During childsa last use checks, iked debug logs results, per SA, after a
successful pfkey_sa_last_used call.
This patch makes logging behavior more closely match that, on error.
I chose log_warn instead of log_debug since iked will complain about the
nonzero errno after pfkey_reply:
pfkey_sa_last_used: message: No such process
With this patch an operator can at least troubleshoot which SAs are
causing the trouble.
Comments? Make sense?
thank you, all
matthew weaver
---
Index: ikev2.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.223
diff -u -p -u -r1.223 ikev2.c
--- ikev2.c 2 May 2020 13:01:37 -0000 1.223
+++ ikev2.c 26 May 2020 15:53:42 -0000
@@ -4347,8 +4347,15 @@ ikev2_ike_sa_alive(struct iked *env, voi
TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
if (!csa->csa_loaded)
continue;
- if (pfkey_sa_last_used(env->sc_pfkey, csa, &last_used) != 0)
+ if (pfkey_sa_last_used(env->sc_pfkey, csa, &last_used) != 0) {
+ log_warn(
+ "%s: %s CHILD SA spi %s failed to determine "
+ "last use", __func__,
+ csa->csa_dir == IPSP_DIRECTION_IN ?
+ "incoming" : "outgoing",
+ print_spi(csa->csa_spi.spi, csa->csa_spi.spi_size));
continue;
+ }
diff = (uint32_t)(gettime() - last_used);
log_debug("%s: %s CHILD SA spi %s last used %llu second(s) ago",
__func__,
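Review bot: the new log_warn in the pfkey_sa_last_used() failure branch reports the same failure twice and depends on errno still being meaningful at that point. Per the commit message, the failure already produces "pfkey_sa_last_used: message: No such process" after pfkey_reply, so a second errno-suffixed line adds only the direction and SPI. Nothing in the visible lines guarantees errno is unchanged when control returns to ikev2_ike_sa_alive. Consider log_warnx here so the line carries just the SA identification, or pass the direction and SPI into the existing message instead. Two smaller points: "%s CHILD SA spi %s failed to determine last use" reads as if the SA itself failed, and "failed to determine last use of %s CHILD SA spi %s" would be clearer. Since this runs for every loaded child SA on each alive check, a persistently missing SA will repeat the warning every interval, which is worth a note in the commit message if that is intended.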