From: Tobias Brunner Date: Thu, 27 Apr 2023 14:34:23 +0000 (+0200) Subject: vici: Improve log messages for terminate/rekey() in case of combined filters X-Git-Tag: 5.9.11rc1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e46e101a6f1f7ab24549679b15d0ff2c98c3081;p=thirdparty%2Fstrongswan.git vici: Improve log messages for terminate/rekey() in case of combined filters As long as any `child*` selector is received, only CHILD_SAs will be terminated or rekeyed. Any passed `ike*` selectors will only be used to filter the IKE_SAs when looking for matching CHILD_SAs. However, the previous log messages seemed to indicate that IKE_SAs will also be terminated/rekeyed. References strongswan/strongswan#1655
---
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 299c9092ee..1c236d2491 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -226,11 +226,32 @@ CALLBACK(initiate, vici_message_t*,
 }
 }
 
+/**
+ * Format the given SA filter parameters for logging.
+ */
+static inline void format_sa_selector(char *buf, size_t len, char *name,
+ u_int id)
+{
+ if (name && id)
+ {
+ snprintf(buf, len, "'%s' #%d", name, id);
+ }
+ else if (name)
+ {
+ snprintf(buf, len, "'%s'", name);
+ }
+ else if (id)
+ {
+ snprintf(buf, len, "#%d", id);
+ }
+}
+
 CALLBACK(terminate, vici_message_t*,
 private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
 {
 enumerator_t *enumerator, *isas, *csas;
 char *child, *ike, *errmsg = NULL;
+ char child_sel[BUF_LEN] = "", ike_sel[BUF_LEN] = "";
 u_int child_id, ike_id, current, *del, done = 0;
 bool force;
 int timeout;
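Review bot: In `format_sa_selector()` the `u_int id` is printed with `%d` in both `snprintf()` calls that take it, so the conversion does not match the argument type and a large ID would typically be logged as a negative number; `"'%s' #%u"` and `"#%u"` fit the type. The helper writes nothing when neither name nor id is set, so it relies on the caller pre-initialising the buffer, as `terminate()` does with `= ""`; the doc comment could state that, e.g. `* buf is left untouched if neither name nor id is given, the caller has to initialise it.` The `snprintf()` result is ignored, so a name that does not fit `len` is cut silently and the log line loses its closing quote and the ID; that is probably acceptable for a log message, but worth a word in the comment because the name appears to come from the vici request.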
@@ -257,22 +278,13 @@ CALLBACK(terminate, vici_message_t*,
 return send_reply(this, "missing terminate selector");
 }
 
- if (ike_id)
- {
- DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
- }
- if (child_id)
- {
- DBG1(DBG_CFG, "vici terminate CHILD_SA #%d", child_id);
- }
- if (ike)
- {
- DBG1(DBG_CFG, "vici terminate IKE_SA '%s'", ike);
- }
- if (child)
- {
- DBG1(DBG_CFG, "vici terminate CHILD_SA '%s'", child);
- }
+ format_sa_selector(child_sel, sizeof(child_sel), child, child_id);
+ format_sa_selector(ike_sel, sizeof(ike_sel), ike, ike_id);
+
+ DBG1(DBG_CFG, "vici terminate%s%s%s%s%s",
+ child_sel[0] ? " CHILD_SA " : "", child_sel,
+ child_sel[0] && ike_sel[0] ? " of" : "",
+ ike_sel[0] ? " IKE_SA ": "", ike_sel);
 
 if (timeout >= 0)
 {
@@ -376,6 +388,7 @@ CALLBACK(rekey, vici_message_t*,
 {
 enumerator_t *isas, *csas;
 char *child, *ike, *errmsg = NULL;
+ char child_sel[BUF_LEN] = "", ike_sel[BUF_LEN] = "";
 u_int child_id, ike_id, found = 0;
 ike_sa_t *ike_sa;
 child_sa_t *child_sa;
@@ -393,22 +406,13 @@ CALLBACK(rekey, vici_message_t*,
 return send_reply(this, "missing rekey selector");
 }
 
- if (ike_id)
- {
- DBG1(DBG_CFG, "vici rekey IKE_SA #%d", ike_id);
- }
- if (child_id)
- {
- DBG1(DBG_CFG, "vici rekey CHILD_SA #%d", child_id);
- }
- if (ike)
- {
- DBG1(DBG_CFG, "vici rekey IKE_SA '%s'", ike);
- }
- if (child)
- {
- DBG1(DBG_CFG, "vici rekey CHILD_SA '%s'", child);
- }
+ format_sa_selector(child_sel, sizeof(child_sel), child, child_id);
+ format_sa_selector(ike_sel, sizeof(ike_sel), ike, ike_id);
+
+ DBG1(DBG_CFG, "vici rekey%s%s%s%s%s",
+ child_sel[0] ? " CHILD_SA " : "", child_sel,
+ child_sel[0] && ike_sel[0] ? " of" : "",
+ ike_sel[0] ? " IKE_SA ": "", ike_sel);
 
 isas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
 while (isas->enumerate(isas, &ike_sa))
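Review bot: The rule behind the new "CHILD_SA ... of IKE_SA ..." wording is stated only in the commit message, not beside the `DBG1()` call in `terminate()` (hunk @@ -257,22 +278,13 @@). A short comment there would keep the log format and the selection logic from drifting apart, e.g. `/* with any child selector only CHILD_SAs are affected, ike selectors just filter the IKE_SAs searched */`. The two `format_sa_selector()` calls and the five-argument `DBG1()` are repeated in the `rekey()` hunk (@@ -393,22 +406,13 @@) with only the verb changed, so a single helper taking the verb would keep the two control-action log lines identical in shape. Minor style: `" IKE_SA ": ""` lacks the space before the colon that the line above it has. Both function bodies continue outside their hunks.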