File: //usr/libexec/ipsec/barf
#! /bin/sh
# dump assorted information of use in debugging
# Copyright (C) 1998, 1999 Henry Spencer.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
LC_ALL=C export LC_ALL
LOGS=${LOGS-/var/log}
me="ipsec barf"
# Max lines to use for things like 'route -n'
maxlines=100
# kludge to produce no barf output mentioning policygroups if none are present.
# This will not catch ".file" policygroups.
PREPOLICIES=/etc/ipsec.d/policies
if [ `ls $PREPOLICIES 2> /dev/null | wc -l` -ne 0 ]
then
POLICIES=$PREPOLICIES
fi
# message patterns that start relevant parts of logs
fstart='Starting Libreswan'
pstart='Starting Pluto'
case "$1" in
--help) echo "Usage: ipsec barf" ; exit 0 ;;
--version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
--maxlines) maxlines=$2; shift;;
esac
# log-location guesser, results in $findlog_file and $findlog_startline
# Fine point: startline is the *last* line containing "string", or
# failing that, the *first* line containing "fallbackstring".
findlog() { # findlog string fallbackstring possiblefile ...
s="$1"
shift
t="$1"
shift
# try the suggested files first
for f in $*
do
if test -s $LOGS/$f -a -f $LOGS/$f && egrep -q "$s" $LOGS/$f
then
# aha, this one has it
findlog_file=$LOGS/$f
findlog_startline=`egrep -n "$s" $LOGS/$f |
sed -n '$s/:.*//p'`
return 0
fi
done
for f in $*
do
if test -s $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
then
# aha, this one has it
findlog_file=$LOGS/$f
findlog_startline=`egrep -n "$t" $LOGS/$f |
sed -n '1s/:.*//p'`
return 0
fi
done
# nope, resort to a search, newest first, of uncompressed logs
for f in `ls -t $LOGS | egrep -v lastlog | egrep -v tmp | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
do
if test -f $LOGS/$f -a ! -d $LOGS/$f && egrep -q "$s" $LOGS/$f
then
# found it
findlog_file=$LOGS/$f
findlog_startline=`egrep -n "$s" $LOGS/$f |
sed -n '$s/:.*//p'`
return 0
fi
done
for f in `ls -t $LOGS | egrep -v lastlog | egrep -v tmp | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
do
if test -s $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
then
# found it
findlog_file=$LOGS/$f
findlog_startline=`egrep -n "$t" $LOGS/$f |
sed -n '1s/:.*//p'`
return 0
fi
done
# echo "$0: unable to find $LOGS/$1 or local equivalent" >&2
findlog_file=/dev/null
findlog_startline=1 # arbitrary
}
if test ! -x /usr/bin/journalctl
then
# no systemd, need to figure out log file location
findlog "$fstart" "klips" messages syslog auth.log daemon.log
if test " $findlog_file" = " /dev/null"
then
echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
fi
klog=$findlog_file
kline=$findlog_startline
findlog "$pstart" "Pluto" secure auth.log daemon.log debug
if test " $findlog_file" = " /dev/null"
then
echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
fi
plog=$findlog_file
pline=$findlog_startline
fi
# /lib/modules examiner
modulegoo() {
set +x
for d in `ls /lib/modules`
do
if test -d /lib/modules/$d
then
f=/lib/modules/$d/$1
if test -f $f
then
nm -g $f | egrep "$2"
else
echo
fi | sed "s;^;$d: ;"
fi
done
set -x
}
# advanced shell deviousness to get dividers into output
_________________________() {
$2 # something to do nothing and not echo anything
}
exec 2>&1 # stderr on stdout, so errors go into main output
hostname ; date
set -x
_________________________ version
ipsec --version
_________________________ /proc/version
cat /proc/version
_________________________ /proc/net/ipsec_eroute
if test -r /proc/net/ipsec_eroute
then
sort -sg -k 3 /proc/net/ipsec_eroute || cat /proc/net/ipsec_eroute
fi
_________________________ netstat-rn
netstat -nr|head -n $maxlines
_________________________ /proc/net/ipsec_spi
if test -r /proc/net/ipsec_spi
then
cat /proc/net/ipsec_spi
fi
_________________________ /proc/net/ipsec_spigrp
if test -r /proc/net/ipsec_spigrp
then
cat /proc/net/ipsec_spigrp
fi
_________________________ /proc/net/ipsec_tncfg
if test -r /proc/net/ipsec_tncfg
then
cat /proc/net/ipsec_tncfg
fi
_________________________ /proc/net/pfkey
if test -r /proc/net/pfkey
then
cat /proc/net/pfkey
_________________________ ip-xfrm-state
ip xfrm state
_________________________ ip-xfrm-policy
ip xfrm policy
_________________________ ip-xfrm-stats
cat /proc/net/xfrm_stat
fi
_________________________ ip-l2tp-tunnel
if test -d /sys/module/l2tp_core
then
ip l2tp show tunnel
_________________________ ip-l2tp-session
ip l2tp show session
fi
if test -d /sys/module/ip_vti
then
ip -s tunnel show
_________________________ ip-tunnel
ip -s tunnel show
fi
_________________________ /proc/crypto
if test -r /proc/crypto
then
cat /proc/crypto
fi
# not visible on my 2.6 system
#_________________________ /proc/net/pf_key-star
#( cd /proc/net && egrep '^' pf_key_* )
__________________________/proc/sys/net/core/xfrm-star
for i in /proc/sys/net/core/xfrm_*
do
echo -n "$i: "
cat $i
done
_________________________ /proc/sys/net/ipsec-star
if test -d /proc/sys/net/ipsec
then
( cd /proc/sys/net/ipsec && egrep '^' * )
fi
_________________________ ipsec/status
ipsec whack --status
_________________________ ifconfig-a
ifconfig -a
_________________________ ip-addr-list
ip addr list
_________________________ ip-route-list
ip route list
_________________________ ip-rule-list
ip rule list
_________________________ ipsec_verify
ipsec verify --nocolour
_________________________ mii-tool
if [ -x /sbin/mii-tool ]
then
/sbin/mii-tool -v
elif [ -x /usr/sbin/mii-tool ]
then
/usr/sbin/mii-tool -v
else
mii-tool -v
fi
_________________________ ipsec/directory
ipsec --directory
_________________________ hostname/fqdn
hostname --fqdn
_________________________ hostname/ipaddress
hostname --ip-address
_________________________ uptime
uptime
_________________________ ps
# -i ppid picks up the header
ps alxwf | egrep -i 'ppid|pluto|ipsec|klips'
_________________________ ipsec/conf
ipsec readwriteconf --config /etc/ipsec.conf | ipsec _keycensor
_________________________ ipsec/secrets
cat /etc/ipsec.secrets | ipsec _secretcensor
_________________________ ipsec/listall
ipsec whack --listall
_________________________ nss/contents
certutil -L -d sql:/etc/ipsec.d
_________________________ nss/crls
crlutil -L -d sql:/etc/ipsec.d
if [ $POLICIES ]
then
for policy in $POLICIES/*; do base=`basename $policy`;
_________________________ ipsec/policies/$base
cat $policy
done
fi
_________________________ ipsec/ls-execdir
ls -l $IPSEC_EXECDIR
_________________________ /proc/net/dev
cat /proc/net/dev
_________________________ /proc/net/route
cat /proc/net/route
_________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
cat /proc/sys/net/ipv4/ip_no_pmtu_disc
_________________________ /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
_________________________ /proc/sys/net/ipv4/tcp_ecn
cat /proc/sys/net/ipv4/tcp_ecn
_________________________ /proc/sys/net/ipv4/conf/star-rp_filter
( cd /proc/sys/net/ipv4/conf && egrep '^' */rp_filter )
_________________________ /proc/sys/net/ipv4/conf/star-star-redirects
( cd /proc/sys/net/ipv4/conf && egrep '^' */*redirects )
_________________________ /proc/sys/net/ipv4/tcp_window_scaling
cat /proc/sys/net/ipv4/tcp_window_scaling
_________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
cat /proc/sys/net/ipv4/tcp_adv_win_scale
_________________________ uname-a
uname -a
_________________________ config-built-with
if test -r /proc/config_built_with
then
cat /proc/config_built_with
fi
_________________________ distro-release
for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
do
if test -f $distro
then
cat $distro
fi
done
_________________________ /proc/net/ipsec_version
if test -r /proc/net/ipsec_version
then
cat /proc/net/ipsec_version
else
if test -r /proc/net/pfkey
then
echo "NETKEY (`uname -r`) support detected "
else
echo "no KLIPS or NETKEY support detected"
fi
fi
_________________________ iptables
if test -e /proc/net/ip_tables_names
then
if test -r /sbin/iptables-save -o -r /usr/sbin/iptables-save
then
iptables-save --modprobe=/dev/null
else
if test -r /sbin/iptables -o -r /usr/sbin/iptables
then
iptables -L -v -n
_________________________ iptables-nat
grep ^nat /proc/net/ip_tables_names > /dev/null 2>/dev/null &&
iptables -t nat -L -v -n
_________________________ iptables-mangle
grep ^mangle /proc/net/ip_tables_names > /dev/null 2>/dev/null &&
iptables -t mangle -L -v -n
fi
fi
fi
_________________________ ip6tables
if test -e ip6_tables_names
then
if test -r /sbin/ip6tables-save -o -r /usr/sbin/ip6tables-save
then
ip6tables-save --modprobe=/dev/null
else
if test -r /sbin/ip6tables -o -r /usr/sbin/ip6tables
then
test -e /proc/net/ip_tables_names && ip6tables -L -v -n
# There is no IPv6 NAT yet (hopefully that will remain so)
_________________________ ip6tables-mangle
grep ^mangle /proc/net/ip6_tables_names > /dev/null 2>/dev/null &&
ip6tables -t mangle -L -v -n
fi
fi
fi
_________________________ /proc/modules
if test -f /proc/modules
then
cat /proc/modules
else
echo "kernel without module support"
fi
_________________________ /proc/meminfo
cat /proc/meminfo
#obsolete? not on my klips system
#_________________________ dev/ipsec-ls
#ls -l /dev/ipsec*
_________________________ /proc/net/ipsec-ls
if test -f /proc/net/ipsec_version
then
ls -l /proc/net/ipsec_*
fi
_________________________ usr/src/linux/.config
if test -f /proc/config.gz
then
zcat /proc/config.gz | egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
elif test -f /lib/modules/`uname -r`/build/.config
then
cat /lib/modules/`uname -r`/build/.config | egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
else
echo "no .config file found, cannot list kernel properties"
fi
_________________________ etc/syslog.conf
_________________________ etc/syslog-ng/syslog-ng.conf
cat /etc/syslog-ng/syslog-ng.conf
cat /etc/syslog.conf
_________________________ etc/resolv.conf
cat /etc/resolv.conf
_________________________ lib/modules-ls
ls -ltr /lib/modules
_________________________ fipscheck
cat /proc/sys/crypto/fips_enabled
_________________________ /proc/ksyms-netif_rx
if test -r /proc/ksyms
then
egrep netif_rx /proc/ksyms
else
if test -r /proc/kallsyms
then
egrep netif_rx /proc/kallsyms
else
echo "broken (redhat/fedora) 2.6 kernel without kallsyms"
fi
fi
_________________________ lib/modules-netif_rx
modulegoo kernel/net/ipv4/ipip.o netif_rx
_________________________ kern.debug
if test -f $LOGS/kern.debug
then
tail -100 $LOGS/kern.debug
fi
_________________________ klog
dmesg | egrep -i "klips|ipsec"
_________________________ plog
if test -x /usr/bin/journalctl
then
journalctl -u ipsec.service --no-pager --since "1 hour ago" |
case "$1" in
--short) tail -500 ;;
*) cat ;;
esac
else
sed -n $pline,'$'p $plog |
egrep -i 'pluto' |
case "$1" in
--short) tail -500 ;;
*) cat ;;
esac
fi
_________________________ date
date