author | 2010-07-03 16:59:35 +0000 | |
---|---|---|
committer | 2010-07-03 16:59:35 +0000 | |
commit | badf94565689539c5b6588e9f54eaabad27af717 (patch) | |
tree | 382d13e53fe5bca87663a742c0865f2b035dacb5 | |
parent | use SMALL_PROGRAM to knock out some code (diff) | |
Better non-debug logging messages when a session is established/closed.
-rw-r--r-- | sbin/iked/ikev2.c | 12 | ||||
-rw-r--r-- | sbin/iked/ikev2.h | 6 | ||||
-rw-r--r-- | sbin/iked/ikev2_pld.c | 4 | ||||
-rw-r--r-- | sbin/iked/policy.c | 19 |
4 files changed, 28 insertions, 13 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 73eda75d656..5952d7be1b0 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.20 2010/06/27 05:40:49 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.21 2010/07/03 16:59:35 reyk Exp $ */
 /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
 /*
@@ -384,7 +384,7 @@ ikev2_recv(struct iked *env, struct iked_message *msg)
 else
 ikev2_resp_recv(env, msg, hdr);
- if (sa != NULL && sa->sa_state == IKEV2_STATE_DELETE)
+ if (sa != NULL && sa->sa_state == IKEV2_STATE_CLOSED)
 sa_free(env, sa);
 }
@@ -881,7 +881,7 @@ ikev2_init_done(struct iked *env, struct iked_sa *sa)
 if (ret == 0)
 ret = ikev2_childsa_enable(env, sa);
 if (ret == 0)
- sa_state(env, sa, IKEV2_STATE_RUNNING);
+ sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
 return (ret);
 }
@@ -1510,7 +1510,7 @@ ikev2_resp_recv(struct iked *env, struct iked_message *msg,
 case IKEV2_EXCHANGE_IKE_SA_INIT:
 if (ikev2_sa_responder(env, sa, msg) != 0) {
 log_debug("%s: failed to get IKE SA keys", __func__);
- sa_state(env, sa, IKEV2_STATE_DELETE);
+ sa_state(env, sa, IKEV2_STATE_CLOSED);
 return;
 }
 if (ikev2_resp_ike_sa_init(env, msg) != 0) {
@@ -1521,7 +1521,7 @@ ikev2_resp_recv(struct iked *env, struct iked_message *msg,
 case IKEV2_EXCHANGE_IKE_AUTH:
 if (!sa_stateok(sa, IKEV2_STATE_SA_INIT)) {
 log_debug("%s: state mismatch", __func__);
- sa_state(env, sa, IKEV2_STATE_DELETE);
+ sa_state(env, sa, IKEV2_STATE_CLOSED);
 return;
 }
@@ -1829,7 +1829,7 @@ ikev2_resp_ike_auth(struct iked *env, struct iked_sa *sa)
 if (ret == 0)
 ret = ikev2_childsa_enable(env, sa);
 if (ret == 0)
- sa_state(env, sa, IKEV2_STATE_RUNNING);
+ sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
 done:
 ibuf_release(e);
diff --git a/sbin/iked/ikev2.h b/sbin/iked/ikev2.h
index fbe2fa31be0..f4176fdc665 100644
--- a/sbin/iked/ikev2.h
+++ b/sbin/iked/ikev2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.h,v 1.5 2010/06/26 18:32:34 reyk Exp $ */
+/* $OpenBSD: ikev2.h,v 1.6 2010/07/03 16:59:35 reyk Exp $ */
 /* $vantronix: ikev2.h,v 1.27 2010/05/19 12:20:30 reyk Exp $ */
 /*
@@ -69,8 +69,8 @@ extern size_t ikev2_default_nesp_transforms;
 #define IKEV2_STATE_AUTH_SUCCESS 5 /* authenticated */
 #define IKEV2_STATE_VALID 6 /* validated peer certs */
 #define IKEV2_STATE_EAP_VALID 7 /* EAP validated */
-#define IKEV2_STATE_RUNNING 8 /* active IKE SA */
-#define IKEV2_STATE_DELETE 9 /* delete this SA */
+#define IKEV2_STATE_ESTABLISHED 8 /* active IKE SA */
+#define IKEV2_STATE_CLOSED 9 /* delete this SA */
 extern struct iked_constmap ikev2_state_map[];
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index fd43e34fbef..4f6d45d8ffa 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.12 2010/06/27 05:49:05 reyk Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.13 2010/07/03 16:59:35 reyk Exp $ */
 /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
 /*
@@ -747,7 +747,7 @@ ikev2_pld_delete(struct iked *env, struct ikev2_payload *pld,
 default:
 if (ikev2_msg_frompeer(msg) && del->del_protoid == IKEV2_SAPROTO_IKE) {
- sa_state(env, sa, IKEV2_STATE_DELETE);
+ sa_state(env, sa, IKEV2_STATE_CLOSED);
 return (0);
 }
 log_debug("%s: invalid SPI size", __func__);
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 19981013237..2745bc34a05 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.10 2010/06/27 00:32:42 reyk Exp $ */
+/* $OpenBSD: policy.c,v 1.11 2010/07/03 16:59:35 reyk Exp $ */
 /* $vantronix: policy.c,v 1.29 2010/05/28 15:34:35 reyk Exp $ */
 /*
@@ -132,7 +132,22 @@ sa_state(struct iked *env, struct iked_sa *sa, int state)
 a = print_map(sa->sa_state, ikev2_state_map);
 b = print_map(state, ikev2_state_map);
- log_info("%s: %s -> %s", __func__, a, b);
+ if (state > sa->sa_state) {
+ switch (state) {
+ case IKEV2_STATE_ESTABLISHED:
+ case IKEV2_STATE_CLOSED:
+ log_info("%s: %s -> %s from %s to %s policy '%s'",
+ __func__, a, b,
+ print_host(&sa->sa_peer.addr, NULL, 0),
+ print_host(&sa->sa_local.addr, NULL, 0),
+ sa->sa_policy->pol_name);
+ break;
+ default:
+ log_debug("%s: %s -> %s", __func__, a, b);
+ break;
+ }
+ }
+
 sa->sa_state = state;
 } |
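Review bot: The new `log_info()` call in `sa_state()` dereferences `sa->sa_policy->pol_name` without checking `sa->sa_policy`, and the `IKEV2_STATE_CLOSED` case can be reached from very early states: the `ikev2_resp_recv()` hunks in this same commit call `sa_state(env, sa, IKEV2_STATE_CLOSED)` when IKE_SA_INIT key setup fails or on a state mismatch, which is before the peer is authenticated. Whether a policy is always attached to the SA by then is not visible in this diff; if it is not, a log statement becomes a NULL dereference on network-driven input, so the argument should be guarded, e.g. `sa->sa_policy ? sa->sa_policy->pol_name : "<unknown>"`. The `state > sa->sa_state` guard also means equal or backward transitions are no longer logged at any level, where the old code logged every call; an `else log_debug("%s: %s -> %s", __func__, a, b);` would keep them visible when debugging. The body of `sa_state()` begins above the hunk, so the surrounding checks could not be reviewed.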