This file is indexed.

/usr/lib/ipsec/barf is in libreswan 3.23-4.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

#! /bin/sh
# dump assorted information of use in debugging
# Copyright (C) 1998, 1999  Henry Spencer.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#

# Run every tool below in the C locale.
LC_ALL=C
export LC_ALL

# Log directory: a $LOGS inherited from the environment wins, else /var/log.
: "${LOGS=/var/log}"
# Max lines to use for things like 'route -n'
maxlines=100
# Program name used in messages.
me="ipsec barf"

# kludge to produce no barf output mentioning policygroups if none are present.
# This will not catch ".file" policygroups.
# $POLICIES stays unset unless the directory listing has at least one line.
PREPOLICIES=/etc/ipsec.d/policies
if test `ls $PREPOLICIES 2> /dev/null | wc -l` -gt 0
then
	POLICIES=$PREPOLICIES
fi

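# message patterns that start relevant parts of logs
fstart='Starting Libreswan'
pstart='Starting Pluto'

# barf_is_count value
# Succeeds only when value is a non-empty string made of digits alone.
barf_is_count() {
	case "$1" in
	''|*[!0-9]*)	return 1	;;
	esac
	return 0
}

# Option handling.  Only the first argument is looked at here; "$1" is
# inspected once more at the end of the script, where --short trims the
# pluto log excerpt.
case "$1" in
--help)		echo "Usage: ipsec barf" ; exit 0	;;
--version)	echo "$me $IPSEC_VERSION" ; exit 0	;;
--maxlines)
	# The value ends up on the command line of "head -n", so take
	# digits only; anything else leaves the default in place.
	if barf_is_count "$2"
	then
		maxlines=$2
		# drop the option and its value, so that a following
		# --short is what the later test of "$1" sees
		shift 2
	else
		echo "$me: --maxlines needs a numeric argument, keeping $maxlines" >&2
		shift
	fi
	;;
esac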

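# log-location guesser, results in $findlog_file and $findlog_startline
# Fine point:  startline is the *last* line containing "string", or
# failing that, the *first* line containing "fallbackstring".
# Both strings are used as extended regular expressions, and all file
# names are taken relative to $LOGS.  When nothing matches, the result is
# /dev/null with startline 1.  Every expansion is quoted, so a $LOGS or a
# log file name containing blanks or wildcard characters is handled as one
# path instead of being split or expanded by the shell.

# findlog_probe pattern sedaddress file
# If file is a regular file with a line matching pattern, record it in
# $findlog_file, put the line number of the chosen match in
# $findlog_startline and return 0; otherwise return 1 and change nothing.
# sedaddress selects the match to report: '$' for the last, 1 for the first.
findlog_probe() {
	test -f "$3" || return 1
	grep -E -q -e "$1" -- "$3" || return 1
	findlog_file=$3
	findlog_startline=`grep -E -n -e "$1" -- "$3" | sed -n "$2"'s/:.*//p'`
	return 0
}

findlog() {		# findlog string fallbackstring possiblefile ...
	s="$1"
	shift
	t="$1"
	shift
	# try the suggested files first
	for f in "$@"
	do
		findlog_probe "$s" '$' "$LOGS/$f" && return 0
	done
	for f in "$@"
	do
		findlog_probe "$t" 1 "$LOGS/$f" && return 0
	done
	# nope, resort to a search, newest first, of uncompressed logs
	# (names containing lastlog or tmp, starting with mail, or ending
	# in .gz or .Z are left out)
	findlog_names=`ls -t -- "$LOGS" | grep -E -v -e 'lastlog|tmp|^mail|\.(gz|Z)$'`
	# Split the listing on newlines only, with globbing switched off, so
	# each name becomes exactly one positional parameter.
	findlog_ifs=$IFS
	IFS='
'
	set -f
	set -- $findlog_names
	set +f
	IFS=$findlog_ifs
	for f in "$@"
	do
		findlog_probe "$s" '$' "$LOGS/$f" && return 0
	done
	for f in "$@"
	do
		findlog_probe "$t" 1 "$LOGS/$f" && return 0
	done
# 	echo "$0: unable to find $LOGS/$1 or local equivalent" >&2
	findlog_file=/dev/null
	findlog_startline=1		# arbitrary
}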

if [ ! -x /usr/bin/journalctl ]
then
	# No journalctl binary (no systemd), so the log file locations have
	# to be worked out: first the kernel-side messages, then pluto's.
	findlog "$fstart" "klips" messages syslog auth.log daemon.log
	case " $findlog_file" in
	" /dev/null")
		echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
		;;
	esac
	kline=$findlog_startline
	klog=$findlog_file

	findlog "$pstart" "Pluto" secure auth.log daemon.log debug
	case " $findlog_file" in
	" /dev/null")
		echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
		;;
	esac
	pline=$findlog_startline
	plog=$findlog_file
fi

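# /lib/modules examiner
# modulegoo relpath pattern
# For every directory directly under /lib/modules, look for the object
# file relpath inside it and print the lines of "nm -g" that match pattern
# (an extended regular expression), each prefixed with "<directory>: ".
# Where the object file does not exist, one line with only the prefix is
# printed.  Tracing is switched off for the duration and switched back on
# before returning.
# The directories come from a glob rather than from parsing "ls", and the
# prefix is added with printf rather than spliced into a sed script, so a
# directory name with blanks or sed metacharacters cannot distort the output.
modulegoo() {
	set +x
	for moddir in /lib/modules/*
	do
		test -d "$moddir" || continue
		d=${moddir##*/}
		f=$moddir/$1
		if test -f "$f"
		then
			nm -g "$f" | grep -E -e "$2"
		else
			echo
		fi |
		while IFS= read -r line
		do
			printf '%s: %s\n' "$d" "$line"
		done
	done
	set -x
}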

# advanced shell deviousness to get dividers into output
# The function's name is itself the divider.  Every call in this script
# passes a single label argument, so $2 below expands to nothing and the
# body runs no command.  Presumably the divider reaches the report through
# the "set -x" trace of the call itself -- verify against real output
# before changing the body, since any real command here would be traced too.
_________________________() {
	$2	# something to do nothing and not echo anything
}

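exec 2>&1		# stderr on stdout, so errors go into main output

# From here on everything, including the "set -x" trace, lands in the report.
# Only ipsec.conf and ipsec.secrets are piped through censor helpers further
# down; addresses, routes, kernel IPsec state and log excerpts are dumped as
# they are, so read the report through before handing it to anyone.
hostname ; date
set -x
_________________________ version
ipsec --version
_________________________ /proc/version
cat /proc/version
_________________________ /proc/net/ipsec_eroute
if test -r /proc/net/ipsec_eroute
then
	# sorted on the third field if sort copes, raw otherwise
	sort -sg -k 3 /proc/net/ipsec_eroute || cat /proc/net/ipsec_eroute
fi
_________________________ netstat-rn
# quoted, so the line cap is always passed to head as a single argument
netstat -nr|head -n "$maxlines"
_________________________ /proc/net/ipsec_spi
if test -r /proc/net/ipsec_spi
then
	cat /proc/net/ipsec_spi
fi
_________________________ /proc/net/ipsec_spigrp
if test -r /proc/net/ipsec_spigrp
then
	cat /proc/net/ipsec_spigrp
fi
_________________________ /proc/net/ipsec_tncfg
if test -r /proc/net/ipsec_tncfg
then
	cat /proc/net/ipsec_tncfg
fi
_________________________ /proc/net/pfkey
if test -r /proc/net/pfkey
then
	cat /proc/net/pfkey
_________________________ ip-xfrm-state
	# NOTE(review): run as root, "ip xfrm state" normally prints the
	# authentication and encryption keys of the live SAs, and nothing
	# here filters them out.  Newer iproute2 releases have a "nokeys"
	# keyword for this listing -- confirm it is available before
	# relying on it.
	ip xfrm state
_________________________ ip-xfrm-policy
	ip xfrm policy
_________________________ ip-xfrm-stats
	cat /proc/net/xfrm_stat
fi
_________________________ ip-l2tp-tunnel
if test -d /sys/module/l2tp_core
then
	ip l2tp show tunnel
_________________________ ip-l2tp-session
	ip l2tp show session
fi
if test -d /sys/module/ip_vti
then
	# The listing used to run a first time ahead of its divider, which
	# put a duplicate copy under the preceding l2tp heading; it now runs
	# once, under its own heading.
_________________________ ip-tunnel
	ip -s tunnel show
fi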
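_________________________ /proc/crypto
if test -r /proc/crypto
then
	cat /proc/crypto
fi
# not visible on my 2.6 system
#_________________________ /proc/net/pf_key-star
#( cd /proc/net && egrep '^' pf_key_* )
# This divider used to be fused with its label (no blank in between), so
# the shell tried to execute a path of that name and the report got a
# "not found" error instead of a section heading.
_________________________ /proc/sys/net/core/xfrm-star
for i in /proc/sys/net/core/xfrm_*
do
	# one "name: value" line per tunable
	echo -n "$i: "
	cat "$i"
done
_________________________ /proc/sys/net/ipsec-star
if test -d /proc/sys/net/ipsec
then
	# egrep '^' matches every line, giving "file:contents" for each entry
	( cd /proc/sys/net/ipsec && egrep '^' * )
fi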
# Runtime state of the IPsec daemon, then the host's interface, address,
# route and rule tables.
_________________________ ipsec/status
ipsec whack --status
_________________________ ifconfig-a
ifconfig -a
_________________________ ip-addr-list
ip addr list
_________________________ ip-route-list
ip route list
_________________________ ip-rule-list
ip rule list
_________________________ ipsec_verify
ipsec verify --nocolour
_________________________ mii-tool
# Prefer a fixed location for mii-tool; fall back to a $PATH lookup only
# when neither location holds an executable.
if [ -x /sbin/mii-tool ]
then
    /sbin/mii-tool -v
elif [ -x /usr/sbin/mii-tool ]
then
    /usr/sbin/mii-tool -v
else
    mii-tool -v
fi
_________________________ ipsec/directory
ipsec --directory
_________________________ hostname/fqdn
hostname --fqdn
_________________________ hostname/ipaddress
hostname --ip-address
_________________________ uptime
uptime
_________________________ ps
# -i ppid picks up the header
ps alxwf | egrep -i 'ppid|pluto|ipsec|klips'
# The configuration and the secrets file are never dumped raw: each is piped
# through an ipsec helper (_keycensor, _secretcensor) first.
# NOTE(review): what exactly those helpers blank out is not visible here --
# check their output before treating the report as free of key material.
_________________________ ipsec/conf
ipsec readwriteconf --config /etc/ipsec.conf | ipsec _keycensor
_________________________ ipsec/secrets
cat /etc/ipsec.secrets | ipsec _secretcensor
_________________________ ipsec/listall
ipsec whack --listall
# Listings (-L) from the NSS database under /var/lib/ipsec/nss.
_________________________ nss/contents
certutil -L -d sql:/var/lib/ipsec/nss
_________________________ nss/crls
crlutil -L -d sql:/var/lib/ipsec/nss
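# $POLICIES is only set (near the top of the script) when the policy group
# directory has entries.  Each policy file is dumped under its own divider.
# The expansions are quoted so that a policy file whose name contains blanks
# or wildcard characters is read as that one file.
if [ -n "$POLICIES" ]
then
	for policy in "$POLICIES"/*
	do
		base=`basename "$policy"`
		_________________________ "ipsec/policies/$base"
		cat "$policy"
	done
fi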
_________________________ ipsec/ls-execdir
# IPSEC_EXECDIR is not assigned anywhere in this script; presumably the
# "ipsec" wrapper exports it.  Unquoted, an empty or unset value makes this
# a plain "ls -l" of the current directory.
ls -l $IPSEC_EXECDIR
# Interface counters, the kernel routing table and a few IPv4 tunables.
_________________________ /proc/net/dev
cat /proc/net/dev
_________________________ /proc/net/route
cat /proc/net/route
_________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
cat /proc/sys/net/ipv4/ip_no_pmtu_disc
_________________________ /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
_________________________ /proc/sys/net/ipv4/tcp_ecn
cat /proc/sys/net/ipv4/tcp_ecn
# egrep '^' matches every line, so each value is printed with the name of
# the file it came from (one per interface directory).
_________________________ /proc/sys/net/ipv4/conf/star-rp_filter
( cd /proc/sys/net/ipv4/conf && egrep '^' */rp_filter )
_________________________ /proc/sys/net/ipv4/conf/star-star-redirects
( cd /proc/sys/net/ipv4/conf && egrep '^' */*redirects )
_________________________ /proc/sys/net/ipv4/tcp_window_scaling
cat /proc/sys/net/ipv4/tcp_window_scaling
_________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
cat /proc/sys/net/ipv4/tcp_adv_win_scale
_________________________ uname-a
uname -a
_________________________ config-built-with
if test -r /proc/config_built_with
then
	cat /proc/config_built_with
fi
_________________________ distro-release
# Print whichever of the known release files exist.
for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
do
        if test -f $distro
        then
               cat $distro
        fi

done
_________________________ /proc/net/ipsec_version
# /proc/net/ipsec_version is shown when readable; otherwise a readable
# /proc/net/pfkey is reported as NETKEY support.
if test -r /proc/net/ipsec_version
then
	cat /proc/net/ipsec_version
else
	if test -r /proc/net/pfkey
	then
		echo "NETKEY (`uname -r`) support detected "
	else
		echo "no KLIPS or NETKEY support detected"
	fi
fi
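# Firewall rules, IPv4 then IPv6.  The complete rule sets go into the
# report unfiltered.  The *-save tool is used when its file is present,
# else the individual tables are listed.
_________________________ iptables
if test -e /proc/net/ip_tables_names
then
	if test -r /sbin/iptables-save -o -r /usr/sbin/iptables-save
	then
		iptables-save --modprobe=/dev/null
	else
		if test -r /sbin/iptables -o -r /usr/sbin/iptables
		then
			iptables -L -v -n
			_________________________ iptables-nat

			# list a table only if the kernel reports it as in use
			grep ^nat /proc/net/ip_tables_names > /dev/null 2>/dev/null &&
				iptables -t nat -L -v -n
			_________________________ iptables-mangle
			grep ^mangle /proc/net/ip_tables_names > /dev/null 2>/dev/null &&
				iptables -t mangle -L -v -n
		fi
	fi
fi
_________________________ ip6tables
# This test used to name "ip6_tables_names" without a directory, i.e. a
# file in whatever the current directory happened to be, so the IPv6 rules
# were normally left out of the report.  It now checks the /proc/net entry,
# the same one the mangle check below reads.
if test -e /proc/net/ip6_tables_names
then
	if test -r /sbin/ip6tables-save -o -r /usr/sbin/ip6tables-save
	then
		ip6tables-save --modprobe=/dev/null
	else
		if test -r /sbin/ip6tables -o -r /usr/sbin/ip6tables
		then
			# the listing was previously gated on the IPv4 names
			# file; the enclosing test already covers IPv6
			ip6tables -L -v -n
			# There is no IPv6 NAT yet (hopefully that will remain so)
			_________________________ ip6tables-mangle
			grep ^mangle /proc/net/ip6_tables_names > /dev/null 2>/dev/null &&
				ip6tables -t mangle -L -v -n
		fi
	fi
fi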
# Loaded kernel modules and memory figures.
_________________________ /proc/modules
if test -f /proc/modules
then
	cat /proc/modules
else
	echo "kernel without module support"
fi
_________________________ /proc/meminfo
cat /proc/meminfo
#obsolete? not on my klips system
#_________________________ dev/ipsec-ls
#ls -l /dev/ipsec*
_________________________ /proc/net/ipsec-ls
if test -f /proc/net/ipsec_version
then
	ls -l /proc/net/ipsec_*
fi
_________________________ usr/src/linux/.config
# Kernel build options matching the IPsec, networking, hardware RNG, crypto
# device and XFRM patterns below, taken from /proc/config.gz when it exists,
# else from the build directory of the running kernel.
if test -f /proc/config.gz
then
	zcat /proc/config.gz | egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
elif test -f /lib/modules/`uname -r`/build/.config
then
	cat /lib/modules/`uname -r`/build/.config | egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
else
	echo "no .config file found, cannot list kernel properties"
fi
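# Each syslog configuration now follows its own divider.  Before, both
# dividers came first and the two files were then printed in the opposite
# order.  A missing file still leaves cat's error message in the report.
_________________________ etc/syslog.conf
cat /etc/syslog.conf
_________________________ etc/syslog-ng/syslog-ng.conf
cat /etc/syslog-ng/syslog-ng.conf
_________________________ etc/resolv.conf
cat /etc/resolv.conf
_________________________ lib/modules-ls
ls -ltr /lib/modules
_________________________ fipscheck
cat /proc/sys/crypto/fips_enabled
_________________________ /proc/ksyms-netif_rx
# look up netif_rx in whichever kernel symbol table is readable
if test -r /proc/ksyms
then
	egrep netif_rx /proc/ksyms
else
	if test -r /proc/kallsyms
	then
		egrep netif_rx /proc/kallsyms
	else
		echo "broken (redhat/fedora) 2.6 kernel without kallsyms"
	fi
fi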

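_________________________ lib/modules-netif_rx
modulegoo kernel/net/ipv4/ipip.o netif_rx
_________________________ kern.debug
# $LOGS can come from the environment, so it is quoted wherever it is used.
if test -f "$LOGS/kern.debug"
then
	tail -n 100 "$LOGS/kern.debug"
fi
_________________________ klog
dmesg | egrep -i "klips|ipsec"
_________________________ plog
# Pluto's log: the last hour from the journal where journalctl exists,
# otherwise the file and start line found by findlog earlier on.  With
# --short as first argument only the last 500 lines are kept.  Log lines are
# included as written, so they carry peer addresses and identities.
if test -x /usr/bin/journalctl
then
	journalctl -u ipsec.service --no-pager --since "1 hour ago" |
		case "$1" in
		--short)	tail -n 500	;;
		*)		cat		;;
		esac
else
	# quoted, so a log path containing blanks is read as one file
	sed -n "$pline"',$p' "$plog" |
		egrep -i 'pluto' |
		case "$1" in
		--short)	tail -n 500	;;
		*)		cat		;;
		esac
fi
_________________________ date
date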