/usr/lib/ipsec/barf is in libreswan 3.23-4.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#! /bin/sh
# dump assorted information of use in debugging
# Copyright (C) 1998, 1999 Henry Spencer.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
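# Run every tool below in the C locale.
LC_ALL=C export LC_ALL

# Directory that is searched for log files; the caller may override it
# through the LOGS environment variable.
LOGS=${LOGS-/var/log}
me="ipsec barf"

# Max lines to use for things like 'route -n'
maxlines=100

# kludge to produce no barf output mentioning policygroups if none are present.
# This will not catch ".file" policygroups.
# POLICIES is cleared first: it later selects a directory whose files are
# copied into the report, so it must not be inherited from the environment.
PREPOLICIES=/etc/ipsec.d/policies
POLICIES=
if [ -n "$(ls "$PREPOLICIES" 2> /dev/null)" ]
then
	POLICIES=$PREPOLICIES
fi

# message patterns that start relevant parts of logs
fstart='Starting Libreswan'
pstart='Starting Pluto'

case "$1" in
--help)
	echo "Usage: ipsec barf" ; exit 0 ;;
--version)
	echo "$me $IPSEC_VERSION" ; exit 0 ;;
--maxlines)
	# The value becomes the argument of 'head -n' further down, so only
	# digits are accepted; anything else keeps the default.
	case "$2" in
	''|*[!0-9]*)
		echo "$me: --maxlines needs a numeric argument, keeping $maxlines" >&2
		shift
		;;
	*)
		maxlines=$2
		# drop the option and its value so that a following --short
		# ends up in $1, where the log section looks for it
		shift 2
		;;
	esac
	;;
esac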
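# Scan candidate files for a pattern on behalf of findlog.
#   $1    - "last" or "first": which matching line number to report
#   $2    - extended regular expression to look for
#   $3... - file names relative to $LOGS, tried in the order given
# On a hit, sets findlog_file and findlog_startline and returns 0;
# returns 1 when no candidate matches.
findlog_scan() {
	findlog_pick="$1"
	findlog_pat="$2"
	shift
	shift
	for f in "$@"
	do
		# only regular files are searched; paths are quoted because
		# $LOGS can be supplied by the caller's environment
		if test -f "$LOGS/$f" &&
			grep -E -q -e "$findlog_pat" -- "$LOGS/$f"
		then
			# aha, this one has it
			findlog_file="$LOGS/$f"
			if test "$findlog_pick" = last
			then
				findlog_startline=$(grep -E -n -e "$findlog_pat" -- "$LOGS/$f" |
					sed -n '$s/:.*//p')
			else
				findlog_startline=$(grep -E -n -e "$findlog_pat" -- "$LOGS/$f" |
					sed -n '1s/:.*//p')
			fi
			return 0
		fi
	done
	return 1
}

# log-location guesser, results in $findlog_file and $findlog_startline
# Fine point: startline is the *last* line containing "string", or
# failing that, the *first* line containing "fallbackstring".
# When nothing matches, findlog_file is /dev/null and findlog_startline is 1.
findlog() {		# findlog string fallbackstring possiblefile ...
	s="$1"
	shift
	t="$1"
	shift

	# try the suggested files first
	findlog_scan last "$s" "$@" && return 0
	findlog_scan first "$t" "$@" && return 0

	# nope, resort to a search, newest first, of uncompressed logs
	findlog_rest=$(ls -t "$LOGS" | grep -E -v -e 'lastlog|tmp|^mail|\.(gz|Z)$')
	# The listing is split on whitespace on purpose; file names that
	# contain blanks are not handled by this fallback.
	# shellcheck disable=SC2086
	findlog_scan last "$s" $findlog_rest && return 0
	# shellcheck disable=SC2086
	findlog_scan first "$t" $findlog_rest && return 0

#	echo "$0: unable to find $LOGS/$1 or local equivalent" >&2
	findlog_file=/dev/null
	findlog_startline=1		# arbitrary
}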
# Plain-file logging: when journalctl is not installed, work out which files
# under $LOGS hold the KLIPS and Pluto messages and at which line the
# relevant part of each starts.
if [ ! -x /usr/bin/journalctl ]
then
	# no systemd, need to figure out log file location
	findlog "$fstart" "klips" messages syslog auth.log daemon.log
	klog=$findlog_file
	kline=$findlog_startline
	# findlog reports /dev/null when no log file matched
	if [ "x$klog" = "x/dev/null" ]
	then
		echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
	fi

	findlog "$pstart" "Pluto" secure auth.log daemon.log debug
	plog=$findlog_file
	pline=$findlog_startline
	if [ "x$plog" = "x/dev/null" ]
	then
		echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
	fi
fi
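# /lib/modules examiner
# For every directory under /lib/modules, list the global symbols of one
# module file that match a pattern, each line prefixed with the directory name.
#   $1 - module path relative to /lib/modules/<directory>
#   $2 - extended regular expression applied to the 'nm -g' output
# A directory without that file contributes one line holding only the prefix.
# Tracing is switched off while the loop runs and switched on again at the
# end, whatever its state was before the call.
modulegoo() {
	set +x
	for moddir in /lib/modules/*
	do
		# also skips the literal pattern when /lib/modules is empty or absent
		test -d "$moddir" || continue
		d=${moddir##*/}
		f="$moddir/$1"
		if test -f "$f"
		then
			nm -g "$f" | grep -E -e "$2"
		else
			echo
		fi |
		# prefix without building a sed script from the directory name
		while IFS= read -r line
		do
			printf '%s: %s\n' "$d" "$line"
		done
	done
	set -x
}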
# advanced shell deviousness to get dividers into output
# With tracing on (set -x), calling this function with a section title makes
# the shell print the call itself; that trace line is the divider.
#   $1 - section title; never read here, it only shows up in the trace.
# The body expands $2, which is empty when the call passes a single word, so
# nothing is run and no extra trace line appears.
# NOTE(review): a second word in the call would be executed as a command,
# so a title built from a variable has to be quoted into one word.
_________________________() {
$2 # something to do nothing and not echo anything
}
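exec 2>&1		# stderr on stdout, so errors go into main output

hostname ; date
# Everything below runs traced; the trace lines, including the divider
# calls, are part of the report.
set -x
_________________________ version
ipsec --version
_________________________ /proc/version
cat /proc/version
_________________________ /proc/net/ipsec_eroute
if test -r /proc/net/ipsec_eroute
then
	# fall back to the unsorted table if sort fails
	sort -sg -k 3 /proc/net/ipsec_eroute || cat /proc/net/ipsec_eroute
fi
_________________________ netstat-rn
# quoted: the value comes from --maxlines and must stay a single argument
netstat -nr|head -n "$maxlines"
_________________________ /proc/net/ipsec_spi
if test -r /proc/net/ipsec_spi
then
	cat /proc/net/ipsec_spi
fi
_________________________ /proc/net/ipsec_spigrp
if test -r /proc/net/ipsec_spigrp
then
	cat /proc/net/ipsec_spigrp
fi
_________________________ /proc/net/ipsec_tncfg
if test -r /proc/net/ipsec_tncfg
then
	cat /proc/net/ipsec_tncfg
fi
_________________________ /proc/net/pfkey
if test -r /proc/net/pfkey
then
	cat /proc/net/pfkey
	# NOTE(review): unlike ipsec.conf and ipsec.secrets, this output is not
	# passed through a censor; 'ip xfrm state' run as root normally shows
	# the keys of the installed SAs, so handle the report as sensitive.
	_________________________ ip-xfrm-state
	ip xfrm state
	_________________________ ip-xfrm-policy
	ip xfrm policy
	_________________________ ip-xfrm-stats
	cat /proc/net/xfrm_stat
fi
_________________________ ip-l2tp-tunnel
# the l2tp listings are only attempted when the l2tp_core module is loaded
if test -d /sys/module/l2tp_core
then
	ip l2tp show tunnel
	_________________________ ip-l2tp-session
	ip l2tp show session
fi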
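# Tunnel listing, only when the ip_vti module is loaded; it is run once,
# under its own divider.
if test -d /sys/module/ip_vti
then
	_________________________ ip-tunnel
	ip -s tunnel show
fi
_________________________ /proc/crypto
if test -r /proc/crypto
then
	cat /proc/crypto
fi
# not visible on my 2.6 system
#_________________________ /proc/net/pf_key-star
#( cd /proc/net && egrep '^' pf_key_* )
# The divider name and its title are separate words; fused together the
# shell would look for a program at that path and report an error.
_________________________ /proc/sys/net/core/xfrm-star
for i in /proc/sys/net/core/xfrm_*
do
	# printf instead of 'echo -n', whose behaviour differs between shells
	printf '%s: ' "$i"
	cat "$i"
done
_________________________ /proc/sys/net/ipsec-star
if test -d /proc/sys/net/ipsec
then
	# grep '^' prints every line of every file, prefixed with the file name
	( cd /proc/sys/net/ipsec && grep -E '^' * )
fi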
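# Daemon status and the host's interface, address and routing view.
_________________________ ipsec/status
ipsec whack --status
_________________________ ifconfig-a
ifconfig -a
_________________________ ip-addr-list
ip addr list
_________________________ ip-route-list
ip route list
_________________________ ip-rule-list
ip rule list
_________________________ ipsec_verify
ipsec verify --nocolour
_________________________ mii-tool
# prefer a known location, fall back to whatever $PATH offers
if [ -x /sbin/mii-tool ]
then
	/sbin/mii-tool -v
elif [ -x /usr/sbin/mii-tool ]
then
	/usr/sbin/mii-tool -v
else
	mii-tool -v
fi
_________________________ ipsec/directory
ipsec --directory
_________________________ hostname/fqdn
hostname --fqdn
_________________________ hostname/ipaddress
hostname --ip-address
_________________________ uptime
uptime
_________________________ ps
# -i ppid picks up the header
# (grep -E rather than egrep: newer GNU grep warns about egrep on stderr,
# and stderr is part of this report)
ps alxwf | grep -E -i 'ppid|pluto|ipsec|klips'
# The configuration and the secrets file reach the report only through the
# censor helpers.  NOTE(review): presumably these blank key material; what
# they cover should be confirmed in ipsec _keycensor / _secretcensor before
# a report is shared.
_________________________ ipsec/conf
ipsec readwriteconf --config /etc/ipsec.conf | ipsec _keycensor
_________________________ ipsec/secrets
cat /etc/ipsec.secrets | ipsec _secretcensor
_________________________ ipsec/listall
ipsec whack --listall
# listings of the NSS database (certutil -L and crlutil -L)
_________________________ nss/contents
certutil -L -d sql:/var/lib/ipsec/nss
_________________________ nss/crls
crlutil -L -d sql:/var/lib/ipsec/nss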
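# Dump every policy group file, each under its own divider.  POLICIES is
# only non-empty when the policies directory has entries.
if [ -n "$POLICIES" ]
then
	for policy in "$POLICIES"/*
	do
		base=$(basename "$policy")
		# One quoted word: the divider function runs its second argument
		# as a command, so a file name containing blanks must not be
		# split into several words here.
		_________________________ "ipsec/policies/$base"
		cat "$policy"
	done
fi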
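_________________________ ipsec/ls-execdir
# quoted, so an unset IPSEC_EXECDIR gives an error instead of silently
# listing the current directory
ls -l "$IPSEC_EXECDIR"
_________________________ /proc/net/dev
cat /proc/net/dev
_________________________ /proc/net/route
cat /proc/net/route
# kernel network settings (forwarding, PMTU discovery, rp_filter, redirects)
_________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
cat /proc/sys/net/ipv4/ip_no_pmtu_disc
_________________________ /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
_________________________ /proc/sys/net/ipv4/tcp_ecn
cat /proc/sys/net/ipv4/tcp_ecn
_________________________ /proc/sys/net/ipv4/conf/star-rp_filter
# grep '^' prints each file's content prefixed with its name
( cd /proc/sys/net/ipv4/conf && grep -E '^' */rp_filter )
_________________________ /proc/sys/net/ipv4/conf/star-star-redirects
( cd /proc/sys/net/ipv4/conf && grep -E '^' */*redirects )
_________________________ /proc/sys/net/ipv4/tcp_window_scaling
cat /proc/sys/net/ipv4/tcp_window_scaling
_________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
cat /proc/sys/net/ipv4/tcp_adv_win_scale
_________________________ uname-a
uname -a
_________________________ config-built-with
if test -r /proc/config_built_with
then
	cat /proc/config_built_with
fi
_________________________ distro-release
for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
do
	if test -f "$distro"
	then
		cat "$distro"
	fi
done
_________________________ /proc/net/ipsec_version
# ipsec_version present: print it; otherwise pfkey present: report NETKEY
if test -r /proc/net/ipsec_version
then
	cat /proc/net/ipsec_version
else
	if test -r /proc/net/pfkey
	then
		echo "NETKEY ($(uname -r)) support detected "
	else
		echo "no KLIPS or NETKEY support detected"
	fi
fi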
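# Firewall rules.  The *-save form is preferred; the -L listings are the
# fallback when only the plain tool is present.
# NOTE(review): --modprobe=/dev/null presumably keeps the dump from loading
# kernel modules as a side effect -- confirm against iptables-save(8).
_________________________ iptables
if test -e /proc/net/ip_tables_names
then
	if test -r /sbin/iptables-save -o -r /usr/sbin/iptables-save
	then
		iptables-save --modprobe=/dev/null
	else
		if test -r /sbin/iptables -o -r /usr/sbin/iptables
		then
			iptables -L -v -n
			_________________________ iptables-nat
			grep ^nat /proc/net/ip_tables_names > /dev/null 2>/dev/null &&
				iptables -t nat -L -v -n
			_________________________ iptables-mangle
			grep ^mangle /proc/net/ip_tables_names > /dev/null 2>/dev/null &&
				iptables -t mangle -L -v -n
		fi
	fi
fi
_________________________ ip6tables
# The table list is tested by its full /proc path.  A bare file name would
# be looked up in the current directory, and the IPv6 rules would then be
# missing from the report with nothing to show that they were skipped.
if test -e /proc/net/ip6_tables_names
then
	if test -r /sbin/ip6tables-save -o -r /usr/sbin/ip6tables-save
	then
		ip6tables-save --modprobe=/dev/null
	else
		if test -r /sbin/ip6tables -o -r /usr/sbin/ip6tables
		then
			ip6tables -L -v -n
			# There is no IPv6 NAT yet (hopefully that will remain so)
			_________________________ ip6tables-mangle
			grep ^mangle /proc/net/ip6_tables_names > /dev/null 2>/dev/null &&
				ip6tables -t mangle -L -v -n
		fi
	fi
fi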
# Loaded kernel modules, or a fixed message when /proc/modules is absent.
_________________________ /proc/modules
if test -f /proc/modules
then
cat /proc/modules
else
echo "kernel without module support"
fi
_________________________ /proc/meminfo
cat /proc/meminfo
#obsolete? not on my klips system
#_________________________ dev/ipsec-ls
#ls -l /dev/ipsec*
_________________________ /proc/net/ipsec-ls
# The /proc/net/ipsec_* entries are listed only when ipsec_version exists.
if test -f /proc/net/ipsec_version
then
ls -l /proc/net/ipsec_*
fi
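# Kernel build options that matter for IPsec, taken from /proc/config.gz or,
# failing that, from the build tree of the running kernel.
_________________________ usr/src/linux/.config
if test -f /proc/config.gz
then
	zcat /proc/config.gz | grep -E 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
elif test -f "/lib/modules/$(uname -r)/build/.config"
then
	grep -E 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM' "/lib/modules/$(uname -r)/build/.config"
else
	echo "no .config file found, cannot list kernel properties"
fi
# Each file follows its own divider, so the reader can tell which output
# belongs to which logging configuration.
_________________________ etc/syslog.conf
cat /etc/syslog.conf
_________________________ etc/syslog-ng/syslog-ng.conf
cat /etc/syslog-ng/syslog-ng.conf
_________________________ etc/resolv.conf
cat /etc/resolv.conf
_________________________ lib/modules-ls
ls -ltr /lib/modules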
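_________________________ fipscheck
cat /proc/sys/crypto/fips_enabled
_________________________ /proc/ksyms-netif_rx
# look for netif_rx in whichever kernel symbol table is readable
if test -r /proc/ksyms
then
	grep -E netif_rx /proc/ksyms
elif test -r /proc/kallsyms
then
	grep -E netif_rx /proc/kallsyms
else
	echo "broken (redhat/fedora) 2.6 kernel without kallsyms"
fi
_________________________ lib/modules-netif_rx
modulegoo kernel/net/ipv4/ipip.o netif_rx
_________________________ kern.debug
# $LOGS may be supplied by the caller, hence the quoting
if test -f "$LOGS/kern.debug"
then
	tail -n 100 "$LOGS/kern.debug"
fi
_________________________ klog
# kernel ring buffer lines that mention klips or ipsec
dmesg | grep -E -i "klips|ipsec"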
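_________________________ plog
# Pluto messages: the last hour of the ipsec.service journal when journalctl
# is installed, otherwise the log file located earlier, from line $pline on.
# --short is honoured only when it is the first positional parameter at
# this point; it limits the section to the last 500 lines.
if test -x /usr/bin/journalctl
then
	journalctl -u ipsec.service --no-pager --since "1 hour ago" |
		case "$1" in
		--short)
			tail -n 500 ;;
		*)
			cat ;;
		esac
else
	# quoted: $plog is derived from $LOGS, which the caller can set
	sed -n "${pline},\$p" "$plog" |
		grep -E -i 'pluto' |
		case "$1" in
		--short)
			tail -n 500 ;;
		*)
			cat ;;
		esac
fi
_________________________ date
date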