[strongSwan-dev] logging: unique connection IDs?
Harald Dunkel
harald.dunkel at aixigo.com
Mon Aug 19 10:16:45 CEST 2019
Hi Tobias,
On 8/16/19 3:27 PM, Tobias Brunner wrote:
> Hi Harald,
>
>> if I restart charon, then the connection IDs in the logfile start
>> by 1 again, making logfile analysis pretty difficult. The IDs are
>> not unique.
>
> Couldn't you e.g. split the log based on messages referring to the
> daemon's restart before analyzing it (or consider the timestamps in your
> analysis).
>
Doesn't really help: The log files are already rotated. I would have
to distinguish between "old" and "new" log files, i.e. introduce my
own connection ids.
>> Would it be possible to use a random number for the first ID after
>> a restart instead? Still not perfect, but the chance to get unique
>> IDs is much higher.
>
> Hm, these are simply static variables initialized to zero (one for IKE
> and one for CHILD SAs). I suppose it would theoretically be possible to
> initialize them to a random value as an option somehow. But we'd have
> to make sure they are only initialized once, so wrap-arounds and
> concurrency are handled properly, however, we don't have a portable
> pthread_once abstraction yet.
>
Maybe it would be possible to use an alphanumeric identifier similar
to the connection identifiers in sendmail's log file, e.g.
"x7J7j1kb2487133". Could be generated using something like
echo $n $remoteIP $remoteport $localIP $localport `date` | md5sum
or another cryptographic function. I am sure you get the idea. $n
is the current incremental connection id, still starting at 1 with
each restart.
Regards
Harri