#! /bin/sh
# dump assorted information of use in debugging
# Copyright (C) 1998, 1999  Henry Spencer.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: barf.in,v 1.107.2.7 2006-11-07 03:49:18 paul Exp $

LOGS=${LOGS-/var/log}
CONFS=${IPSEC_CONFS-/etc}
CONFDDIR=${IPSEC_CONFDDIR-/etc/ipsec.d}
me="/usr/lib/ipsec/barf"
# Max lines to use for things like 'route -n'
maxlines=100

# kludge to produce no barf output mentioning policygroups if none are present.
# This will not catch ".file" policygroups. 
PREPOLICIES=${CONFDDIR}/policies
if [ `ls $PREPOLICIES 2> /dev/null | wc -l` -ne 0 ]
then
	POLICIES=$PREPOLICIES
fi

# message patterns that start relevant parts of logs
pluto_start='Starting IKEv1 pluto daemon'
charon_start='Starting IKEv2 charon daemon'
plutolognull='no'

case "$1" in
--help)		echo "Usage: ipsec barf" ; exit 0	;;
--version)	echo "$me $IPSEC_VERSION" ; exit 0	;;
--maxlines)     maxlines=$2; shift;;
esac

# make sure output is in English
unset LANG LANGUAGE LC_ALL LC_MESSAGES

# log-location guesser, results in $findlog_file and $findlog_startline
# Fine point:  startline is the *last* line containing "string", or
# failing that, the *first* line containing "fallbackstring".
findlog() {		# findlog string fallbackstring possiblefile ...
	s="$1"
	shift
	t="$1"
	shift
	# try the suggested files first
	for f in $*
	do
		if test -s $LOGS/$f -a -f $LOGS/$f && egrep -q "$s" $LOGS/$f
		then
			# aha, this one has it
			findlog_file=$LOGS/$f
			findlog_startline=`egrep -n "$s" $LOGS/$f |
				sed -n '$s/:.*//p'`
			return 0
		fi
	done
	for f in $*
	do
		if test -s $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
		then
			# aha, this one has it
			findlog_file=$LOGS/$f
			findlog_startline=`egrep -n "$t" $LOGS/$f |
				sed -n '1s/:.*//p'`
			return 0
		fi
	done
	# nope, resort to a search, newest first, of uncompressed logs
	for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
	do
		if test -f $LOGS/$f -a ! -d $LOGS/$f && egrep -q "$s" $LOGS/$f
		then
			# found it
			findlog_file=$LOGS/$f
			findlog_startline=`egrep -n "$s" $LOGS/$f |
				sed -n '$s/:.*//p'`
			return 0
		fi
	done
	for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
	do
		if test -s $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
		then
			# found it
			findlog_file=$LOGS/$f
			findlog_startline=`egrep -n "$t" $LOGS/$f |
				sed -n '1s/:.*//p'`
			return 0
		fi
	done
# 	echo "$0: unable to find $LOGS/$1 or local equivalent" >&2
	findlog_file=/dev/null
	findlog_startline=1		# arbitrary
}

# try to guess where logs are
findlog "$pluto_start" "nothing-else" messages syslog auth.log daemon.log
if test " $findlog_file" = " /dev/null" 
then
echo "Unable to find IKEv1 messages, typically found in /var/log/messages or equivalent. You may need to run Strongswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
plutolognull='yes'
fi
plutolog=$findlog_file
kline=$findlog_startline

findlog "$charon_start" "nothing-else" secure auth.log daemon.log debug
if test " $findlog_file" = " /dev/null" 
then
if test 'plutolognull' = 'yes'
then
echo "Unable to find IKEv2 messages, typically found in /var/log/secure or equivalent. You may need to run Strongswan for the first time or you may have IKEv2 turned off; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
else
echo "Unable to find IKEv2 messages. Strongswan might be running with IKEv2 turned off or alternatively, your log files have been emptied (ie, logwatch)"
fi
fi 
charonlog=$findlog_file
pline=$findlog_startline

# /lib/modules examiner
modulegoo() {
	set +x
	for d in `ls /lib/modules`
	do
		if test -d /lib/modules/$d
		then
			f=/lib/modules/$d/$1
			if test -f $f
			then
				nm -g $f | egrep "$2"
			else
				echo
			fi | sed "s;^;$d: ;"
		fi
	done
	set -x
}

# advanced shell deviousness to get dividers into output
_________________________() {
	$2	# something to do nothing and not echo anything
}

exec 2>&1		# stderr on stdout, so errors go into main output

hostname ; date
set -x
_________________________ version
ipsec --version
_________________________ /proc/net/pfkey
if test -r /proc/net/pfkey
then
	cat /proc/net/pfkey
_________________________ ip-xfrm-state
	ip -s xfrm state
_________________________ ip-xfrm-policy
	ip -s xfrm policy
fi
_________________________ /proc/sys/net/ipsec-star
if test -d /proc/sys/net/ipsec
then
	( cd /proc/sys/net/ipsec && egrep '^' * )
fi
_________________________ ipsec/status
ipsec statusall
_________________________ routing/tables
ip rule list
_________________________ ip/route
/opt/vyatta/bin/vtyshow.pl show ip route
_________________________ ipsec/directory
ipsec --directory
_________________________ ps
# -i ppid picks up the header
ps alxwf | egrep -i 'ppid|pluto|ipsec|klips'
_________________________ ipsec/conf
/usr/lib/ipsec/_include $CONFS/ipsec.conf | /usr/lib/ipsec/_keycensor
_________________________ ipsec/secrets
/usr/lib/ipsec/_include $CONFS/ipsec.secrets | /usr/lib/ipsec/_secretcensor
_________________________ ipsec/listall
ipsec listall
if [ $POLICIES ]
then
	for policy in $POLICIES/*; do base=`basename $policy`;
	   _________________________ ipsec/policies/$base
	   cat $policy
	done
fi
_________________________ /proc/net/ipsec_version
if test -r /proc/net/ipsec_version
then
	cat /proc/net/ipsec_version
else
	if test -r /proc/net/pfkey
	then
		echo "NETKEY (`uname -r`) support detected "
	else
		echo "no KLIPS or NETKEY support detected"
	fi
fi
_________________________ /proc/net/ipsec-ls
if test -f /proc/net/ipsec_version
then
	ls -l /proc/net/ipsec_*
fi
_________________________ plutolog
sed -n $kline,'$'p $plutolog |
	egrep -i 'pluto' |
	case "$1" in
	--short)	tail -500	;;
	*)		cat		;;
	esac
_________________________ charonlog
sed -n $pline,'$'p $charonlog |
	egrep -i 'charon' |
	case "$1" in
	--short)	tail -500	;;
	*)		cat		;;
	esac
_________________________ date
date
