/testing/guestbin/swan-prep kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# cp policies/* /etc/ipsec.d/policies/ kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# echo "0.0.0.0/0" >> /etc/ipsec.d/policies/block kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# ipsec start Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Redirecting to: /etc/init.d/ipsec start Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Starting pluto IKE daemon for IPsec: kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# /testing/pluto/bin/wait-until-pluto-started kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# # give OE policies time to load kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# sleep 5 kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# echo "initdone" initdone kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# ../../pluto/bin/ipsec-look.sh ==== cut ==== start raw xfrm state: src 0.0.0.0/0 dst 192.1.2.23/32 \ dir fwd action block priority 1564639 ptype main \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 0 mode transport\ src 0.0.0.0/0 dst 192.1.2.23/32 \ dir in action block priority 1564639 ptype main \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 0 mode transport\ src 192.1.2.23/32 dst 0.0.0.0/0 \ dir out action block priority 1564639 ptype main \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 0 mode transport\ src 192.1.2.253/32 dst 192.1.2.23/32 \ dir fwd priority 1564639 ptype main \ src 192.1.2.253/32 dst 192.1.2.23/32 \ dir in priority 1564639 ptype main \ src 192.1.2.23/32 dst 192.1.2.253/32 \ dir out priority 1564639 ptype main \ src 192.1.3.253/32 dst 192.1.2.23/32 \ dir fwd priority 1564639 ptype main \ src 192.1.3.253/32 dst 192.1.2.23/32 \ dir in priority 1564639 ptype main \ src 192.1.2.23/32 dst 192.1.3.253/32 \ dir out priority 1564639 ptype main \ src 192.1.3.254/32 dst 192.1.2.23/32 \ dir fwd priority 1564639 ptype main \ src 192.1.3.254/32 dst 192.1.2.23/32 \ dir in priority 1564639 ptype main \ src 192.1.2.23/32 dst 192.1.3.254/32 \ dir out priority 1564639 ptype main \ src 192.1.2.254/32 dst 192.1.2.23/32 \ dir fwd priority 1564639 ptype main \ src 192.1.2.254/32 dst 192.1.2.23/32 \ dir in priority 1564639 ptype main \ src 192.1.2.23/32 dst 192.1.2.254/32 \ dir out priority 1564639 ptype main \ end raw xfrm state: ==== tuc ==== east Mon Aug 26 18:30:46 UTC 2019 XFRM state: XFRM policy: src 0.0.0.0/0 dst 192.1.2.23/32 dir fwd action block priority 1564639 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 0 mode transport src 0.0.0.0/0 dst 192.1.2.23/32 dir in action block priority 1564639 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 0 mode transport src 192.1.2.23/32 dst 0.0.0.0/0 dir out action block priority 1564639 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 0 mode transport src 192.1.2.23/32 dst 192.1.2.253/32 dir out priority 1564639 ptype main src 192.1.2.23/32 dst 192.1.2.254/32 dir out priority 1564639 ptype main src 192.1.2.23/32 dst 192.1.3.253/32 dir out priority 1564639 ptype main src 192.1.2.23/32 dst 192.1.3.254/32 dir out priority 1564639 ptype main src 192.1.2.253/32 dst 192.1.2.23/32 dir fwd priority 1564639 ptype main src 192.1.2.253/32 dst 192.1.2.23/32 dir in priority 1564639 ptype main src 192.1.2.254/32 dst 192.1.2.23/32 dir fwd priority 1564639 ptype main src 192.1.2.254/32 dst 192.1.2.23/32 dir in priority 1564639 ptype main src 192.1.3.253/32 dst 192.1.2.23/32 dir fwd priority 1564639 ptype main src 192.1.3.253/32 dst 192.1.2.23/32 dir in priority 1564639 ptype main src 192.1.3.254/32 dst 192.1.2.23/32 dir fwd priority 1564639 ptype main src 192.1.3.254/32 dst 192.1.2.23/32 dir in priority 1564639 ptype main XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 via 192.1.2.45 dev eth1 192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# # should not show any hits kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# grep "negotiated connection" /tmp/pluto.log kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'grep "negotiated connection" /tmp/pluto.log' <<<<<<<<<<tuc<<<<<<<<<<: ==== cut ==== kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# ipsec auto --status whack: is Pluto running? connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused) kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 final.sh 'ipsec auto --status' <<<<<<<<<<tuc<<<<<<<<<<: ==== tuc ==== kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# ../bin/check-for-core.sh kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi type=AVC msg=audit(1566844133.486:265910): avc: denied { write } for pid=7504 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=295084539 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 type=AVC msg=audit(1566844133.996:266013): avc: denied { write } for pid=8463 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=63889669 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]# : ==== end ==== kroot@swantest:/home/build/libreswan/testing/pluto/newoe-18-poc-blockall\[root@east newoe-18-poc-blockall]#