Use 'conntrack' for 'show connections'

Shorewall/changelog.txt

@@ -2,6 +2,8 @@ Changes in Shorewall 4.4.14
 
 1)  Support ipset lists.
 
+2)  Use conntrack in 'shorewall connections'
+
 Changes in Shorewall 4.4.13
 
 1)  Allow zone lists in rules SOURCE and DEST.

Shorewall/lib.cli

@@ -524,11 +524,17 @@ show_command() {
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
-	    echo
-	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
+	    if mywhich conntrack ; then
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+		echo
+		conntrack -f ipv4 -L
+	    else
+		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+		echo
+		[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
+	    fi
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1

Shorewall/releasenotes.txt

@@ -23,6 +23,9 @@ None.
 1)  On systems running Upstart, shorewall-init cannot reliably start the
     firewall before interfaces are brought up.
 
+2)  Shorewall now uses the 'conntrack' utility for 'show connections'
+    if that utility is installed.
+
 ----------------------------------------------------------------------------
       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

Shorewall6/lib.cli

@@ -448,11 +448,17 @@ show_command() {
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+	    if mywhich conntrack ; then
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+		echo
+		conntrack -f ipv6 -L
+	    else
+		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+		echo
+		grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+	    fi
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1