Use 'conntrack' for 'show connections'

Tom Eastep 2010-09-23 19:08:40 -07:00
parent 611c33e052
commit 0f4d8eb929
4 changed files with 27 additions and 10 deletions


@ -2,6 +2,8 @@ Changes in Shorewall 4.4.14
1) Support ipset lists. 1) Support ipset lists.
2) Use conntrack in 'shorewall connections'
Changes in Shorewall 4.4.13 Changes in Shorewall 4.4.13
1) Allow zone lists in rules SOURCE and DEST. 1) Allow zone lists in rules SOURCE and DEST.


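--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -524,11 +524,17 @@ show_command() {
 case "$1" in
 connections)
 [ $# -gt 1 ] && usage 1
-local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
-echo
-[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
+if mywhich conntrack ; then
+echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+echo
+conntrack -f ipv4 -L
+else
+local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+echo
+[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
+fi
 ;;
 nat)
 [ $# -gt 1 ] && usage 1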
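Review bot: The exit status of `conntrack -f ipv4 -L` on the new side is never checked, so when the binary is installed but the listing fails (e.g. the kernel side of conntrack's netlink interface is unavailable) the user sees the header followed by an empty table, and the `/proc` listing in the `else` branch is never reached because `mywhich conntrack` already succeeded. Consider at least surfacing the failure, `conntrack -f ipv4 -L || echo "conntrack -L failed; see /proc/net/nf_conntrack" >&2`, or falling back to the `/proc` listing when it fails. The conntrack branch also drops the `($count out of $max)` figures that the fallback header still prints, although both sysctl files under `/proc/sys/net/netfilter/` remain readable whichever tool lists the table, so the header could stay identical in both branches. The same two points apply to the `conntrack -f ipv6 -L` hunk in the fourth file. `show_command()` begins before this hunk and the `case` statement continues past it.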


@ -23,6 +23,9 @@ None.
1) On systems running Upstart, shorewall-init cannot reliably start the 1) On systems running Upstart, shorewall-init cannot reliably start the
firewall before interfaces are brought up. firewall before interfaces are brought up.
2) Shorewall now uses the 'conntrack' utility for 'show connections'
if that utility is installed.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E I I I. N E W F E A T U R E S I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


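--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -448,11 +448,17 @@ show_command() {
 case "$1" in
 connections)
 [ $# -gt 1 ] && usage 1
-local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-echo
-grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+if mywhich conntrack ; then
+echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+echo
+conntrack -f ipv6 -L
+else
+local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+echo
+grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+fi
 ;;
 tos|mangle)
 [ $# -gt 1 ] && usage 1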