Use 'conntrack' for 'show connections'

Tom Eastep 2010-09-23 19:08:40 -07:00
parent 611c33e052
commit 0f4d8eb929
4 changed files with 27 additions and 10 deletions


@ -2,6 +2,8 @@ Changes in Shorewall 4.4.14
1) Support ipset lists.
2) Use conntrack in 'shorewall connections'
Changes in Shorewall 4.4.13
1) Allow zone lists in rules SOURCE and DEST.


@ -524,11 +524,17 @@ show_command() {
case "$1" in
connections)
[ $# -gt 1 ] && usage 1
if mywhich conntrack ; then
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
echo
conntrack -f ipv4 -L
else
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
echo
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
fi
;;
nat)
[ $# -gt 1 ] && usage 1
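Review bot: The new conntrack branch prints `echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"` and so drops the "(count out of max)" figures that the fallback branch still prints, which means the header of `show connections` changes shape depending only on whether the conntrack utility is installed. The two /proc/sys reads do not depend on conntrack, so they can be hoisted above the `if` and the header shared: put `local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)` and `local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)` before `if mywhich conntrack ; then` and emit the single "($count out of $max)" header in both paths. The IPv6 variant in the fourth file section has the same split. show_command starts outside the hunk; mywhich is presumably the project's command-lookup helper.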


@ -23,6 +23,9 @@ None.
1) On systems running Upstart, shorewall-init cannot reliably start the
firewall before interfaces are brought up.
2) Shorewall now uses the 'conntrack' utility for 'show connections'
if that utility is installed.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------


@ -448,11 +448,17 @@ show_command() {
case "$1" in
connections)
[ $# -gt 1 ] && usage 1
if mywhich conntrack ; then
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
echo
conntrack -f ipv6 -L
else
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
echo
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
fi
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
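Review bot: `conntrack -f ipv6 -L` is run without checking its exit status, so when the utility is present but the listing fails (the `mywhich` check only proves the binary exists; the listing itself can fail, for example if the kernel support it needs is missing), the command prints the header and then nothing, and an operator cannot tell that from "no connections". Reporting the failure keeps the output honest, e.g. `conntrack -f ipv6 -L || echo "conntrack -L failed (exit $?)" >&2`. The IPv4 counterpart in the second file section has the same gap. show_command's body continues outside the hunk.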