Implement 'show ipsec'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 07:33:43 +01:00 · 2016-12-23 10:01:40 -08:00 · 2016-12-23 10:01:40 -08:00 · 1b97783c23
commit 1b97783c23
parent c9f45277b8
2 changed files with 50 additions and 27 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -1161,6 +1161,38 @@ show_a_macro() {
    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
    cat ${directory}/macro.$1
 }
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
+show_ipsec() {
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+}
+
+show_ipsec_command() {
+    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
+    show_ipsec
+}

 #
 # Show Command Executor
@ -1427,6 +1459,10 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
+	ipsec)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_ipsec_command $g_pager
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@ -1579,19 +1615,6 @@ show_status() {

 }

-#
-# Don't dump empty SPD entries
-#
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
-}
-
 #
 # Dump Command Executor
 #
@ -1742,10 +1765,7 @@ do_dump_command() {
    heading "Events"
    show_events

-    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
-    heading "PFKEY SAD"
-    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+    show_ipsec

    heading "/proc"
    show_proc /proc/version
@ -1945,15 +1965,6 @@ read_yesno_with_timeout() {
    fi
 }

-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@ -4310,6 +4321,7 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
    fi

+    echo "   [ show | list | ls ] ipsec"
    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
    ecko "   [ show | list | ls ] macro <macro>"
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@ -695,7 +695,7 @@
      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
-      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
+      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@ -2503,6 +2503,17 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.0. Displays the contents of the
+                IPSEC <firstterm>Security Policy Database</firstterm> (SPD)
+                and <firstterm>Security Association Database</firstterm>
+                (SAD). SAD keys are not displayed.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>[-<option>m</option>] <emphasis
              role="bold">log</emphasis></term>