From 1b97783c2326c9d67ccdfce0f1c50cf96853a08e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 23 Dec 2016 10:01:40 -0800
Subject: [PATCH] Implement 'show ipsec'

Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 64 ++++++++++++++++-----------
 Shorewall-core/manpages/shorewall.xml | 13 +++++-
 2 files changed, 50 insertions(+), 27 deletions(-)

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index af48f95a7..6b14c6775 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1161,6 +1161,38 @@ show_a_macro() {
 echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
 cat ${directory}/macro.$1
 }
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+ awk \
+ 'BEGIN { skip=0; }; \
+ /^src/ { skip=0; }; \
+ /^src 0.0.0.0\/0/ { skip=1; }; \
+ /^src ::\/0/ { skip=1; }; \
+ { if ( skip == 0 ) print; };'
+}
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+ echo
+ echo "$@"
+ echo
+}
+
+show_ipsec() {
+ heading "PFKEY SPD"
+ $IP -s xfrm policy | spd_filter
+ heading "PFKEY SAD"
+ $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+}
+
+show_ipsec_command() {
+ echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
+ show_ipsec
+}
 #
 # Show Command Executor
@@ -1427,6 +1459,10 @@ show_command() {
 $g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
 fi
 ;;
+ ipsec)
+ [ $# -gt 1 ] && too_many_arguments $2
+ eval show_ipsec_command $g_pager
+ ;;
 *)
 case "$PRODUCT" in
 *-lite)
@@ -1579,19 +1615,6 @@ show_status() {
 }
-#
-# Don't dump empty SPD entries
-#
-spd_filter()
-{
- awk \
- 'BEGIN { skip=0; }; \
- /^src/ { skip=0; }; \
- /^src 0.0.0.0\/0/ { skip=1; }; \
- /^src ::\/0/ { skip=1; }; \
- { if ( skip == 0 ) print; };'
-}
-
 #
 # Dump Command Executor
 #
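Review bot: The key-suppression filter in show_ipsec, `egrep -v '[[:space:]]+(auth-trunc|enc )'`, drops only `auth-trunc` and `enc` lines, so a SAD entry whose key is printed on an `aead` line (AES-GCM and similar) or on a plain `auth` line would still have its key emitted by `show ipsec` and by the dump, contrary to the trailing `# Don't divulge the keys` comment and to the manpage text "SAD keys are not displayed". The filter is inherited from the block moved out of do_dump_command, but `show ipsec` turns it into a first-class command whose output is likely to be pasted into support reports, so the gap matters more now. Widening it to `grep -E -v '[[:space:]]+(auth|auth-trunc|aead|enc)[[:space:]]'` covers the key-bearing line types I know `ip xfrm state` to print (worth confirming against the output of the iproute2 versions Shorewall supports) and also drops the deprecated `egrep`. `$IP -s xfrm policy` is run without `-$g_family` while the state dump passes it; if that is deliberate because spd_filter already handles both `0.0.0.0/0` and `::/0`, a one-line comment saying so would save the next reader the question. The comment above heading() reads `black lines` where `blank lines` is meant.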
@@ -1742,10 +1765,7 @@ do_dump_command() {
 heading "Events"
 show_events
- heading "PFKEY SPD"
- $IP -s xfrm policy | spd_filter
- heading "PFKEY SAD"
- $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+ show_ipsec
 heading "/proc"
 show_proc /proc/version
@@ -1945,15 +1965,6 @@ read_yesno_with_timeout() {
 fi
 }
-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
- echo
- echo "$@"
- echo
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -4310,6 +4321,7 @@ usage() # $1 = exit status
 echo " [ show | list | ls ] ipa"
 fi
+ echo " [ show | list | ls ] ipsec"
 echo " [ show | list | ls ] [ -m ] log []"
 echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
 ecko " [ show | list | ls ] macro "
diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml
index 80a66145d..5dad5d6e2 100644
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -695,7 +695,7 @@
+ choice="req">
@@ -2503,6 +2503,17 @@
+
+ ipsec
+
+
+ Added in Shorewall 5.1.0. Displays the contents of the
+ IPSEC Security Policy Database (SPD)
+ and Security Association Database
+ (SAD). SAD keys are not displayed.
+
+
 [-] log