Implement 'show ipsec'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1161,6 +1161,38 @@ show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
 }
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
+show_ipsec() {
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+}
+
+show_ipsec_command() {
+    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
+    show_ipsec
+}
 
 #
 # Show Command Executor
@@ -1427,6 +1459,10 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
+	ipsec)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_ipsec_command $g_pager
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1579,19 +1615,6 @@ show_status() {
 
 }
 
-#
-# Don't dump empty SPD entries
-#
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
-}
-
 #
 # Dump Command Executor
 #
@@ -1742,10 +1765,7 @@ do_dump_command() {
     heading "Events"
     show_events
 
-    heading "PFKEY SPD"
+    show_ipsec
-    $IP -s xfrm policy | spd_filter
-    heading "PFKEY SAD"
-    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 
     heading "/proc"
     show_proc /proc/version
@@ -1945,15 +1965,6 @@ read_yesno_with_timeout() {
     fi
 }
 
-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -4310,6 +4321,7 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
     fi
 
+    echo "   [ show | list | ls ] ipsec"
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
     echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
     ecko "   [ show | list | ls ] macro <macro>"

Shorewall-core/manpages/shorewall.xml

@@ -695,7 +695,7 @@
       <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
+      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -2503,6 +2503,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.0. Displays the contents of the
+                IPSEC <firstterm>Security Policy Database</firstterm> (SPD)
+                and <firstterm>Security Association Database</firstterm>
+                (SAD). SAD keys are not displayed.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>[-<option>m</option>] <emphasis
               role="bold">log</emphasis></term>