From 51d5ec6b2be713418d72748f0f2bfcdb3cbd667a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 12 Jul 2013 16:07:22 -0700
Subject: [PATCH] Make the output of 'show event[2] understandable

Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 48 +++++++++++++++++++++++++++++++++++++-----
 docs/Events.xml        | 44 +++++++++++++++++++++++++-------------
 2 files changed, 72 insertions(+), 20 deletions(-)

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 99c836149..c6371cb4e 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -729,22 +729,60 @@ show_nfacct() {
     fi
 }
 
+show_event() {
+    local address
+    local ttl_label
+    local ttl
+    local last_seen
+    local last
+    local oldest_pkt
+    local oldest
+    local intimes
+    local outtimes1
+    local outtimes2
+    local time
+    local count
+
+    while read address ttl_label ttl last_seen last oldest_pkt oldest intimes; do
+        outtimes1=''
+        outtimes2=''
+        count=0
+        last=$((($currenttime - $last)/1000))
+        for time in $intimes; do
+            time=${time%,}
+            time=$((($currenttime - $time)/1000))
+            if [ $count -lt $oldest ]; then
+                outtimes2="$outtimes2 $time"
+            else
+                outtimes1="$outtimes1 $time"
+            fi
+            count=$(($count + 1))
+        done
+        echo " $address :${outtimes1}${outtimes2}"
+    done < /proc/net/xt_recent/$1
+
+}
+
 show_events() {
     local file
     local base
+    local currenttime
 
     if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then
         echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
         echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
-        echo Current time: $(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -)
-        echo
+        currenttime=$(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -)
+        # echo Current time: $currenttime
+        # echo
+    else
+        currenttime=0
     fi
 
     if [ $# -gt 0 ]; then
         for event in $@ ; do
             if [ -f /proc/net/xt_recent/$event ]; then
                 echo $event:
-                cat /proc/net/xt_recent/$event
+                show_event $event
                 echo
             else
                 error_message "WARNING: Event $event not found"
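Review bot: When `/proc/net/xt_recent/%CURRENTTIME` is absent, the new `else` branch in `show_events` sets `currenttime=0` and still calls `show_event`, so every `$((($currenttime - $time)/1000))` conversion prints a large negative "seconds ago" figure rather than anything a reader can interpret. `show_event` also reads `$currenttime` as a bare global that exists only because the caller's `local currenttime` leaks through dynamic scoping, so the helper cannot be reused or tested on its own. I would pass the reference time explicitly (`show_event $event $currenttime` at the call site, `local currenttime=${2:-0}` at the top of `show_event`) and fall back to the raw listing when it is unavailable: `[ "$currenttime" -gt 0 ] || { cat /proc/net/xt_recent/$1; return; }`. The `last=$((($currenttime - $last)/1000))` line and the `ttl` field are computed/read but never used in the output, so either show them or drop that line. The body of `show_events` continues past the end of this hunk.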
@@ -755,8 +793,8 @@ show_events() { base=$(basename $file) if [ $base != %CURRENTTIME ]; then - echo $(basename $file) - cat $file + echo $base + show_event $base echo fi done diff --git a/docs/Events.xml b/docs/Events.xml index 270c26dfb..41c4cf8d3 100644 --- a/docs/Events.xml +++ b/docs/Events.xml 
@@ -421,28 +421,42 @@ the events listed in the command while show events lists the contents of all events. - root@gateway:~# shorewall show events -Shorewall 4.5.19-Beta2 events at gateway - Fri Jul 12 13:21:27 PDT 2013 + root@gateway:/usr/src/linux-source-3.2/net/netfilter# shorewall show events +Shorewall 4.5.19-Beta2 events at gateway - Fri Jul 12 15:57:20 PDT 2013 -Current time: 4404787304 <================ Times are 'milliseconds since boot' +SSH + src=125.46.13.163 : 3453 + src=200.59.55.50 : 3900 3900 + src=65.182.111.112 : 2946 -SSH <================= This and the next event are created by the Autoblacklist example below -src=125.46.13.163 ttl: 114 last_seen: 4403672214 oldest_pkt: 1 4403672214 -src=200.59.55.50 ttl: 32 last_seen: 4403225346 oldest_pkt: 2 4403225096, 4403225346 -src=65.182.111.112 ttl: 118 last_seen: 4404178828 oldest_pkt: 1 4404178828 +SSH_COUNTER -SSH_COUNTER <====================== This event has not occurred recently. - -sticky001 <================== This and the next events are generated by the Shorewall SAME rule target. -src=172.20.1.146 ttl: 64 last_seen: 4404774586 oldest_pkt: 9 4404731690, 4404731690, 4404731690, 4404731690, 4404731690, 4404731691, 4404750647, 4404774560, 4404774586, 4404731667, 4404731667, 4404731669, 4404731669, 4404731669, 4404731669, 4404731669, 4404731669, 4404731688, 4404731689, 4404731689 +sticky001 + src=172.20.1.146 : 8 8 8 8 8 8 8 8 8 8 8 8 8 8 7 7 7 7 7 7 sticky002 -src=172.20.1.213 ttl: 128 last_seen: 4404785474 oldest_pkt: 6 4404785172, 4404785215, 4404785324, 4404785397, 4404785407, 4404785474, 4404767925, 4404767925, 4404767925, 4404767942, 4404768011, 4404768011, 4404768011, 4404768012, 4404768014, 4404768014, 4404768042, 4404768042, 4404768042, 4404768043 + src=172.20.1.213 : 53 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 46 46 -root@gateway:~# +root@gateway:/usr/src/linux-source-3.2/net/netfilter# - Note that the times of the recent events are recorded for each - address. 
+ The SSH and SSH_COUNTER events are created using the following + Automatic Blacklisting example. The sticky001 and sticky002 events are + created by the SAME rule action. + + Each line represents one event. The list of numbers following the + ':' represent the number of seconds ago that a matching packet triggered + the event. The numbers are in chronological sequence, so In this event, + there were 20 packets from 172.20.1.213 that arrived between 53 and 46 + seconds ago: + + sticky002 + src=172.20.1.213 : 53 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 46 46 + + Note that there may have been earlier packets that also matched, + but the system where this example was captured used the default value of + the ip_pkt_list_tot xt_recent option + (20).