Don't dump SPD entries for the other address family

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-12-23 14:48:51 +01:00 · 2017-10-14 13:39:00 -07:00 · 2017-10-14 13:39:00 -07:00 · 7b9f7c095d
commit 7b9f7c095d
parent 8ea96098bf
1 changed files with 18 additions and 2 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -1139,13 +1139,23 @@ show_a_macro() {
 #
 # Don't dump empty SPD entries
 #
-spd_filter()
+spd_filter4()
 {
    awk \
    'BEGIN                                  { skip=0; }; \
    /^src/                                  { skip=0; }; \
    /^src 0.0.0.0\/0 dst 0.0.0.0\/0 uid 0$/ { skip=1; }; \
+    /src .*:/                               { skip=1; }; \
+                                            { if ( skip == 0 ) print; };'
+}
+
+spd_filter6()
+{
+    awk \
+    'BEGIN                                  { skip=0; }; \
+    /^src/                                  { skip=0; }; \
    /^src ::\/0 dst ::\/0 uid 0$/           { skip=1; }; \
+    /src .*\./                              { skip=1; }; \
                                            { if ( skip == 0 ) print; };'
 }
 #
@ -1159,7 +1169,13 @@ heading() {

 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s -$g_family xfrm policy | spd_filter
+
+    if [ $g_family = 4 ]; then
+	$IP -s -4 xfrm policy | spd_filter4
+    else
+	$IP -s -6 xfrm policy | spd_filter6
+    fi
+
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }