More robust detection of empty SPD entries.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2017-10-14 15:48:28 -07:00
parent 7b9f7c095d
commit f1975ae9b0
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10


@ -1137,26 +1137,31 @@ show_a_macro() {
cat ${directory}/macro.$1 cat ${directory}/macro.$1
} }
# #
# Don't dump empty SPD entries # Don't dump empty SPD entries or entries from the other address family
# #
spd_filter4() spd_filter() {
{ #
awk \ # af = Address Family (4 or 6)
'BEGIN { skip=0; }; \ # afok = Address Family of entry matches af
/^src/ { skip=0; }; \ # p = print the contents of A (entry is not empty)
/^src 0.0.0.0\/0 dst 0.0.0.0\/0 uid 0$/ { skip=1; }; \ # i = Number of lines stored in A
/src .*:/ { skip=1; }; \ #
{ if ( skip == 0 ) print; };' awk -v af=$g_family \
} 'function prnt(A,i, j) { while ( j < i ) print A[j++]; };\
\
spd_filter6() /^src / { if (p) prnt( A, i );\
{ afok = 1;\
awk \ p = 0;\
'BEGIN { skip=0; }; \ i = 0;\
/^src/ { skip=0; }; \ if ( af == 4 )\
/^src ::\/0 dst ::\/0 uid 0$/ { skip=1; }; \ { if ( /:/ ) afok = 0; }\
/src .*\./ { skip=1; }; \ else\
{ if ( skip == 0 ) print; };' { if ( /\./ ) afok = 0; }\
};\
{ if ( afok ) A[i++] = $0; };\
/tmpl/ { p = afok; };\
\
END { if (p) prnt( A, i ); }'
} }
# #
# Print a heading with leading and trailing black lines # Print a heading with leading and trailing black lines
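Review bot: The `/tmpl/ { p = afok; }` rule in the new spd_filter awk script is unanchored, so any line of the `ip xfrm policy` output containing the substring "tmpl" marks the current entry as non-empty, whereas the template lines the rule is meant to detect start (after indentation) with the word; `/^[[:space:]]*tmpl / { p = afok; }` pins it to those lines and keeps the "empty entry" test from depending on unrelated text. The header comment lists the awk variables but never says what "empty" means here; a line such as `# An entry is empty if it has no tmpl line; only non-empty entries of family af are printed` would make the contract explicit. The family check also only inspects the `src` line for a `:` (af=4) or a `.` (af=6), so under af=6 an entry whose src line carries a dotted form (for example an IPv4-mapped IPv6 address) would presumably be dropped as foreign — worth confirming that this is acceptable. Minor: `-v af=$g_family` should be `-v af="$g_family"` for consistency with the rest of the script's quoting.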
@ -1169,12 +1174,7 @@ heading() {
show_ipsec() { show_ipsec() {
heading "PFKEY SPD" heading "PFKEY SPD"
$IP -s -$g_family xfrm policy | spd_filter
if [ $g_family = 4 ]; then
$IP -s -4 xfrm policy | spd_filter4
else
$IP -s -6 xfrm policy | spd_filter6
fi
heading "PFKEY SAD" heading "PFKEY SAD"
$IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys