Implement 'show policies' command

Shorewall/Perl/Shorewall/Compiler.pm

@@ -459,6 +459,10 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
+    emit 'cat > ${VARDIR}/policies << __EOF__';
+    save_policies;
+    emit_unindented '__EOF__';
+
     pop_indent;
 
     emit "fi\n";

Shorewall/Perl/Shorewall/Policy.pm

@@ -32,7 +32,7 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
 our @EXPORT_OK = qw(  );
 our $VERSION = '4.4_1';
 
@@ -273,6 +273,21 @@ sub process_a_policy() {
     }
 }
 
+sub save_policies() {
+    for my $zone1 ( all_zones ) {
+	for my $zone2 ( all_zones ) {
+	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
+	    my $policyref = $filter_table->{ $chainref->{policychain} };
+
+	    if ( $policyref->{referenced} ) {
+		emit_unindented "$zone1 \t=> $zone2 is " . $policyref->{policy} . ' using chain ' . $policyref->{name};
+	    } else {
+		emit_unindented "$zone1 \t=> $zone2 is " . $policyref->{policy};
+	    }
+	}
+    }
+}	    
+
 sub validate_policy()
 {
     our %validpolicies = (

Shorewall/changelog.txt

@@ -14,6 +14,8 @@ Changes in Shorewall 4.4.4
 
 7)  Suppress duplicate COMMENT warnings.
 
+8)  Implement 'show policies' command.
+
 Changes in Shorewall 4.4.3
 
 1)  Move Debian INITLOG initialization to /etc/default/shorewall

Shorewall/lib.cli

@@ -560,6 +560,12 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+	policies)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo
+	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in

Shorewall/releasenotes.txt

@@ -275,6 +275,18 @@ None.
 
 	COMMENTs ignored -- require comment support in iptables/Netfilter
 
+6)  The shorewall and shorewall6 utilities now support a 'show
+    policies' command. Once Shorewall or Shorewall6 has been restarted
+    using a script generated by this version, the 'show policies'
+    command will list each pair of zones and give the applicable
+    policy. If the policy is enforced in a chain, the name of the chain
+    is given.
+
+    Example:
+
+	net 	=> loc is DROP using chain net2loc
+
+
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   I N   4 . 4 . 0
 ----------------------------------------------------------------------------

Shorewall/shorewall

@@ -1387,6 +1387,7 @@ usage() # $1 = exit status
     echo "   show [ -m ] log"
     echo "   show macros"
     echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show policies"
     echo "   show tc"
     echo "   show vardir"
     echo "   show zones"

Shorewall6/shorewall6

@@ -1289,7 +1289,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ <directory> ]"
     echo "   stop [ -f ]"
     echo "   status"

manpages/shorewall.xml

@@ -498,6 +498,18 @@
       <arg choice="req"><option>mangle|nat|raw</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>show</option></arg>
+
+      <arg choice="plain"><option>policies</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -1272,6 +1284,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">policies</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
+                between each pair of zones.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">raw</emphasis></term>
 

manpages6/shorewall6.xml

@@ -401,6 +401,18 @@
       choice="req"><option>actions|classifiers|connections|config|filters|macros|zones</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>show</option></arg>
+
+      <arg choice="plain"><option>policies</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -1081,15 +1093,11 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">nat</emphasis></term>
+              <term><emphasis role="bold">policies</emphasis></term>
 
               <listitem>
-                <para>Displays the Netfilter nat table using the command
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
-                <emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.The
+                between each pair of zones.</para>
-                <emphasis role="bold">-x</emphasis> option is passed directly
-                through to ip6tables and causes actual packet and byte counts
-                to be displayed. Without this option, those counts are
-                abbreviated.</para>
               </listitem>
             </varlistentry>