Use 'ip -s xfrm' to dump the SPD and SAD

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-17 14:43:16 -08:00 · 2016-12-17 14:43:16 -08:00 · 03a9b92a14
commit 03a9b92a14
parent b3b637d663
1 changed files with 17 additions and 6 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -1583,6 +1583,19 @@ show_status() {

 }

+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+
 #
 # Dump Command Executor
 #
@ -1733,12 +1746,10 @@ do_dump_command() {
    heading "Events"
    show_events

-    if qt mywhich setkey; then
-	heading "PFKEY SPD"
-	setkey -DP
-	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
-    fi
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys

    heading "/proc"
    show_proc /proc/version