summaryrefslogtreecommitdiff
path: root/src/op_mode/show_ipsec_sa.py
blob: 70e892aa631b86d24a82c472e117dd8e2403cf2e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/usr/bin/env python3
#
# Copyright (C) 2019 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import re
import sys

import vici
import tabulate
import hurry.filesize

import vyos.util


try:
    session = vici.Session()
    sas = session.list_sas()
except PermissionError:
    print("You do not have a permission to connect to the IPsec daemon")
    sys.exit(1)
except ConnectionRefusedError:
    print("IPsec is not runing")
    sys.exit(1)
except Exception as e:
    print("An error occured: {0}".format(e))
    sys.exit(1)

sa_data = []

for sa in sas:
    # list_sas() returns a list of single-item dicts
    for peer in sa:
        parent_sa = sa[peer]

        if parent_sa["state"] == b"ESTABLISHED":
            state = "up"
        else:
            state = "down"

        if state == "up":
            uptime = vyos.util.seconds_to_human(parent_sa["established"].decode())
        else:
            uptime = "N/A"

        remote_host = parent_sa["remote-host"].decode()
        remote_id = parent_sa["remote-id"].decode()

        if remote_host == remote_id:
            remote_id = "N/A"

        # The counters can only be obtained from the child SAs
        child_sas = parent_sa["child-sas"]
        installed_sas = {k: v for k, v in child_sas.items() if v["state"] == b"INSTALLED"}

        if not installed_sas:
            data = [peer, state, "N/A", "N/A", "N/A", "N/A", "N/A", "N/A"]
            sa_data.append(data)
        else:
            for csa in installed_sas:
                isa = installed_sas[csa]

                bytes_in = hurry.filesize.size(int(isa["bytes-in"].decode()))
                bytes_out = hurry.filesize.size(int(isa["bytes-out"].decode()))
                bytes_str = "{0}/{1}".format(bytes_in, bytes_out)

                pkts_in = hurry.filesize.size(int(isa["packets-in"].decode()), system=hurry.filesize.si)
                pkts_out = hurry.filesize.size(int(isa["packets-out"].decode()), system=hurry.filesize.si)
                pkts_str = "{0}/{1}".format(pkts_in, pkts_out)
                # Remove B from <1K values
                pkts_str = re.sub(r'B', r'', pkts_str)

                enc = isa["encr-alg"].decode()
                key_size = isa["encr-keysize"].decode()
                if "integ-alg" in isa:
                    hash = isa["integ-alg"].decode()
                else:
                    hash = ""
                if "dh-group" in isa:
                    dh_group = isa["dh-group"].decode()
                else:
                    dh_group = ""
                proposal = "{0}_{1}".format(enc, key_size)
                if hash:
                    proposal = "{0}/{1}".format(proposal, hash)
                if dh_group:
                    proposal = "{0}/{1}".format(proposal, dh_group)

                data = [peer, state, uptime, bytes_str, pkts_str, remote_host, remote_id, proposal]
                sa_data.append(data)

headers = ["Connection", "State", "Uptime", "Bytes In/Out", "Packets In/Out", "Remote address", "Remote ID", "Proposal"]
output = tabulate.tabulate(sa_data, headers)
print(output)