src/op_mode/show_ipsec_sa.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

#!/usr/bin/env python3

import re
import subprocess

import tabulate
import hurry.filesize

def parse_conn_spec(s):
    # Example: ESTABLISHED 14 seconds ago, 10.0.0.2[foo]...10.0.0.1[10.0.0.1]
    return re.search(r'.*ESTABLISHED\s+(.*)ago,\s(.*)\[(.*)\]\.\.\.(.*)\[(.*)\].*', s).groups()

def parse_ike_line(s):
    try:
        # Example with traffic: AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 2382660 bytes_i (1789 pkts, 2s ago), 2382660 bytes_o ...
        return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i\s\(.*pkts,.*\),\s+(\d+)\s+bytes_o', s).groups()
    except AttributeError:
        try:
            # Example without traffic: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
            return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s).groups()
        except AttributeError:
            return (None, None, None, None, None)


# Get a list of all configured connections
with open('/etc/ipsec.conf', 'r') as f:
    config = f.read()
    connections = re.findall(r'conn\s([^\s]+)\s*\n', config)
    connections = list(filter(lambda s: s != '%default', connections))

status_data = []

for conn in connections:
    status = subprocess.check_output("ipsec statusall {0}".format(conn), shell=True).decode()
    if re.search(r'no match', status):
        status_line = [conn, "down", None, None, None, None, None]
    else:
        try:
            time, _, _, ip, id = parse_conn_spec(status)
            if ip == id:
                id = None
            enc, hash, dh, bytes_in, bytes_out = parse_ike_line(status)

            # Convert bytes to human-readable units
            bytes_in = hurry.filesize.size(bytes_in)
            bytes_out = hurry.filesize.size(bytes_out)

            status_line = [conn, "up", time, "{0}/{1}".format(bytes_in, bytes_out), ip, id, "{0}/{1}/{2}".format(enc, hash, dh)]
        except Exception as e:
            print(status)
            raise e
            status_line = [conn, None, None, None, None, None]

    status_line = list(map(lambda x: "N/A" if x is None else x, status_line))
    status_data.append(status_line)

headers = ["Connection", "State", "Up", "Bytes In/Out", "Remote address", "Remote ID", "Proposal"]
output = tabulate.tabulate(status_data, headers)
print(output)