[netfilter-cvslog] r6910 - trunk/iptables

kaber at trash.net kaber at trash.net
Tue Jul 17 19:02:05 CEST 2007


Author: kaber at trash.net
Date: 2007-07-17 19:02:04 +0200 (Tue, 17 Jul 2007)
New Revision: 6910

Added:
   trunk/iptables/iptables-xml.8
Modified:
   trunk/iptables/iptables-xml.c
   trunk/iptables/iptables.xslt
Log:
[PATCH] iptables-xml

Attached are:
1. A man page for iptables-xml

2. A fix for iptables.xslt allowing for an arbitrary depth of arguments
or modifiers.

Although iptables-xml cannot generate more than two levels deep, xml
generated by other systems may prefer to generate

<action>
  <restore-mark>
    <mask>0xff00</mask>
  </restore-mark>
</action>

than

<action>
  <restore-mark/>
   <mask>0xff00</mask>
</action>

(which is what iptables-xml generates)
even though the same iptables is re-generated on conversion.

3. A fix for iptables-xml.c so that combining consecutive targets of
rules with the same match into one XML rule will not combine across a
terminating action; i.e. there is no point in converting

-A table -p tcp -j DROP
-A table -p tcp -j MARK --set-mark 25
-A table -p tcp -j RETURN

into one XML rule with multiple actions as they are probably not
logically combined in the mind of the author.


Signed-off by: Sam Liddicott <azez at ufomechanic.net>


Added: trunk/iptables/iptables-xml.8
===================================================================
--- trunk/iptables/iptables-xml.8	                        (rev 0)
+++ trunk/iptables/iptables-xml.8	2007-07-17 17:02:04 UTC (rev 6910)
@@ -0,0 +1,89 @@
+.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
+.\"
+.\" Man page written by Sam Liddicott <azez at ufomechanic.net>
+.\" It is based on the iptables-save man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-xml \- Convert iptables-save format to XML
+.SH SYNOPSIS
+.BR "iptables-xml " "[-c] [-v]"
+.br
+.SH DESCRIPTION
+.PP
+.B iptables-xml
+is used to convert the output of iptables-save into an easily manipulatable
+XML format to STDOUT.  Use I/O-redirection provided by your shell to write to 
+a file.
+.TP
+\fB\-c\fR, \fB\-\-combine\fR
+combine consecutive rules with the same matches but different targets. iptables
+does not currently support more than one target per match, so this simulates 
+that by collecting the targets from consecutive iptables rules into one action
+tag, but only when the rule matches are identical. Terminating actions like
+RETURN, DROP, ACCEPT and QUEUE are not combined with subsequent targets.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Output xml comments containing the iptables line from which the XML is derived
+
+.PP
+iptables-xml does a mechanistic conversion to a very expressive xml
+format; the only semantic considerations are for -g and -j targets in
+order to discriminate between <call> <goto> and <nane-of-target> as it
+helps xml processing scripts if they can tell the difference between a
+target like SNAT and another chain.
+
+Some sample output is:
+
+<iptables-rules>
+  <table name="mangle" >
+    <chain name="PREROUTING" policy="ACCEPT" packet-count="63436"
+byte-count="7137573" >
+      <rule >
+       <conditions>
+        <match >
+          <p >tcp</p>
+        </match>
+        <tcp >
+          <sport >8443</sport>
+        </tcp>
+       </conditions>
+       <actions>
+        <call >
+          <check_ip />
+        </call>
+        <ACCEPT/>
+       </actions>
+      </rule>
+    </chain>
+  </table>
+</iptables-rules>
+
+.PP
+Conversion from XML to iptables-save format may be done using the 
+iptables.xslt script and xsltproc, or a custom program using
+libxsltproc or similar; in this fashion:
+
+xsltproc iptables.xslt my-iptables.xml | iptables-restore
+
+.SH BUGS
+None known as of iptables-1.3.7 release
+.SH AUTHOR
+Sam Liddicott <azez at ufomechanic.net>
+.SH SEE ALSO
+.BR iptables-save "(8), " iptables-restore "(8), " iptables "(8) "
+.PP

Modified: trunk/iptables/iptables-xml.c
===================================================================
--- trunk/iptables/iptables-xml.c	2007-07-16 15:27:38 UTC (rev 6909)
+++ trunk/iptables/iptables-xml.c	2007-07-17 17:02:04 UTC (rev 6910)
@@ -359,6 +359,18 @@
 		    || strcmp((arg), "--goto") == 0));
 }
 
+// is it a terminating target like -j ACCEPT, etc
+// (or I guess -j SNAT in nat table, but we don't check for that yet
+static int
+isTerminatingTarget(char *arg)
+{
+	return ((arg)
+		&& (strcmp((arg), "ACCEPT") == 0
+		    || strcmp((arg), "DROP") == 0
+		    || strcmp((arg), "QUEUE") == 0
+		    || strcmp((arg), "RETURN") == 0));
+}
+
 // part=-1 means do conditions, part=1 means do rules, part=0 means do both
 static void
 do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
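Review bot: isTerminatingTarget() only reads its argument through strcmp, so the parameter should be `const char *arg`; the `(arg)` parentheses around a plain parameter are a macro-style leftover that a function does not need. The list of terminating targets omits REJECT, which also ends rule traversal, so a `-j REJECT` rule followed by another target on the same match will still be folded into one XML rule; adding `|| strcmp(arg, "REJECT") == 0` (and the same word to the man page's list) would close that gap, and the nat-table targets the comment mentions remain a known limitation. The parenthetical on the second comment line is never closed; `// (or -j SNAT in the nat table, which is not checked yet)` reads cleanly.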
@@ -536,7 +548,19 @@
 
 	while (new < newargc && old < oldargc) {
 		if (isTarget(oldargv[old]) && isTarget(newargv[new])) {
-			compare = 1;
+			/* if oldarg was a terminating action then it makes no sense
+			 * to combine further actions into the same xml */
+			if (((strcmp((oldargv[old]), "-j") == 0 
+					|| strcmp((oldargv[old]), "--jump") == 0) 
+				&& old+1 < oldargc
+				&& isTerminatingTarget(oldargv[old+1]) )
+			    || strcmp((oldargv[old]), "-g") == 0 
+			    || strcmp((oldargv[old]), "--goto") == 0 ) {
+				/* Previous rule had terminating action */	
+				compare = 0;
+			} else {
+				compare = 1;
+			}
 			break;
 		}
 		// break when old!=new
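Review bot: The condition introduced at the top of the target branch buries a simple rule — the previous action terminates when it is a goto, or a jump whose target isTerminatingTarget() accepts — under four strcmp calls and a bound check, and several of the new lines (including `compare = 0;`) carry trailing whitespace. Moving the test into a small static helper next to isTerminatingTarget() keeps the `old+1 < oldargc` bound check in one place and turns the branch into a single assignment. The enclosing function starts and ends outside the hunk.
```c
/* true when argv[idx] is a target option whose action ends rule
 * traversal, so later targets must not be folded into the same rule */
static int
isTerminatingAction(char **argv, int idx, int argc)
{
	if (strcmp(argv[idx], "-g") == 0 || strcmp(argv[idx], "--goto") == 0)
		return 1;
	return (strcmp(argv[idx], "-j") == 0 || strcmp(argv[idx], "--jump") == 0)
		&& idx + 1 < argc
		&& isTerminatingTarget(argv[idx + 1]);
}

/* … unchanged: loop head of the combine loop … */
		if (isTarget(oldargv[old]) && isTarget(newargv[new])) {
			/* a terminating action in the previous rule must not
			 * absorb the targets of the next one */
			compare = !isTerminatingAction(oldargv, old, oldargc);
			break;
		}
```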

Modified: trunk/iptables/iptables.xslt
===================================================================
--- trunk/iptables/iptables.xslt	2007-07-16 15:27:38 UTC (rev 6909)
+++ trunk/iptables/iptables.xslt	2007-07-17 17:02:04 UTC (rev 6910)
@@ -44,7 +44,7 @@
   </xsl:template>
   
   <!-- all child action nodes -->
-  <xsl:template match="iptables-rules/table/chain/rule/actions/*/*|iptables-rules/table/chain/rule/actions/*//*|iptables-rules/table/chain/rule/conditions/*/*|iptables-rules/table/chain/rule/conditions/*//*">
+  <xsl:template match="iptables-rules/table/chain/rule/actions//*|iptables-rules/table/chain/rule/conditions//*" priority="0">
     <xsl:if test="@invert=1"><xsl:text> !</xsl:text></xsl:if>
     <xsl:text> -</xsl:text>
     <!-- if length of name is 1 character, then only do 1 - not 2 -->
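Review bot: The new `priority="0"` on the descendant template is doing real work but nothing says why it is there: a multi-step pattern such as `actions//*` would otherwise appear to get the default priority 0.5 and compete with the more specific `actions/call/*|actions/goto/*` template further down. A comment beside the match line, `<!-- priority 0 so the more specific call/goto templates below take precedence -->`, would keep a later editor from dropping the attribute and silently changing which template renders call and goto children.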
@@ -52,7 +52,8 @@
       <xsl:text>-</xsl:text>
     </xsl:if>
     <xsl:value-of select="name()"/>
-    <xsl:text> </xsl:text><xsl:value-of select="."/>
+    <xsl:text> </xsl:text>
+    <xsl:apply-templates select="node()"/>
   </xsl:template>
 
   <xsl:template match="iptables-rules/table/chain/rule/actions/call/*|iptables-rules/table/chain/rule/actions/goto/*">
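Review bot: Replacing `<xsl:value-of select="."/>` with `<xsl:apply-templates select="node()"/>` changes what is emitted for an element that has child elements: the old form printed the concatenated string value once, whereas the new form renders each child element through the descendant template and copies every text node — including the indentation whitespace between nested elements — via the built-in text template. Unless the stylesheet declares `<xsl:strip-space elements="*"/>` at top level (not visible in this hunk), nested input like the restore-mark example in the log would carry its newlines and spaces into the generated iptables-save line. If that declaration is not already present it should be added alongside this change.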



