From 79982776b088b66d4e84abb13015afd9e012fa53 Mon Sep 17 00:00:00 2001
From: "/C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net"
Date: Tue, 17 Jul 2007 17:02:04 +0000
Subject: [PATCH] iptables-xml
Attached are:
1. A man page for iptables-xml
2. A fix for iptables.xslt allowing for an arbitrary depth of arguments
or modifiers.
Although iptables-xml cannot generate more than two levels deep, xml
generated by other systems may prefer to generate
0xff00
than
0xff00
(which is what iptables-xml generates)
even though the same iptables is re-generated on conversion.
3. A fix for iptables-xml.c so that, when consecutive rules with the same
match are combined into one XML rule, the combination does not continue
past a terminating action; i.e. there is no point in converting
-A table -p tcp -j DROP
-A table -p tcp -j MARK --set-mark 25
-A table -p tcp -j RETURN
into one XML rule with multiple actions as they are probably not
logically combined in the mind of the author.
Signed-off by: Sam Liddicott
---
iptables-xml.8 | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
iptables-xml.c | 26 ++++++++++++++++-
iptables.xslt | 5 ++--
3 files changed, 117 insertions(+), 3 deletions(-)
create mode 100644 iptables-xml.8
diff --git a/iptables-xml.8 b/iptables-xml.8
new file mode 100644
index 0000000..2e4a3da
--- /dev/null
+++ b/iptables-xml.8
@@ -0,0 +1,89 @@
+.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
+.\"
+.\" Man page written by Sam Liddicott
+.\" It is based on the iptables-save man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-xml \- Convert iptables-save format to XML
+.SH SYNOPSIS
+.BR "iptables-xml " "[-c] [-v]"
+.br
+.SH DESCRIPTION
+.PP
+.B iptables-xml
+is used to convert the output of iptables-save into an easily manipulatable
+XML format to STDOUT. Use I/O-redirection provided by your shell to write to
+a file.
+.TP
+\fB\-c\fR, \fB\-\-combine\fR
+combine consecutive rules with the same matches but different targets. iptables
+does not currently support more than one target per match, so this simulates
+that by collecting the targets from consecutive iptables rules into one action
+tag, but only when the rule matches are identical. Terminating actions like
+RETURN, DROP, ACCEPT and QUEUE are not combined with subsequent targets.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Output xml comments containing the iptables line from which the XML is derived
+
+.PP
+iptables-xml does a mechanistic conversion to a very expressive xml
+format; the only semantic considerations are for -g and -j targets in
+order to discriminate between and as it
+helps xml processing scripts if they can tell the difference between a
+target like SNAT and another chain.
+
+Some sample output is:
+
+
+
+
+
+
+
+ tcp
+
+
+ 8443
+
+
+
+
+
+
+
+
+
+
+
+
+
+.PP
+Conversion from XML to iptables-save format may be done using the
+iptables.xslt script and xsltproc, or a custom program using
+libxsltproc or similar; in this fashion:
+
+xsltproc iptables.xslt my-iptables.xml | iptables-restore
+
+.SH BUGS
+None known as of iptables-1.3.7 release
+.SH AUTHOR
+Sam Liddicott
+.SH SEE ALSO
+.BR iptables-save "(8), " iptables-restore "(8), " iptables "(8) "
+.PP
diff --git a/iptables-xml.c b/iptables-xml.c
index ce3049c..71d5288 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -359,6 +359,18 @@ isTarget(char *arg)
|| strcmp((arg), "--goto") == 0));
}
+// is it a terminating target like -j ACCEPT, etc
+// (or I guess -j SNAT in nat table, but we don't check for that yet
+static int
+isTerminatingTarget(char *arg)
+{
+ return ((arg)
+ && (strcmp((arg), "ACCEPT") == 0
+ || strcmp((arg), "DROP") == 0
+ || strcmp((arg), "QUEUE") == 0
+ || strcmp((arg), "RETURN") == 0));
+}
+
// part=-1 means do conditions, part=1 means do rules, part=0 means do both
static void
do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
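Review bot: isTerminatingTarget() recognises ACCEPT, DROP, QUEUE and RETURN but not REJECT, which also ends traversal of the chain, so with -c a rule that follows `-j REJECT` is still merged into the same XML action; adding `|| strcmp((arg), "REJECT") == 0` to the list (and REJECT to the --combine paragraph of the new man page) closes that gap. The comment above the function is an unclosed parenthetical and could be replaced by `/* Targets that end chain traversal, so later rules must not be merged into this action; table-specific terminators such as SNAT/DNAT in nat are not recognised yet. */`. Since the function only reads its argument, `const char *arg` would document that, and the parentheses around `arg` are left over from a macro style and can go.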
@@ -536,7 +548,19 @@ compareRules()
while (new < newargc && old < oldargc) {
if (isTarget(oldargv[old]) && isTarget(newargv[new])) {
- compare = 1;
+ /* if oldarg was a terminating action then it makes no sense
+ * to combine further actions into the same xml */
+ if (((strcmp((oldargv[old]), "-j") == 0
+ || strcmp((oldargv[old]), "--jump") == 0)
+ && old+1 < oldargc
+ && isTerminatingTarget(oldargv[old+1]) )
+ || strcmp((oldargv[old]), "-g") == 0
+ || strcmp((oldargv[old]), "--goto") == 0 ) {
+ /* Previous rule had terminating action */
+ compare = 0;
+ } else {
+ compare = 1;
+ }
break;
}
// break when old!=new
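Review bot: The six-line condition that decides whether the previous rule's action was terminating is hard to read inside the comparison loop, and it re-implements the -j/--jump and -g/--goto matching that isTarget() already does two hunks above; moving it into a small static helper next to isTerminatingTarget() keeps compareRules() to the loop logic and lets the assignment collapse to `compare = !isTerminatingAction(oldargv, old, oldargc);`. compareRules() starts before this hunk, so the helper would go above it in the file; the `char **` parameter assumes oldargv is an array of `char *` like the `char *arg` that isTarget() takes — please confirm against its declaration. The bounds check `old+1 < oldargc` moves into the helper unchanged.
```c
/* True when argv[i] is an action that ends chain traversal: a goto, or a
 * jump to a target that isTerminatingTarget() recognises. */
static int
isTerminatingAction(char **argv, int i, int argc)
{
	if (strcmp(argv[i], "-g") == 0 || strcmp(argv[i], "--goto") == 0)
		return 1;
	return (strcmp(argv[i], "-j") == 0 || strcmp(argv[i], "--jump") == 0)
		&& i + 1 < argc
		&& isTerminatingTarget(argv[i + 1]);
}

/* … unchanged: start of compareRules() and the while loop header … */
		if (isTarget(oldargv[old]) && isTarget(newargv[new])) {
			/* a terminating action in the previous rule must not
			 * absorb the next rule's target into the same xml */
			compare = !isTerminatingAction(oldargv, old, oldargc);
			break;
		}
/* … unchanged: rest of the loop … */
```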
diff --git a/iptables.xslt b/iptables.xslt
index 4cf8419..07cec19 100644
--- a/iptables.xslt
+++ b/iptables.xslt
@@ -44,7 +44,7 @@
-
+
!
-
@@ -52,7 +52,8 @@
-
-
+
+
--
cgit v1.2.3