-rw-r--r-- | iptables-xml.8 | 89 | ||||
-rw-r--r-- | iptables-xml.c | 26 | ||||
-rw-r--r-- | iptables.xslt | 5 |
3 files changed, 117 insertions, 3 deletions
diff --git a/iptables-xml.8 b/iptables-xml.8
new file mode 100644
index 00000000..2e4a3da3
--- /dev/null
+++ b/iptables-xml.8
@@ -0,0 +1,89 @@
+.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
+.\"
+.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
+.\" It is based on the iptables-save man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-xml \- Convert iptables-save format to XML
+.SH SYNOPSIS
+.BR "iptables-xml " "[-c] [-v]"
+.br
+.SH DESCRIPTION
+.PP
+.B iptables-xml
+is used to convert the output of iptables-save into an easily manipulatable
+XML format to STDOUT. Use I/O-redirection provided by your shell to write to
+a file.
+.TP
+\fB\-c\fR, \fB\-\-combine\fR
+combine consecutive rules with the same matches but different targets. iptables
+does not currently support more than one target per match, so this simulates
+that by collecting the targets from consecutive iptables rules into one action
+tag, but only when the rule matches are identical. Terminating actions like
+RETURN, DROP, ACCEPT and QUEUE are not combined with subsequent targets.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Output xml comments containing the iptables line from which the XML is derived
+
+.PP
+iptables-xml does a mechanistic conversion to a very expressive xml
+format; the only semantic considerations are for -g and -j targets in
+order to discriminate between <call> <goto> and <nane-of-target> as it
+helps xml processing scripts if they can tell the difference between a
+target like SNAT and another chain.
+
+Some sample output is:
+
+<iptables-rules>
+ <table name="mangle" >
+ <chain name="PREROUTING" policy="ACCEPT" packet-count="63436"
+byte-count="7137573" >
+ <rule >
+ <conditions>
+ <match >
+ <p >tcp</p>
+ </match>
+ <tcp >
+ <sport >8443</sport>
+ </tcp>
+ </conditions>
+ <actions>
+ <call >
+ <check_ip />
+ </call>
+ <ACCEPT/>
+ </actions>
+ </rule>
+ </chain>
+ </table>
+</iptables-rules>
+
+.PP
+Conversion from XML to iptables-save format may be done using the
+iptables.xslt script and xsltproc, or a custom program using
+libxsltproc or similar; in this fashion:
+
+xsltproc iptables.xslt my-iptables.xml | iptables-restore
+
+.SH BUGS
+None known as of iptables-1.3.7 release
+.SH AUTHOR
+Sam Liddicott <azez@ufomechanic.net>
+.SH SEE ALSO
+.BR iptables-save "(8), " iptables-restore "(8), " iptables "(8) "
+.PP
diff --git a/iptables-xml.c b/iptables-xml.c
index ce3049c2..71d52885 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -359,6 +359,18 @@ isTarget(char *arg)
 || strcmp((arg), "--goto") == 0));
 }
+// is it a terminating target like -j ACCEPT, etc
+// (or I guess -j SNAT in nat table, but we don't check for that yet
+static int
+isTerminatingTarget(char *arg)
+{
+ return ((arg)
+ && (strcmp((arg), "ACCEPT") == 0
+ || strcmp((arg), "DROP") == 0
+ || strcmp((arg), "QUEUE") == 0
+ || strcmp((arg), "RETURN") == 0));
+}
+
 // part=-1 means do conditions, part=1 means do rules, part=0 means do both
 static void
 do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
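Review bot: The target list in isTerminatingTarget leaves out REJECT, which ends rule traversal just as DROP does, so with -c a `-j REJECT` rule followed by a rule with identical matches is still merged into one XML rule carrying both actions, which misrepresents the ruleset to anyone auditing the XML. If the omission is deliberate the comment should say so; otherwise add `|| strcmp((arg), "REJECT") == 0` to the list and mention REJECT in the man page's --combine text, which names the same four targets. The nat-table targets the comment alludes to (SNAT and the like) presumably terminate there too, but the helper has no table context, so that limit is worth stating plainly, and the comment's opening parenthesis on its second line is never closed. The helper only reads the string and could take `const char *arg`, though isTarget just above uses the same non-const signature.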
@@ -536,7 +548,19 @@ compareRules()
 while (new < newargc && old < oldargc) {
 if (isTarget(oldargv[old]) && isTarget(newargv[new])) {
- compare = 1;
+ /* if oldarg was a terminating action then it makes no sense
+ * to combine further actions into the same xml */
+ if (((strcmp((oldargv[old]), "-j") == 0
+ || strcmp((oldargv[old]), "--jump") == 0)
+ && old+1 < oldargc
+ && isTerminatingTarget(oldargv[old+1]) )
+ || strcmp((oldargv[old]), "-g") == 0
+ || strcmp((oldargv[old]), "--goto") == 0 ) {
+ /* Previous rule had terminating action */
+ compare = 0;
+ } else {
+ compare = 1;
+ }
 break;
 }
 // break when old!=new
diff --git a/iptables.xslt b/iptables.xslt
index 4cf84191..07cec19c 100644
--- a/iptables.xslt
+++ b/iptables.xslt
@@ -44,7 +44,7 @@
 </xsl:template>
 <!-- all child action nodes -->
- <xsl:template match="iptables-rules/table/chain/rule/actions/*/*|iptables-rules/table/chain/rule/actions/*//*|iptables-rules/table/chain/rule/conditions/*/*|iptables-rules/table/chain/rule/conditions/*//*">
+ <xsl:template match="iptables-rules/table/chain/rule/actions//*|iptables-rules/table/chain/rule/conditions//*" priority="0">
 <xsl:if test="@invert=1"><xsl:text> !</xsl:text></xsl:if>
 <xsl:text> -</xsl:text>
 <!-- if length of name is 1 character, then only do 1 - not 2 -->
@@ -52,7 +52,8 @@
 <xsl:text>-</xsl:text>
 </xsl:if>
 <xsl:value-of select="name()"/>
- <xsl:text> </xsl:text><xsl:value-of select="."/>
+ <xsl:text> </xsl:text>
+ <xsl:apply-templates select="node()"/>
 </xsl:template>
 <xsl:template match="iptables-rules/table/chain/rule/actions/call/*|iptables-rules/table/chain/rule/actions/goto/*"> |
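Review bot: The seven-line condition that decides whether the previous rule ended in a terminating action is hard to read inside compareRules, whose body starts and ends outside this hunk; it would be clearer as a small predicate placed next to isTerminatingTarget, with the branch collapsing to `compare = isTerminatingAction(oldargv, old, oldargc) ? 0 : 1;`. The `old+1 < oldargc` guard is correct and must survive the move, since a `-j` with no following token would otherwise index past the end of the array. The comment `/* Previous rule had terminating action */` would say more as `/* previous rule's action ends traversal; do not merge the next one */`. The sketch below assumes oldargv is a plain array of `char *`, which is all the hunk shows.
```c
/* True when argv[i] is a "-j"/"--jump" to a terminating target
 * (see isTerminatingTarget) or a "-g"/"--goto"; a rule that ends
 * this way must not be combined with the rule that follows it. */
static int
isTerminatingAction(char **argv, int i, int argc)
{
	if (strcmp(argv[i], "-g") == 0 || strcmp(argv[i], "--goto") == 0)
		return 1;
	return (strcmp(argv[i], "-j") == 0 || strcmp(argv[i], "--jump") == 0)
	       && i + 1 < argc && isTerminatingTarget(argv[i + 1]);
}

/* … unchanged: compareRules up to the target comparison … */
		if (isTarget(oldargv[old]) && isTarget(newargv[new])) {
			/* previous rule's action ends traversal; do not merge the next one */
			compare = isTerminatingAction(oldargv, old, oldargc) ? 0 : 1;
			break;
		}
/* … unchanged: rest of compareRules … */
```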
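Review bot: The explicit `priority="0"` on the rewritten catch-all template is load-bearing but undocumented: `actions//*` and the `actions/call/*|actions/goto/*` template that follows it would otherwise both get XSLT's default priority of 0.5 for multi-step patterns, making children of call and goto an ambiguous match. A one-line comment above the template, such as `<!-- priority 0: the call/goto template below must win for its children -->`, would spell that out for the next editor. The second hunk's switch from `value-of select="."` to `apply-templates select="node()"` means child elements are now rendered by their own templates instead of being flattened to text, which looks intended but is worth noting in the same comment.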