path: root/iptables-xml.8
author: Sam Liddicott <> 2007-07-17 17:02:04 +0000
committer: Patrick McHardy <> 2007-07-17 17:02:04 +0000
commit: 8e52815a55692d657aeca7f8ecf656cd65dcfce0
tree: 878bfcb064752ccc5b81211fff49daf6bf2fdb1c /iptables-xml.8
parent: 115ce7a1c3cf65164a29597862ff099101ed8e95
Attached are:

1. A man page for iptables-xml

2. A fix for iptables.xslt allowing for an arbitrary depth of arguments or modifiers. Although iptables-xml cannot generate more than two levels deep, xml generated by other systems may prefer to generate

<action> <restore-mark> <mask>0xff00</mask> </restore-mark> </action>

than

<action> <restore-mark/> <mask>0xff00</mask> </action>

(which is what iptables-xml generates) even though the same iptables is re-generated on conversion.

3. A fix for iptables-xml.c so that combining of consecutive targets of rules with the same match into one XML rule will not combine over a terminating action; i.e. there is no point in converting

-A table -p tcp -j DROP
-A table -p tcp -j MARK --set-mark 25
-A table -p tcp -j RETURN

into one XML rule with multiple actions as they are probably not logically combined in the mind of the author.

Signed-off by: Sam Liddicott <>
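The combining behaviour described in item 3, as an added Python model that is not part of this patch or of iptables-xml itself (which is written in C): it parses a constructed iptables-save snippet, merges consecutive rules with an identical chain and match clause into one rule carrying several actions, and closes the run as soon as a terminating target is seen, so a DROP is never merged with the MARK that follows it. The TERMINATING set takes the four targets the man page names plus REJECT, which is an assumption made here; the element layout produced by to_xml is a simplified sketch modelled on the man page sample, not iptables-xml's real schema.

```python
"""Model of iptables-xml's -c/--combine merging (added example, not the
project's code).  Consecutive rules in one chain with identical match
tokens become one rule with several actions, but a terminating target
ends the run so later rules are never folded in behind it."""

import shlex
import xml.etree.ElementTree as ET

# Targets after which chain traversal stops.  The man page names RETURN,
# DROP, ACCEPT and QUEUE; REJECT is added here as an assumption, since it
# also ends traversal of the chain.
TERMINATING = {"ACCEPT", "DROP", "RETURN", "QUEUE", "REJECT"}

# Constructed iptables-save snippet (not captured from a real host).
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --sport 8443 -j MARK --set-mark 1
-A PREROUTING -p tcp --sport 8443 -j CONNMARK --save-mark
-A PREROUTING -p tcp --sport 8443 -j DROP
-A PREROUTING -p tcp --sport 8443 -j MARK --set-mark 25
-A PREROUTING -p tcp --sport 8443 -j RETURN
-A PREROUTING -p udp -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Split one '-A chain <match> -j|-g TARGET [opts]' line into
    (chain, match_tokens, target_kind, target_tokens).  Lines that are
    not rule appends (table, chain policy, COMMIT) return None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, rest = tokens[1], tokens[2:]
    for i, tok in enumerate(rest):
        if tok in ("-j", "-g"):
            return chain, tuple(rest[:i]), tok, tuple(rest[i + 1:])
    return chain, tuple(rest), None, ()  # match-only rule, no target


def combine(text):
    """Return [(chain, match_tokens, [action, ...]), ...].  A rule joins
    the previous group only if chain and match are identical AND the
    previous group has not been closed by a terminating -j target."""
    groups = []
    closed = True  # nothing to join yet
    for raw in text.splitlines():
        parsed = parse_rule(raw.strip())
        if parsed is None:
            closed = True  # table/chain/COMMIT lines break any run
            continue
        chain, match, kind, target = parsed
        actions = []
        if kind == "-g":
            actions.append("goto " + " ".join(target))
        elif kind == "-j":
            actions.append(" ".join(target))
        if (not closed and groups
                and groups[-1][0] == chain and groups[-1][1] == match):
            groups[-1][2].extend(actions)
        else:
            groups.append((chain, match, actions))
        # Only a -j to a terminating target closes the group; -g always
        # continues in the other chain and so is not terminating here.
        closed = kind == "-j" and len(target) > 0 and target[0] in TERMINATING
    return groups


def to_xml(groups):
    """Render the merged rules as <rule chain=...><conditions><match/>
    </conditions><actions><action/>...</actions></rule>; a simplified
    layout after the man page sample, not iptables-xml's exact output."""
    root = ET.Element("ruleset")
    for chain, match, actions in groups:
        rule = ET.SubElement(root, "rule", chain=chain)
        cond = ET.SubElement(rule, "conditions")
        ET.SubElement(cond, "match").text = " ".join(match)
        acts = ET.SubElement(rule, "actions")
        for act in actions:
            ET.SubElement(acts, "action").text = act
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for chain, match, actions in combine(SAMPLE):
        print(chain, " ".join(match), "->", " | ".join(actions))
    print(to_xml(combine(SAMPLE)))
```

Run it and the six sample rules collapse to three: the first tcp run stops at DROP, the second at RETURN, and the udp ACCEPT stands alone. Swap DROP for a non-terminating target such as LOG and the first five rules merge into one rule with five actions, which is the behaviour item 3 sets out to prevent.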
Diffstat (limited to 'iptables-xml.8')
1 files changed, 89 insertions, 0 deletions
diff --git a/iptables-xml.8 b/iptables-xml.8
new file mode 100644
index 00000000..2e4a3da3
--- /dev/null
+++ b/iptables-xml.8
@@ -0,0 +1,89 @@
+.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
+.\" Man page written by Sam Liddicott <>
+.\" It is based on the iptables-save man page.
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" GNU General Public License for more details.
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+iptables-xml \- Convert iptables-save format to XML
+.BR "iptables-xml " "[-c] [-v]"
+.B iptables-xml
+is used to convert the output of iptables-save into an easily manipulatable
+XML format to STDOUT. Use I/O-redirection provided by your shell to write to
+a file.
+\fB\-c\fR, \fB\-\-combine\fR
+combine consecutive rules with the same matches but different targets. iptables
+does not currently support more than one target per match, so this simulates
+that by collecting the targets from consecutive iptables rules into one action
+tag, but only when the rule matches are identical. Terminating actions like
+RETURN, DROP, ACCEPT and QUEUE are not combined with subsequent targets.
+\fB\-v\fR, \fB\-\-verbose\fR
+Output xml comments containing the iptables line from which the XML is derived
+iptables-xml does a mechanistic conversion to a very expressive xml
+format; the only semantic considerations are for -g and -j targets in
+order to discriminate between <call> <goto> and <nane-of-target> as it
+helps xml processing scripts if they can tell the difference between a
+target like SNAT and another chain.
+Some sample output is:
+ <table name="mangle" >
+ <chain name="PREROUTING" policy="ACCEPT" packet-count="63436"
+byte-count="7137573" >
+ <rule >
+ <conditions>
+ <match >
+ <p >tcp</p>
+ </match>
+ <tcp >
+ <sport >8443</sport>
+ </tcp>
+ </conditions>
+ <actions>
+ <call >
+ <check_ip />
+ </call>
+ </actions>
+ </rule>
+ </chain>
+ </table>
+Conversion from XML to iptables-save format may be done using the
+iptables.xslt script and xsltproc, or a custom program using
+libxsltproc or similar; in this fashion:
+xsltproc iptables.xslt my-iptables.xml | iptables-restore
+None known as of iptables-1.3.7 release
+Sam Liddicott <>
+.BR iptables-save "(8), " iptables-restore "(8), " iptables "(8) "
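Review bot: the terminating-target list in the -c/--combine text (RETURN, DROP, ACCEPT, QUEUE) needs to match whatever set iptables-xml.c actually stops at; REJECT also ends chain traversal, and if the code does not treat it as terminating, a REJECT followed by another rule with the same match would be folded into one <actions> block, which is exactly the misleading merge this option is meant to avoid, so either add it to both the code and the list or state the omission. Smaller points in the same hunk: "<nane-of-target>" should read "<name-of-target>"; "libxsltproc or similar" should be libxslt, since xsltproc is only the command-line front end; and the -v option text runs straight into the description paragraph ("...the XML is derived iptables-xml does a mechanistic conversion") without a full stop. The hunk as shown carries no .SH headers, while the diffstat reports 89 insertions against 60 visible lines, so if the NAME, SYNOPSIS, DESCRIPTION, OPTIONS, BUGS, AUTHOR and SEE ALSO headers are not among the lines omitted here they need adding for man(1) to render the page.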