[augeas-devel] augeas: master - Iptables: new lens and test
David Lutterkort
lutter at fedoraproject.org
Tue Mar 17 23:20:20 UTC 2009
Gitweb: http://git.fedorahosted.org/git/augeas.git?p=augeas.git;a=commitdiff;h=6ca268b9e074744956bd2f5ad3ee7b349933653f
Commit: 6ca268b9e074744956bd2f5ad3ee7b349933653f
Parent: 5b7f5b28723c0ad8d2661f2380d88ce6528b3022
Author: David Lutterkort <lutter at redhat.com>
AuthorDate: Tue Mar 17 16:13:23 2009 -0700
Committer: David Lutterkort <lutter at redhat.com>
CommitterDate: Tue Mar 17 16:19:01 2009 -0700
Iptables: new lens and test
A fairly basic parse of the iptables config file. It should accept any
legal iptables config file; what makes it basic is that it doesn't break
some of the values down as finely as I would like to have them.
---
doc/naturaldocs/conf/lenses/Menu.txt | 1 +
lenses/iptables.aug | 59 ++++++++++++++
lenses/tests/test_iptables.aug | 139 ++++++++++++++++++++++++++++++++++
3 files changed, 199 insertions(+), 0 deletions(-)
diff --git a/doc/naturaldocs/conf/lenses/Menu.txt b/doc/naturaldocs/conf/lenses/Menu.txt
index 926b0af..5d71e72 100644
--- a/doc/naturaldocs/conf/lenses/Menu.txt
+++ b/doc/naturaldocs/conf/lenses/Menu.txt
@@ -55,6 +55,7 @@ Group: Specific Modules {
File: Dpkg (dpkg.aug)
File: Exports (exports.aug)
+ File: Iptables (iptables.aug)
File: Modprobe (modprobe.aug)
File: Services (services.aug)
File: Sshd (sshd.aug)
diff --git a/lenses/iptables.aug b/lenses/iptables.aug
new file mode 100644
index 0000000..6a1810c
--- /dev/null
+++ b/lenses/iptables.aug
@@ -0,0 +1,59 @@
+module Iptables =
+ autoload xfm
+
+(*
+Module: Iptables
+ Parse the iptables file format as produced by iptables-save. The
+ resulting tree is fairly simple; in particular a rule is simply
+ a long list of options/switches and their values (if any)
+
+ This lens should be considered experimental
+*)
+
+let comment = Util.comment
+let empty = Util.empty
+let eol = Util.eol
+let spc = Util.del_ws_spc
+let dels = Util.del_str
+
+let chain =
+ let policy = [ label "policy" . store /ACCEPT|DROP|REJECT/ ] in
+ let counters_eol = del /[ \t]*(\[[0-9:]+\])?[ \t]*\n/ "\n" in
+ [ label "chain" .
+ dels ":" . store /[A-Za-z]+/ . spc . policy . counters_eol ]
+
+let param (long:string) (short:string) =
+ [ label long .
+ spc . del (/--/ . long | /-/ . short) ("-" . short) . spc .
+ store /(![ \t]*)?[^ \t\n-][^ \t\n]*/ ]
+
+(* misses --set-counters *)
+let ipt_match =
+ let any_key = /[a-zA-Z-][a-zA-Z-]+/ -
+ /protocol|source|destination|jump|goto|in-interface|out-interface|fragment|match/ in
+ let any_param =
+ [ spc . dels "--" . key any_key . (spc . store /[^ \t\n-][^ \t\n]*/)? ] in
+ (param "protocol" "p"
+ |param "source" "s"
+ |param "destination" "d"
+ |param "jump" "j"
+ |param "goto" "g"
+ |param "in-interface" "i"
+ |param "out-interface" "o"
+ |param "fragment" "f"
+ |param "match" "m"
+ |any_param)*
+
+let add_rule =
+ let chain_action (n:string) (o:string) =
+ [ label n .
+ del (/--/ . n | o) o .
+ spc . store /[A-Z]+/ . ipt_match . eol ] in
+ chain_action "append" "-A" | chain_action "insert" "-I"
+
+let table = [ del /\*/ "*" . label "table" . store /[a-z]+/ . eol .
+ chain* . add_rule* .
+ dels "COMMIT" . eol ]
+
+let lns = (comment|empty|table)*
+let xfm = transform lns (incl "/etc/sysconfig/iptables")
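Review bot: User-defined chains cannot be parsed: `chain` stores the chain name as `/[A-Za-z]+/` and `policy` only admits `ACCEPT|DROP|REJECT`, while `chain_action` inside `add_rule` narrows the rule's chain name further to `/[A-Z]+/`, so iptables-save output such as `:my_chain - [0:0]` or `-A my_chain ...` (user chains carry `-` as their policy; `my_chain` is an illustrative name) is rejected, which contradicts the commit message's "any legal iptables config file". Widening both name stores to `store /[A-Za-z0-9_-]+/` and the policy to `store /ACCEPT|DROP|REJECT|-/` would accept them and also make the two chain-name regexes consistent with each other. A second, less urgent gap is that the value regexes in `param` and `any_param` stop at whitespace, so quoted values containing spaces (e.g. `-m comment --comment "..."` or `--log-prefix "..."`) are also rejected; since the header comment already marks the lens experimental, the `(* misses --set-counters *)` note could at least list these known limitations too. Because a parse failure makes Augeas refuse the whole file rather than mis-edit it, the impact is loss of manageability, not an unsafe write.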
diff --git a/lenses/tests/test_iptables.aug b/lenses/tests/test_iptables.aug
new file mode 100644
index 0000000..e9390bd
--- /dev/null
+++ b/lenses/tests/test_iptables.aug
@@ -0,0 +1,139 @@
+module Test_iptables =
+
+let add_rule = Iptables.add_rule
+let ipt_match = Iptables.ipt_match
+
+test add_rule get
+"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" =
+ { "append" = "INPUT"
+ { "match" = "state" }
+ { "state" = "ESTABLISHED,RELATED" }
+ { "jump" = "ACCEPT" } }
+
+test add_rule get
+"-A INPUT -p icmp -j \tACCEPT \n" =
+ { "append" = "INPUT"
+ { "protocol" = "icmp" }
+ { "jump" = "ACCEPT" } }
+
+test add_rule get
+"-A INPUT -i lo -j ACCEPT\n" =
+ { "append" = "INPUT"
+ { "in-interface" = "lo" }
+ { "jump" = "ACCEPT" } }
+
+test ipt_match get " -m tcp -p tcp --dport 53" =
+ { "match" = "tcp" } { "protocol" = "tcp" } { "dport" = "53" }
+
+let arule = " -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
+
+test add_rule get ("--append INPUT" . arule . "\n") =
+ { "append" = "INPUT"
+ { "match" = "state" }
+ { "state" = "NEW" }
+ { "match" = "tcp" }
+ { "protocol" = "tcp" }
+ { "dport" = "53" }
+ { "jump" = "ACCEPT" } }
+
+test ipt_match get arule =
+ { "match" = "state" } { "state" = "NEW" } { "match" = "tcp" }
+ { "protocol" = "tcp" } { "dport" = "53" } { "jump" = "ACCEPT" }
+
+test ipt_match get ("-A INPUT" . arule) = *
+
+test ipt_match get " -p esp -j ACCEPT" =
+ { "protocol" = "esp" } { "jump" = "ACCEPT" }
+
+test ipt_match get
+ " -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT"
+ =
+ { "match" = "state" } { "state" = "NEW" } { "match" = "udp" }
+ { "protocol" = "udp" } { "dport" = "5353" }
+ { "destination" = "224.0.0.251" } { "jump" = "ACCEPT" }
+
+test add_rule get
+ "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT\n" =
+ { "insert" = "FORWARD"
+ { "match" = "physdev" } { "physdev-is-bridged" } { "jump" = "ACCEPT" } }
+
+test add_rule get
+ "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n" =
+ { "append" = "INPUT"
+ { "jump" = "REJECT" } { "reject-with" = "icmp-host-prohibited" } }
+
+let conf = "# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
+*filter
+:INPUT DROP [1:229]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-I FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+--append OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+# Completed on Wed Apr 24 10:19:55 2002
+# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
+*mangle
+:PREROUTING ACCEPT [658:32445]
+:INPUT ACCEPT [658:32445]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [891:68234]
+:POSTROUTING ACCEPT [891:68234]
+COMMIT
+# Completed on Wed Apr 24 10:19:55 2002
+# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
+*nat
+:PREROUTING ACCEPT [1:229]
+:POSTROUTING ACCEPT [3:450]
+:OUTPUT ACCEPT [3:450]
+--insert POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1 \t
+COMMIT
+# Completed on Wed Apr 24 10:19:55 2002\n"
+
+test Iptables.lns get conf =
+ { "#comment" =
+ "Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002" }
+ { "table" = "filter"
+ { "chain" = "INPUT" { "policy" = "DROP" } }
+ { "chain" = "FORWARD" { "policy" = "DROP" } }
+ { "chain" = "OUTPUT" { "policy" = "DROP" } }
+ { "append" = "INPUT"
+ { "match" = "state" }
+ { "state" = "RELATED,ESTABLISHED" }
+ { "jump" = "ACCEPT" } }
+ { "insert" = "FORWARD"
+ { "in-interface" = "eth0" }
+ { "match" = "state" }
+ { "state" = "RELATED,ESTABLISHED" }
+ { "jump" = "ACCEPT" } }
+ { "append" = "FORWARD"
+ { "in-interface" = "eth1" }
+ { "match" = "state" }
+ { "state" = "NEW,RELATED,ESTABLISHED" }
+ { "jump" = "ACCEPT" } }
+ { "append" = "OUTPUT"
+ { "match" = "state" }
+ { "state" = "NEW,RELATED,ESTABLISHED" }
+ { "jump" = "ACCEPT" } } }
+ { "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }
+ { "#comment" =
+ "Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002" }
+ { "table" = "mangle"
+ { "chain" = "PREROUTING" { "policy" = "ACCEPT" } }
+ { "chain" = "INPUT" { "policy" = "ACCEPT" } }
+ { "chain" = "FORWARD" { "policy" = "ACCEPT" } }
+ { "chain" = "OUTPUT" { "policy" = "ACCEPT" } }
+ { "chain" = "POSTROUTING" { "policy" = "ACCEPT" } } }
+ { "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }
+ { "#comment" =
+ "Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002" }
+ { "table" = "nat"
+ { "chain" = "PREROUTING" { "policy" = "ACCEPT" } }
+ { "chain" = "POSTROUTING" { "policy" = "ACCEPT" } }
+ { "chain" = "OUTPUT" { "policy" = "ACCEPT" } }
+ { "insert" = "POSTROUTING"
+ { "out-interface" = "eth0" }
+ { "jump" = "SNAT" }
+ { "to-source" = "195.233.192.1" } } }
+ { "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }