[augeas-devel] augeas: master - Iptables: fix ticket #51
David Lutterkort
lutter at fedoraproject.org
Sat Mar 28 04:01:38 UTC 2009
Gitweb: http://git.fedorahosted.org/git/augeas.git?p=augeas.git;a=commitdiff;h=f6122be6d2b0ab41b2c8cc7a9c5fb247ee9badb3
Commit: f6122be6d2b0ab41b2c8cc7a9c5fb247ee9badb3
Parent: 47b278290cffbd0f946d06b05d733ec30498476a
Author: David Lutterkort <lutter at redhat.com>
AuthorDate: Fri Mar 27 20:58:26 2009 -0700
Committer: David Lutterkort <lutter at redhat.com>
CommitterDate: Fri Mar 27 20:58:26 2009 -0700
Iptables: fix ticket #51
* allow more characters in chain names
* allow comments mixed in with chains and rules
---
lenses/iptables.aug | 9 +++++----
lenses/tests/test_iptables.aug | 29 ++++++++++++++++++++++++++++-
tests/root/etc/sysconfig/iptables | 10 ++++++++++
3 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/lenses/iptables.aug b/lenses/iptables.aug
index 6a1810c..64a195e 100644
--- a/lenses/iptables.aug
+++ b/lenses/iptables.aug
@@ -16,11 +16,12 @@ let eol = Util.eol
let spc = Util.del_ws_spc
let dels = Util.del_str
+let chain_name = store /[A-Za-z0-9-]+/
let chain =
- let policy = [ label "policy" . store /ACCEPT|DROP|REJECT/ ] in
+ let policy = [ label "policy" . store /ACCEPT|DROP|REJECT|-/ ] in
let counters_eol = del /[ \t]*(\[[0-9:]+\])?[ \t]*\n/ "\n" in
[ label "chain" .
- dels ":" . store /[A-Za-z]+/ . spc . policy . counters_eol ]
+ dels ":" . chain_name . spc . policy . counters_eol ]
let param (long:string) (short:string) =
[ label long .
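Review bot: The new `chain_name` (`let chain_name = store /[A-Za-z0-9-]+/`) still rejects underscores and dots, which iptables accepts in user-defined chain names and which tools such as fail2ban or container runtimes commonly emit; a file containing one fails to parse and Augeas refuses to manage it. That failure is fail-closed (nothing is written back), which is the right default for a firewall file, but the restriction should be deliberate rather than accidental. Since `chain_name` is shared by the `:CHAIN` declaration here and the `-A`/`-I` target in the next hunk, widening it once covers both: `let chain_name = store /[A-Za-z0-9_.-]+/`. Either way a one-line comment above the definition would help, e.g. `(* chain name: no whitespace; iptables allows letters, digits, '-', '_' and '.' *)`.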
@@ -48,11 +49,11 @@ let add_rule =
let chain_action (n:string) (o:string) =
[ label n .
del (/--/ . n | o) o .
- spc . store /[A-Z]+/ . ipt_match . eol ] in
+ spc . chain_name . ipt_match . eol ] in
chain_action "append" "-A" | chain_action "insert" "-I"
let table = [ del /\*/ "*" . label "table" . store /[a-z]+/ . eol .
- chain* . add_rule* .
+ (chain|comment)* . (add_rule . comment*)* .
dels "COMMIT" . eol ]
let lns = (comment|empty|table)*
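Review bot: The new `(chain|comment)* . (add_rule . comment*)*` in `table` accepts comment lines inside a table but still no blank lines, while `lns` on the next line tolerates `empty` between tables; a hand-edited file with a blank line between the `:CHAIN` declarations and the `-A` rules therefore fails to parse as a whole. If blank lines are meant to be allowed, `(chain|comment|empty)* . (add_rule . (comment|empty)*)*` would do it; if they are deliberately rejected, a comment saying so would save the next reader the question. Separately, `chain_action` now stores the `-A`/`-I` target through `chain_name`, but `-I` may be followed by an optional rule number (`-I INPUT 3 ...`); whether `ipt_match` (defined outside this hunk) consumes that number cannot be seen here, and a test for that form would settle it.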
diff --git a/lenses/tests/test_iptables.aug b/lenses/tests/test_iptables.aug
index e9390bd..5faa0c3 100644
--- a/lenses/tests/test_iptables.aug
+++ b/lenses/tests/test_iptables.aug
@@ -62,6 +62,27 @@ test add_rule get
{ "append" = "INPUT"
{ "jump" = "REJECT" } { "reject-with" = "icmp-host-prohibited" } }
+test add_rule get
+ "-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT\n" =
+ { "append" = "RH-Firewall-1-INPUT"
+ { "protocol" = "icmp" }
+ { "icmp-type" = "any" }
+ { "jump" = "ACCEPT" } }
+
+test Iptables.table get "*filter
+:RH-Firewall-1-INPUT - [0:0]
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+COMMIT\n" =
+ { "table" = "filter"
+ { "chain" = "RH-Firewall-1-INPUT"
+ { "policy" = "-" } }
+ { "append" = "FORWARD"
+ { "jump" = "RH-Firewall-1-INPUT" } }
+ { "append" = "RH-Firewall-1-INPUT"
+ { "in-interface" = "lo" }
+ { "jump" = "ACCEPT" } } }
+
let conf = "# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*filter
:INPUT DROP [1:229]
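Review bot: The new `Iptables.table get` test only exercises the read direction, yet the lens also writes these files and `counters_eol` deletes the `[0:0]` counters with a `"\n"` default, so a `put` test would confirm that the counters of an existing user-chain line survive an unrelated edit instead of being silently rewritten. Something like the following, assuming the `jump` parameter's store accepts `DROP`, pins that down; the rest of the test file is unchanged.
```augeas
test Iptables.table put "*filter
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
COMMIT\n" after set "/append/jump" "DROP" = "*filter
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j DROP
COMMIT\n"
```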
@@ -86,8 +107,11 @@ COMMIT
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:450]
+# The output chain
:OUTPUT ACCEPT [3:450]
+# insert something
--insert POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1 \t
+# and now commit
COMMIT
# Completed on Wed Apr 24 10:19:55 2002\n"
@@ -131,9 +155,12 @@ test Iptables.lns get conf =
{ "table" = "nat"
{ "chain" = "PREROUTING" { "policy" = "ACCEPT" } }
{ "chain" = "POSTROUTING" { "policy" = "ACCEPT" } }
+ { "#comment" = "The output chain" }
{ "chain" = "OUTPUT" { "policy" = "ACCEPT" } }
+ { "#comment" = "insert something" }
{ "insert" = "POSTROUTING"
{ "out-interface" = "eth0" }
{ "jump" = "SNAT" }
- { "to-source" = "195.233.192.1" } } }
+ { "to-source" = "195.233.192.1" } }
+ { "#comment" = "and now commit" } }
{ "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }
diff --git a/tests/root/etc/sysconfig/iptables b/tests/root/etc/sysconfig/iptables
index 40714b1..1440488 100644
--- a/tests/root/etc/sysconfig/iptables
+++ b/tests/root/etc/sysconfig/iptables
@@ -4,6 +4,7 @@
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
@@ -34,4 +35,13 @@
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
COMMIT