[augeas-devel] augeas: master - Iptables: fix ticket #51

David Lutterkort lutter at fedoraproject.org
Sat Mar 28 04:01:38 UTC 2009


Gitweb:        http://git.fedorahosted.org/git/augeas.git?p=augeas.git;a=commitdiff;h=f6122be6d2b0ab41b2c8cc7a9c5fb247ee9badb3
Commit:        f6122be6d2b0ab41b2c8cc7a9c5fb247ee9badb3
Parent:        47b278290cffbd0f946d06b05d733ec30498476a
Author:        David Lutterkort <lutter at redhat.com>
AuthorDate:    Fri Mar 27 20:58:26 2009 -0700
Committer:     David Lutterkort <lutter at redhat.com>
CommitterDate: Fri Mar 27 20:58:26 2009 -0700

Iptables: fix ticket #51

 * allow more characters in chain names
 * allow comments mixed in with chains and rules
---
 lenses/iptables.aug               |    9 +++++----
 lenses/tests/test_iptables.aug    |   29 ++++++++++++++++++++++++++++-
 tests/root/etc/sysconfig/iptables |   10 ++++++++++
 3 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/lenses/iptables.aug b/lenses/iptables.aug
index 6a1810c..64a195e 100644
--- a/lenses/iptables.aug
+++ b/lenses/iptables.aug
@@ -16,11 +16,12 @@ let eol = Util.eol
 let spc = Util.del_ws_spc
 let dels = Util.del_str
 
+let chain_name = store /[A-Za-z0-9-]+/
 let chain =
-  let policy = [ label "policy" . store /ACCEPT|DROP|REJECT/ ] in
+  let policy = [ label "policy" . store /ACCEPT|DROP|REJECT|-/ ] in
   let counters_eol = del /[ \t]*(\[[0-9:]+\])?[ \t]*\n/ "\n" in
     [ label "chain" .
-        dels ":" . store /[A-Za-z]+/ . spc . policy . counters_eol ]
+        dels ":" . chain_name . spc . policy . counters_eol ]
 
 let param (long:string) (short:string) =
   [ label long .
@@ -48,11 +49,11 @@ let add_rule =
   let chain_action (n:string) (o:string) =
     [ label n .
         del (/--/ . n | o) o .
-        spc . store /[A-Z]+/ . ipt_match . eol ] in
+        spc . chain_name . ipt_match . eol ] in
     chain_action "append" "-A" | chain_action "insert" "-I"
 
 let table = [ del /\*/ "*" . label "table" . store /[a-z]+/ . eol .
-                chain* . add_rule* .
+                (chain|comment)* . (add_rule . comment*)* .
                 dels "COMMIT" . eol ]
 
 let lns = (comment|empty|table)*
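Review bot: The new `table` body on L54 admits comments between chains and rules but still not blank lines, because `empty` is only used at the `lns` level on L57; a hand-edited ruleset with an empty line separating the chain declarations from the rules will therefore still fail to parse as a whole, and Augeas will refuse to manage the file. If that is intentional, a comment on L54 such as `(* blank lines inside a table are not accepted; iptables-save never emits them *)` would make it explicit; otherwise `(chain|comment|empty)* . (add_rule . (comment|empty)*)*` should cover it, given that `comment` and `empty` are already used as alternatives on L57 and so must be disjoint. Note that `add_rule` continues outside the hunk, so I have not checked whether `ipt_match` itself tolerates trailing blank-only input.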
diff --git a/lenses/tests/test_iptables.aug b/lenses/tests/test_iptables.aug
index e9390bd..5faa0c3 100644
--- a/lenses/tests/test_iptables.aug
+++ b/lenses/tests/test_iptables.aug
@@ -62,6 +62,27 @@ test add_rule get
   { "append" = "INPUT"
       { "jump" = "REJECT" } { "reject-with" = "icmp-host-prohibited" } }
 
+test add_rule get
+  "-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT\n" =
+  { "append" = "RH-Firewall-1-INPUT"
+      { "protocol" = "icmp" }
+      { "icmp-type" = "any" }
+      { "jump" = "ACCEPT" } }
+
+test Iptables.table get "*filter
+:RH-Firewall-1-INPUT - [0:0]
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+COMMIT\n" =
+  { "table" = "filter"
+      { "chain" = "RH-Firewall-1-INPUT"
+          { "policy" = "-" } }
+      { "append" = "FORWARD"
+          { "jump" = "RH-Firewall-1-INPUT" } }
+      { "append" = "RH-Firewall-1-INPUT"
+          { "in-interface" = "lo" }
+          { "jump" = "ACCEPT" } } }
+
 let conf = "# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
 *filter
 :INPUT DROP [1:229]
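Review bot: The tests added on L66-L85 only exercise inputs the widened `chain_name` should accept; nothing pins what it must still reject, so a later regex change that lets an option flag or whitespace through would go unnoticed. A rejection case next to them, e.g. `test Iptables.table get "*filter\n:IN PUT ACCEPT [0:0]\nCOMMIT\n" = *` (if I recall correctly, `= *` marks an expected parse failure in the Augeas test syntax), would document the boundary. The `test Iptables.table` block on L73 could also carry a one-line comment stating that `-` is the policy iptables-save writes for user-defined chains, since that is the behaviour it is checking.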
@@ -86,8 +107,11 @@ COMMIT
 *nat
 :PREROUTING ACCEPT [1:229]
 :POSTROUTING ACCEPT [3:450]
+# The output chain
 :OUTPUT ACCEPT [3:450]
+# insert something
 --insert POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1 \t
+# and now commit
 COMMIT
 # Completed on Wed Apr 24 10:19:55 2002\n"
 
@@ -131,9 +155,12 @@ test Iptables.lns get conf =
   { "table" = "nat"
     { "chain" = "PREROUTING" { "policy" = "ACCEPT" } }
     { "chain" = "POSTROUTING" { "policy" = "ACCEPT" } }
+    { "#comment" = "The output chain" }
     { "chain" = "OUTPUT" { "policy" = "ACCEPT" } }
+    { "#comment" = "insert something" }
     { "insert" = "POSTROUTING"
       { "out-interface" = "eth0" }
       { "jump" = "SNAT" }
-      { "to-source" = "195.233.192.1" } } }
+      { "to-source" = "195.233.192.1" } }
+    { "#comment" = "and now commit" } }
   { "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }
diff --git a/tests/root/etc/sysconfig/iptables b/tests/root/etc/sysconfig/iptables
index 40714b1..1440488 100644
--- a/tests/root/etc/sysconfig/iptables
+++ b/tests/root/etc/sysconfig/iptables
@@ -4,6 +4,7 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
@@ -34,4 +35,13 @@
 -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
 COMMIT
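Review bot: The jumps to `RH-Firewall-1-INPUT` added on L132-L133 are placed after the terminal `-A INPUT -j REJECT` and `-A FORWARD -j REJECT` rules on L130-L131, so in a live ruleset they would never be reached; as lens test data this is harmless, but the fixture lives under tests/root/etc/sysconfig and reads like a real Fedora firewall file, so it may be copied as an example. Moving the two jump lines above the REJECT rules, or adding `# jump rules below are intentionally unreachable: parser fixture only`, would avoid that.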



