6 Parse the iptables file format as produced by iptables-save. The
7 resulting tree is fairly simple; in particular a rule is simply
8 a long list of options/switches and their values (if any).
10 This lens should be considered experimental.
(* Shared helpers from Util: the comment and blank-line lenses, plus the
   whitespace (del_ws_spc) and literal-string (del_str) deletions that the
   rest of this lens uses to consume separators without storing them. *)
13 let comment = Util.comment
14 let empty = Util.empty
16 let spc = Util.del_ws_spc
17 let dels = Util.del_str
(* A chain name is stored verbatim but only accepted if it consists solely
   of [A-Za-z0-9_-]; a name containing any other character (whitespace,
   quotes, shell metacharacters) is not matched by this lens. *)
19 let chain_name = store /[A-Za-z0-9_-]+/
21 let policy = [ label "policy" . store /ACCEPT|DROP|REJECT|-/ ] in
22 let counters_eol = del /[ \t]*(\[[0-9:]+\])?[ \t]*\n/ "\n" in
24 dels ":" . chain_name . spc . policy . counters_eol ]
26 let param (long:string) (short:string) =
28 spc . del (/--/ . long | /-/ . short) ("-" . short) . spc .
29 store /(![ \t]*)?[^ \t\n!-][^ \t\n]*/ ]
31 (* A negatable parameter, which can either be FTW
36 let neg_param (long:string) (short:string) =
38 [ spc . dels "!" . label "not" ]? .
39 spc . del (/--/ . long | /-/ . short) ("-" . short) . spc .
40 store /(![ \t]*)?[^ \t\n!-][^ \t\n]*/ ]
43 let flags = /SYN|ACK|FIN|RST|URG|PSH|ALL|NONE/ in
44 let flag_list (name:string) =
45 Build.opt_list [label name . store flags] (dels ",") in
47 spc . dels "--tcp-flags" .
48 spc . flag_list "mask" . spc . flag_list "set" ]
50 (* misses --set-counters *)
52 let any_key = /[a-zA-Z-][a-zA-Z0-9-]+/ -
53 /protocol|source|destination|jump|goto|in-interface|out-interface|fragment|match|tcp-flags/ in
54 let any_val = /([^" \t\n!-][^ \t\n]*)|"([^"\\\n]|\\\\.)*"/ in
56 [ [ spc . dels "!" . label "not" ]? .
57 spc . dels "--" . key any_key . (spc . store any_val)? ] in
58 (neg_param "protocol" "p"
59 |neg_param "source" "s"
60 |neg_param "destination" "d"
63 |neg_param "in-interface" "i"
64 |neg_param "out-interface" "o"
65 |neg_param "fragment" "f"
70 let chain_action (n:string) (o:string) =
72 del (/--/ . n | o) o .
73 spc . chain_name . ipt_match . eol ]
75 let table_rule = chain_action "append" "-A"
76 | chain_action "insert" "-I"
80 let table = [ del /\*/ "*" . label "table" . store /[a-z]+/ . eol .
81 (chain|comment|table_rule)* .
(* Top-level lens: the file is any sequence of comments, blank lines and
   tables; a line that matches none of these is not accepted. *)
84 let lns = (comment|empty|table)*
(* Only these three paths are transformed; iptables-save output kept at any
   other location needs its own incl entry before this lens will parse it. *)
85 let xfm = transform lns (incl "/etc/sysconfig/iptables"
86 . incl "/etc/sysconfig/iptables.save"
87 . incl "/etc/iptables-save")