Mailing List Archive: iptables: Devel

[PATCH] iptables-xml



azez at ufomechanic

Jul 16, 2007, 3:10 AM

Post #1 of 3 (632 views)
[PATCH] iptables-xml

Attached are:
1. A man page for iptables-xml

2. A fix for iptables.xslt allowing for an arbitrary depth of arguments
or modifiers.

Although iptables-xml cannot generate more than two levels deep, xml
generated by other systems may prefer to generate

<action>
<restore-mark>
<mask>0xff00</mask>
</restore-mark>
</action>

than

<action>
<restore-mark/>
<mask>0xff00</mask>
</action>

(which is what iptables-xml generates)
even though the same iptables is re-generated on conversion.

3. A fix for iptables-xml.c so that combining of consecutive targets of
rules with the same match into one XML rule, will not combine over a
terminating action; i.e. there is no point in converting

-A table -p tcp -j DROP
-A table -p tcp -j MARK --set-mark 25
-A table -p tcp -j RETURN

into one XML rule with multiple actions as they are probably not
logically combined in the mind of the author.


Signed-off-by: Sam Liddicott <azez [at] ufomechanic>
Attachments: iptables.xslt.diff (1.06 KB)
  iptables-xml.8.diff (3.08 KB)
  iptables-xml.c.diff (1.32 KB)
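The target-combining rule described in item (3), as an added Python example that is not part of the patch or of iptables-xml itself. The `parse_rule`/`combine_rules` names, the simplified XML layout and the set of targets treated as terminating are assumptions; consecutive rules with the same match are merged into one XML rule, and a terminating target closes its group so nothing is merged over it.

```python
# Added example, not iptables-xml's own code: merge consecutive rules that
# share a match into one XML <rule> with several <action> children, but never
# combine past a terminating target (the behaviour fix (3) describes).
import re
import xml.etree.ElementTree as ET

# Assumed set of targets that end rule traversal; the post names DROP and RETURN.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

def parse_rule(line):
    """Split '-A chain <match...> -j TARGET [args...]' into its parts."""
    m = re.match(r"-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)\s*(.*)$", line.strip())
    if not m:
        raise ValueError("unsupported rule line: %r" % line)
    chain, match, target, args = m.groups()
    return chain, match, target, args.split()

def combine_rules(lines):
    """Return [(chain, match, [(target, args), ...]), ...] groups.

    A rule joins the previous group only if chain and match are identical and
    the previous group's last target is not terminating.
    """
    groups = []
    for line in lines:
        chain, match, target, args = parse_rule(line)
        last = groups[-1] if groups else None
        if (last is not None and last[0] == chain and last[1] == match
                and last[2][-1][0] not in TERMINATING):
            last[2].append((target, args))
        else:
            groups.append((chain, match, [(target, args)]))
    return groups

def to_xml(groups):
    """Render groups in a simplified, assumed XML shape (not the real schema)."""
    root = ET.Element("iptables-rules")
    for chain, match, actions in groups:
        rule = ET.SubElement(root, "rule", chain=chain)
        ET.SubElement(rule, "match").text = match
        for target, args in actions:
            ET.SubElement(rule, "action", target=target).text = " ".join(args)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the DROP must split the tcp rules into two XML rules.
SAMPLE = [
    "-A table -p tcp -j MARK --set-mark 25",
    "-A table -p tcp -j CONNMARK --save-mark",
    "-A table -p tcp -j DROP",
    "-A table -p tcp -j MARK --set-mark 26",
    "-A table -p tcp -j RETURN",
    "-A table -p udp -j ACCEPT",
]

if __name__ == "__main__":
    print(to_xml(combine_rules(SAMPLE)))
```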


kaber at trash

Jul 17, 2007, 8:10 AM

Post #2 of 3 (588 views)
Re: [PATCH] iptables-xml [In reply to]

Amin Azez wrote:
> Attached are:
> 1. A man page for iptables-xml
>
> 2. A fix for iptables.xslt allowing for an arbitrary depth of arguments
> or modifiers.
>
> Although iptables-xml cannot generate more than two levels deep, xml
> generated by other systems may prefer to generate
>
> <action>
> <restore-mark>
> <mask>0xff00</mask>
> </restore-mark>
> </action>
>
> than
>
> <action>
> <restore-mark/>
> <mask>0xff00</mask>
> </action>
>
> (which is what iptables-xml generates)
> even though the same iptables is re-generated on conversion.
>
> 3. A fix for iptables-xml.c so that combining of consecutive targets of
> rules with the same match into one XML rule, will not combine over a
> terminating action; i.e. there is no point in converting
>
> -A table -p tcp -j DROP
> -A table -p tcp -j MARK --set-mark 25
> -A table -p tcp -j RETURN
>
> into one XML rule with multiple actions as they are probably not
> logically combined in the mind of the author.


I assume these changes are compatible with previous versions?


kaber at trash

Jul 17, 2007, 8:54 AM

Post #3 of 3 (586 views)
Re: [PATCH] iptables-xml [In reply to]

Amin Azez wrote:
> * Patrick McHardy wrote, On 17/07/07 16:10:
>
>>I assume these changes are compatible with previous versions?
>>
>
> Yes, although (3) indicates a change in behaviour,
> a. nothing here will prevent previously generated xml from forming the
> same iptables rules.
> b. although slightly different xml may be generated (due to different
> target combining with the -c switch), the new or old xslt will still
> generate the same iptables rules from the new xml.


OK, I trust you know what you're doing (when it comes to XML,
I certainly don't :))

Applied.
