From: Michael Shigorin <mike@osdn.org.ua>
To: sysadmins@lists.altlinux.org
Cc: ruby@lists.altlinux.org
Subject: [Sysadmins] IA: script to migrate iptables state to etcnet/fw
Date: Wed, 22 Feb 2006 22:33:37 +0200
Message-ID: <20060222203337.GZ12404@osdn.org.ua>

[-- Attachment #1.1: Type: text/plain, Size: 790 bytes --]

Hello.

Attaching the initial version of a small script intended to migrate the
iptables state into an etcnet configuration (currently used in ALT Linux
3.0+) [1]. The plan is to finish the converter using the human readable
syntax from recent versions of etcnet [2].

I have been mulling over adding a Rule class and something nice in it; on
the other hand, there is no goal of writing a validator.

Also noticed along the way: a wrapper around /sbin/iptables [3], completely
useless in this case. :)

[1] http://linux.kiev.ua/~mike/works/misc/iptables2etcnet/
[2] http://wiki.sisyphus.ru/admin/etcnet/firewall
[3] http://raa.ruby-lang.org/project/iptctl/

--
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

[-- Attachment #1.2: ipt2etcnet.rb --]
[-- Type: text/plain, Size: 1677 bytes --]

#!/usr/bin/env ruby
# a script to convert _currently_ active iptables rules as dumped by
# iptables-save into /etc/net "human readable" format as documented
# in http://wiki.sisyphus.ru/admin/etcnet/firewall#h468-6 [ru]
# Copyleft 2006 by Michael Shigorin <mike@osdn.org.ua>

require "fileutils"
require_relative "iptables-save"   # the helper library attached below

DEBUG = true
#IPT_SAVE = "/sbin/iptables-save"
IPT_SAVE = "/bin/cat iptables"   # read a saved dump instead of the live kernel state
SYNTAX = "/etc/net/ifaces/default/fw/iptables/syntax"
FWOUTDIR = "ifaces/default/fw/iptables"

NEWTABLE = /^\*([a-z]+)$/
# the policy field is "-" for user-defined chains, hence \S+ rather than \w+
NEWCHAIN = /^:([A-Za-z0-9_-]+) (\S+) \[(\d+):(\d+)\]$/
NEWRULE = /^-A ([A-Za-z0-9_-]+) (.*)$/
HEADER = /^(# Generated by .*)$/
COMMIT = /^COMMIT$/

tables = Iptables.new
chains = Table.new(nil)

# slurp existing rules
# FIXME: exception handling
IO.popen(IPT_SAVE) do |rules|
  rules.each do |line|
    case line
    when NEWTABLE then chains = Table.new($1)   # see appropriate regexp
    when NEWCHAIN then chains.add(Chain.new($1, $2))
    when NEWRULE then chains[$1].add($2.strip)   # chains are declared before their rules
    when COMMIT then tables.add(chains.commit)
    end
  end
end

# OK, now flush them out
# FIXME: IO errors handling!
tables.each do |table|
  tabledir = File.join(FWOUTDIR, table.name)   # one dir per table
  FileUtils.mkdir_p(tabledir)
  table.each do |chain|
    File.open(File.join(tabledir, chain.name), "w") do |f|   # one file per chain
      chain.each do |rule|
        f.puts(rule)
      end
    end
  end
end

# FIXME: figure out what's up with other policies
File.open(File.join(FWOUTDIR, "..", "options"), "w") do |f|
  tables["filter"].each do |chain|
    case chain.name
    when "INPUT", "OUTPUT", "FORWARD"
      f.puts("IPTABLES_#{chain.name}_POLICY=#{chain.policy}")
    end
  end
end

[-- Attachment #1.3: iptables-save.rb --]
[-- Type: text/plain, Size: 996 bytes --]

#!/usr/bin/env ruby
# simple library to accommodate iptables-save data
# Copyleft 2006 by Michael Shigorin <mike@osdn.org.ua>

class ArrayExt < Array
  def initialize(name = nil)
    super()
    @name = name
  end
  attr_reader :name

  def add(item)   # push another one onto the stack
    self << item
  end

  def list   # returns an array of my object names
    collect { |x| x.name }
  end

  def [](key)   # Pickaxe example ;-)
    return super if key.kind_of?(Integer)   # keep ordinary index access working
    find { |x| x.name == key }              # otherwise look up by name
  end

  def inspect; "<#{name}> #{super}"; end
end

class Iptables < ArrayExt; end

class Table < ArrayExt
  def initialize(name)
    super(name)
    @committed = false
  end
  attr_reader :committed

  def add(chain)
    self << chain unless @committed
  end

  def commit
    @committed = true
    self
  end
end

class Chain < ArrayExt
  def initialize(name, policy = "ACCEPT")
    super(name)
    @policy = policy
  end
  attr_reader :policy
end

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
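The attached script splits an iptables-save dump into tables, chains and rules and writes them out as etcnet files; what it does not do is check that the result is loadable. The following is an added example, not code from the post, that parses the same dump format into a plain Hash and runs one pre-migration sanity check: every "-j TARGET" must name either a built-in target or a chain declared in the same table, otherwise iptables-restore will reject the migrated rule set. The dump text, the BUILTIN_TARGETS list and the function names are constructed for this example.

```ruby
#!/usr/bin/env ruby
# Added example (not the script from the post): parse an iptables-save dump
# into tables -> chains -> {policy, rules} and flag rules whose jump target
# exists in neither the built-in list nor the table's declared chains.
# The dump below is constructed sample input.

SAMPLE_DUMP = <<~DUMP
  # Generated by iptables-save v1.3.5 on Wed Feb 22 22:00:00 2006
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  :ssh_in - [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -p tcp --dport 22 -j ssh_in
  -A INPUT -j LOG --log-prefix "input-drop: "
  -A FORWARD -j no_such_chain
  -A ssh_in -s 192.0.2.0/24 -j ACCEPT
  -A ssh_in -j DROP
  COMMIT
  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT
DUMP

NEWTABLE = /^\*([a-z]+)$/
NEWCHAIN = /^:([A-Za-z0-9_-]+) (\S+) \[(\d+):(\d+)\]$/   # policy is "-" for user chains
NEWRULE  = /^-A ([A-Za-z0-9_-]+) (.*)$/
COMMIT   = /^COMMIT$/

# Targets that are not user chains (built-ins plus common extension targets);
# an assumed list, extend it for the modules in use.
BUILTIN_TARGETS = %w[ACCEPT DROP REJECT RETURN LOG MASQUERADE SNAT DNAT REDIRECT MARK QUEUE].freeze

# Returns { "filter" => { "INPUT" => { policy: "DROP", rules: [...] }, ... }, ... }
def parse_iptables_save(text)
  tables = {}
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    case line
    when NEWTABLE then current = tables[$1] = {}
    when NEWCHAIN
      raise "chain declared before any table" unless current
      current[$1] = { policy: $2, rules: [] }
    when NEWRULE
      raise "rule before any table" unless current
      chain = current[$1] or raise "rule for undeclared chain #{$1}"
      chain[:rules] << $2.strip   # rule order within a chain is significant
    when COMMIT then current = nil
    end
  end
  tables
end

# Returns "table/chain: rule" strings whose -j target is neither a built-in
# target nor a chain declared in the same table.
def dangling_jumps(tables)
  problems = []
  tables.each do |tname, chains|
    chains.each do |cname, chain|
      chain[:rules].each do |rule|
        target = rule[/(?:^|\s)-j (\S+)/, 1] or next   # rules without -j fall through
        next if BUILTIN_TARGETS.include?(target) || chains.key?(target)
        problems << "#{tname}/#{cname}: #{rule}"
      end
    end
  end
  problems
end

# Policy lines in the form the post's script writes to the etcnet options
# file, for the built-in filter chains only (user chains have policy "-").
def policy_lines(tables)
  builtin = %w[INPUT OUTPUT FORWARD]
  tables.fetch("filter", {}).select { |name, _| builtin.include?(name) }
        .map { |name, chain| "IPTABLES_#{name}_POLICY=#{chain[:policy]}" }
end

if __FILE__ == $0
  tables = parse_iptables_save(SAMPLE_DUMP)
  puts policy_lines(tables)
  dangling_jumps(tables).each { |p| warn "dangling jump: #{p}" }
end
```

Run against a real dump by replacing SAMPLE_DUMP with the output of iptables-save; a non-empty result from dangling_jumps means the dump references a chain that was never declared, which the attached script would silently copy into a per-chain file and iptables-restore would later refuse.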