ALT Linux sysadmins discussion
* [Sysadmins] IA: script to migrate iptables state to etcnet/fw
@ 2006-02-22 20:33 Michael Shigorin
From: Michael Shigorin @ 2006-02-22 20:33 UTC (permalink / raw)
  To: sysadmins; +Cc: ruby


[-- Attachment #1.1: Type: text/plain, Size: 790 bytes --]

	Hello.
Attached is the initial version of a small script intended to migrate
the iptables state into an etcnet configuration (etcnet is what ALT
Linux 3.0+ currently uses) [1].

The plan is to add a converter that uses the human-readable syntax
from recent versions of etcnet [2].

I have some vague thoughts about adding a Rule class and something
nice inside it; on the other hand, writing a validator is not a goal.

Also noticed along the way: the wrapper around /sbin/iptables [3] is
completely useless in this case. :)

[1] http://linux.kiev.ua/~mike/works/misc/iptables2etcnet/
[2] http://wiki.sisyphus.ru/admin/etcnet/firewall
[3] http://raa.ruby-lang.org/project/iptctl/

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

[-- Attachment #1.2: ipt2etcnet.rb --]
[-- Type: text/plain, Size: 1677 bytes --]

#!/usr/bin/env ruby
# a script to convert _currently_ active iptables rules as dumped by
# iptables-save into the /etc/net per-table, per-chain layout (one file per
# chain under fw/iptables/<table>/, built-in filter policies in fw/options)
# as documented in http://wiki.sisyphus.ru/admin/etcnet/firewall#h468-6 [ru]
# Copyleft 2006 by Michael Shigorin <mike@osdn.org.ua>

require "fileutils"
require_relative "iptables-save"	# Iptables/Table/Chain containers

DEBUG = true

# with DEBUG, read a saved dump from the file "iptables" in the current
# directory instead of the live ruleset (which needs root)
IPT_SAVE = DEBUG ? "/bin/cat iptables" : "/sbin/iptables-save"
SYNTAX = "/etc/net/ifaces/default/fw/iptables/syntax"
FWOUTDIR = "ifaces/default/fw/iptables"

# chain names are whitelisted to [A-Za-z0-9_-] so that nothing containing
# "/" or ".." can end up in a file name below; NEWRULE must use the same
# class as NEWCHAIN, otherwise rules for chains with "-" in the name would
# silently be dropped.  The policy field is "-" for user-defined chains.
NEWTABLE = /^\*([a-z]+)$/
NEWCHAIN = /^:([A-Za-z0-9_-]+) (\S+) \[(\d+):(\d+)\]$/
NEWRULE = /^-A ([A-Za-z0-9_-]+) (.*)$/
HEADER = /^(# Generated by .*)$/
COMMIT = /^COMMIT$/

tables = Iptables.new
chains = Table.new(nil)

# slurp existing rules
IO.popen(IPT_SAVE) do |rules|
	rules.each_line do |line|
		case line
		when NEWTABLE then chains = Table.new($1)	# see appropriate regexp
		when NEWCHAIN then chains.add(Chain.new($1, $2))
		when NEWRULE
			chain = chains[$1] or abort("rule for unknown chain #{$1}: #{line}")
			chain.add($2.strip)
		when COMMIT   then tables.add(chains.commit)
		end
	end
end
# a failed iptables-save (e.g. run without root) would otherwise produce
# an empty configuration, i.e. a firewall with no rules at all
abort("#{IPT_SAVE} failed") unless $?.success?

# OK, now flush them out
tables.each do |table|
	tabledir = File.join(FWOUTDIR, table.name)		# one dir per table
	FileUtils.mkdir_p(tabledir)
	table.each do |chain|
		File.open(File.join(tabledir, chain.name), "w") do |f|
			chain.each do |rule|
				f.puts(rule)
			end
		end
	end
end

# FIXME: figure out what's up with other policies
# only the three built-in filter chains get a policy line; user-defined
# chains have policy "-" and nat/mangle policies are not carried over yet
filter = tables["filter"] or abort("no filter table in #{IPT_SAVE} output")
File.open(File.join(FWOUTDIR, "..", "options"), "w") do |f|
	filter.each do |chain|
		case chain.name
		when "INPUT", "OUTPUT", "FORWARD"
			f.puts("IPTABLES_#{chain.name}_POLICY=#{chain.policy}")
		end
	end
end

[-- Attachment #1.3: iptables-save.rb --]
[-- Type: text/plain, Size: 996 bytes --]

#!/usr/bin/env ruby
# simple library to accommodate iptables-save data: an Iptables holds
# Tables, a Table holds Chains, a Chain holds rule strings; every level is
# an Array of named items that can also be looked up by name
# Copyleft 2006 by Michael Shigorin <mike@osdn.org.ua>

class ArrayExt < Array

	def initialize(name = nil)
		super()
		@name = name
	end

	attr_reader :name

	def add(item)	# push another one onto the stack
		self << item
	end

	def list	# returns an array of my object names
		map { |x| x.name }
	end

	def [](key)		# Pickaxe example ;-)
		return super if key.kind_of?(Integer)	# plain indexing still works
		find { |x| x.name == key }		# nil if there is no such name
	end

	def inspect; "<#{name}> #{super}"; end

end


class Iptables < ArrayExt; end


class Table < ArrayExt

	def initialize(name)
		super(name)
		@committed = false
	end

	attr_reader :committed

	def add(chain)	# a table already seen up to COMMIT takes no more chains
		self << chain unless @committed
	end

	def commit
		@committed = true
		self
	end

end


class Chain < ArrayExt

	# iptables-save reports the policy as "-" for user-defined chains
	def initialize(name, policy = "ACCEPT")
		super(name)
		@policy = policy
	end

	attr_reader :policy

end

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
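The conversion the script above performs, as an added worked example that is not part of the original post or of etcnet: it parses an iptables-save dump into the same per-table, per-chain layout, but refuses to produce a partial ruleset when the dump is unexpected (a rule for an undeclared chain, a missing COMMIT, any `-A` line the regexps did not capture), which is the failure mode the script's FIXMEs leave open. `SAMPLE_DUMP` is constructed for this example, not captured from a real host, and the `fw/iptables/<table>/<chain>` and `fw/options` paths mirror the script's output, not a verified etcnet specification.

```ruby
# Added example, not code from the original post: parse an iptables-save dump
# into the per-table/per-chain layout ipt2etcnet.rb writes, with the checks
# its FIXMEs leave open (unknown chains, silently dropped rules, a truncated
# dump). SAMPLE_DUMP is a constructed dump, not captured from a real host.
require "fileutils"
require "tmpdir"

SAMPLE_DUMP = <<~DUMP
  # Generated by iptables-save v1.3.5 on Wed Feb 22 20:33:00 2006
  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  :in-web - [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 80,443 -j in-web
  -A in-web -s 10.0.0.0/8 -j ACCEPT
  -A in-web -j DROP
  COMMIT
DUMP

# One whitelist for chain names in both the ":" and "-A" lines, so a rule can
# never name a chain the ":" regexp would reject, and no "/" or ".." can
# ever reach File.join below.
CHAIN_NAME = /[A-Za-z0-9_-]+/
TABLE_LINE = /\A\*([a-z]+)\z/
CHAIN_LINE = /\A:(#{CHAIN_NAME}) (\S+) \[\d+:\d+\]\z/   # policy is "-" for user chains
RULE_LINE  = /\A-A (#{CHAIN_NAME}) (.*)\z/

# Returns {"filter" => {policies: {"INPUT" => "DROP", ...},
#                       chains: {"INPUT" => ["-i lo -j ACCEPT", ...]}}, ...}
# and raises instead of producing a partial ruleset on anything unexpected.
def parse_iptables_save(text)
  tables = {}
  table = nil
  text.each_line do |raw|
    line = raw.chomp
    case line
    when TABLE_LINE then table = tables[$1] = { policies: {}, chains: {} }
    when CHAIN_LINE
      raise "chain outside a table: #{line}" unless table
      table[:policies][$1] = $2
      table[:chains][$1] = []
    when RULE_LINE
      raise "rule outside a table: #{line}" unless table
      chain = table[:chains][$1] or raise "rule for undeclared chain #{$1}: #{line}"
      chain << $2.strip
    when "COMMIT" then table = nil
    when "", /\A#/ then next                 # blank lines and comments
    else raise "unrecognised line: #{line}"
    end
  end
  raise "dump ended without COMMIT" if table
  # every "-A" line must have been stored; a regexp mismatch would otherwise
  # drop rules silently, the worst failure mode for a firewall migration
  expected = text.scan(/^-A /).length
  stored = tables.values.sum { |t| t[:chains].values.sum(&:length) }
  raise "lost rules: #{expected} in dump, #{stored} stored" unless stored == expected
  tables
end

# Write root/fw/iptables/<table>/<chain> (one rule per line) and root/fw/options
# with the built-in filter policies, as ipt2etcnet.rb does. Returns the
# relative paths written, sorted.
def write_etcnet_tree(tables, root)
  written = []
  tables.each do |tname, t|
    dir = File.join(root, "fw", "iptables", tname)
    FileUtils.mkdir_p(dir)            # no shell involved; names are whitelisted anyway
    t[:chains].each do |cname, rules|
      File.write(File.join(dir, cname), rules.map { |r| "#{r}\n" }.join)
      written << File.join("fw", "iptables", tname, cname)
    end
  end
  opts = File.join(root, "fw", "options")
  FileUtils.mkdir_p(File.dirname(opts))
  File.open(opts, "w") do |f|
    %w[INPUT FORWARD OUTPUT].each do |c|
      pol = tables.dig("filter", :policies, c) or next
      f.puts "IPTABLES_#{c}_POLICY=#{pol}"
    end
  end
  (written << "fw/options").sort
end

if __FILE__ == $0
  tables = parse_iptables_save(SAMPLE_DUMP)
  Dir.mktmpdir("ipt2etcnet") do |root|
    write_etcnet_tree(tables, root).each { |f| puts f }
    puts File.read(File.join(root, "fw", "options"))
  end
end
```

Run as `ruby ipt2etcnet_example.rb`; it prints the files it would create under a temporary directory and the policy lines. Replacing `SAMPLE_DUMP` with `` `iptables-save` `` (as root) converts the live ruleset; because every rule is counted and every chain reference checked before anything is written, a regexp that fails to match a line aborts the migration instead of quietly leaving that rule out of the new firewall.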
