Date: Wed, 22 Feb 2006 22:33:37 +0200
From: Michael Shigorin
To: sysadmins@lists.altlinux.org
Cc: ruby@lists.altlinux.org
Message-ID: <20060222203337.GZ12404@osdn.org.ua>
Subject: [Sysadmins] IA: script to migrate iptables state to etcnet/fw

Hello.

Attaching an initial version of a small script intended for migrating iptables state into etcnet configuration (currently used in ALT Linux 3.0+) [1]. The plan is to extend the converter to use the human readable syntax from recent etcnet versions [2].

I've been mulling over adding a Rule class and something nice inside it; on the other hand, there is no goal of writing a validator.

Also something noticed along the way: a wrapper around /sbin/iptables [3], completely useless in this case. :)

[1] http://linux.kiev.ua/~mike/works/misc/iptables2etcnet/
[2] http://wiki.sisyphus.ru/admin/etcnet/firewall
[3] http://raa.ruby-lang.org/project/iptctl/

--
---- WBR, Michael Shigorin ------ Linux.Kiev http://www.linux.kiev.ua/

-------- attachment: ipt2etcnet.rb --------

#!/usr/bin/env ruby
# a script to convert _currently_ active iptables rules as dumped by
# iptables-save into /etc/net "human readable" format as documented
# in http://wiki.sisyphus.ru/admin/etcnet/firewall#h468-6 [ru]
# Copyleft 2006 by Michael Shigorin

require "fileutils"
# the original used require "iptables-save.rb", which relied on "." being
# in the load path; require_relative works on current Ruby as well
require_relative "iptables-save"

DEBUG = true                       # not used yet
#IPT_SAVE = "/sbin/iptables-save"  # the real source of rules
IPT_SAVE = "/bin/cat iptables"     # debug stand-in: a saved dump in ./iptables
SYNTAX = "/etc/net/ifaces/default/fw/iptables/syntax"  # not used yet
FWOUTDIR = "ifaces/default/fw/iptables"

# iptables-save line formats; see iptables-save(8) output
NEWTABLE = /^\*([a-z]+)$/
# policy is a word for built-in chains and "-" for user-defined ones,
# so \S+ rather than \w+ is needed to pick up user chains at all
NEWCHAIN = /^:([A-Za-z0-9_-]+) (\S+) \[(\d+):(\d+)\]$/
# chain names may contain "-", same character class as NEWCHAIN
NEWRULE = /^-A ([A-Za-z0-9_-]+) (.*)$/
HEADER = /^(# Generated by .*)$/   # not used yet
COMMIT = /^COMMIT$/

tables = Iptables.new
chains = Table.new(nil)

# slurp existing rules
# FIXME: exception handling
IO.popen(IPT_SAVE) do |rules|
  rules.each do |line|
    case line
    when NEWTABLE then chains = Table.new($1)          # see appropriate regexp
    when NEWCHAIN then chains.add(Chain.new($1, $2))
    when NEWRULE  then chains[$1].add($2.strip)
    when COMMIT   then tables.add(chains.commit)
    end
  end
end

# OK, now flush them out
# FIXME: IO errors handling!
tables.each do |table|
  tabledir = File.join(FWOUTDIR, table.name)
  # one dir per table (FileUtils instead of shelling out to /bin/mkdir)
  FileUtils.mkdir_p(tabledir)
  table.each do |chain|
    # one file per chain, one rule per line
    File.open(File.join(tabledir, chain.name), "w") do |f|
      chain.each do |rule|
        f.puts(rule)
      end
    end
  end
end

# FIXME: figure out what's up with other policies
File.open(File.join(FWOUTDIR, "..", "options"), "w") do |f|
  filter = tables["filter"]
  if filter
    filter.each do |chain|
      case chain.name
      when "INPUT", "OUTPUT", "FORWARD"
        f.puts("IPTABLES_#{chain.name}_POLICY=#{chain.policy}")
      end
    end
  end
end

-------- attachment: iptables-save.rb --------

#!/usr/bin/env ruby
# simple library to accommodate iptables-save data
# Copyleft 2006 by Michael Shigorin

# an Array that also carries a name and can be looked up by element name
class ArrayExt < Array
  def initialize(name = nil)
    super()
    @name = name
  end

  attr_reader :name

  def add(item)
    # push another one onto the stack
    self << item
  end

  def list
    # returns an array of my object names
    collect { |x| x.name }
  end

  def [](key)
    # Pickaxe example ;-)
    # integer keys keep the usual Array indexing (super, not self[key],
    # which would recurse); anything else is looked up by name
    return super if key.kind_of?(Integer)
    find { |x| x.name == key }
  end

  def inspect; "<#{name}> #{super}"; end
end

class Iptables < ArrayExt; end

class Table < ArrayExt
  def initialize(name)
    super(name)
    @committed = false
  end

  attr_reader :committed

  def add(chain)
    # a table is frozen once its COMMIT line has been seen
    self << chain unless @committed
  end

  def commit
    @committed = true
    self
  end
end

class Chain < ArrayExt
  def initialize(name, policy = "ACCEPT")
    super(name)
    @policy = policy
  end

  attr_reader :policy
end
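The attached script reads the iptables-save dump line by line and sorts it into tables, chains and rules. The following is an added example (not part of the original post or of the etcnet project) that performs the same parse on a constructed dump embedded in the file, returns a plain table/chain/rule structure instead of writing files, and deals with the details a real dump contains that the original regexps do not cover: user-defined chains (whose policy column is "-"), chain names with hyphens, comment lines, and rules that reference a chain the dump never declared. The `parse_iptables_save` and `options_lines` names and the `ParseError` class are this example's own.

```ruby
#!/usr/bin/env ruby
# Added example: parse iptables-save output into a
# table -> chain -> {policy, rules} structure and derive the etcnet
# IPTABLES_*_POLICY lines for the filter table's built-in chains.

# Constructed sample dump, shaped like real iptables-save output.
SAMPLE_DUMP = <<~DUMP
  # Generated by iptables-save v1.4.21 (constructed sample)
  *filter
  :INPUT DROP [12:960]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [40:3200]
  :ssh-guard - [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -p tcp --dport 22 -j ssh-guard
  -A ssh-guard -m state --state NEW -m recent --set --name SSH
  -A ssh-guard -j ACCEPT
  COMMIT
  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT
  # Completed on Wed Feb 22 20:00:00 2006
DUMP

NEWTABLE = /^\*([a-z]+)$/
# policy is a word for built-in chains and "-" for user-defined ones
NEWCHAIN = /^:([A-Za-z0-9_.-]+) (\S+) \[(\d+):(\d+)\]$/
NEWRULE  = /^-A ([A-Za-z0-9_.-]+) (.*)$/
COMMENT  = /^#/

class ParseError < StandardError; end

# Returns { "filter" => { "INPUT" => { policy: "DROP", rules: [...] }, ... }, ... }
def parse_iptables_save(text)
  tables = {}
  current = nil
  text.each_line(chomp: true) do |line|
    next if line.empty? || line =~ COMMENT
    case line
    when NEWTABLE
      current = tables[$1] = {}
    when NEWCHAIN
      raise ParseError, "chain declared before any *table: #{line}" unless current
      current[$1] = { policy: $2, rules: [] }
    when NEWRULE
      chain = current && current[$1]
      # a rule for an undeclared chain means the dump is truncated or garbled
      raise ParseError, "rule for undeclared chain #{$1}" unless chain
      chain[:rules] << $2.strip
    when "COMMIT"
      raise ParseError, "COMMIT outside a table" unless current
      current = nil
    else
      raise ParseError, "unrecognised line: #{line}"
    end
  end
  raise ParseError, "missing COMMIT for last table" if current
  tables
end

# The etcnet "options" lines for the filter table's built-in chains, as the
# attached script writes them; user-defined chains have no policy to emit.
def options_lines(tables)
  filter = tables.fetch("filter", {})
  %w[INPUT FORWARD OUTPUT].map do |name|
    chain = filter[name]
    "IPTABLES_#{name}_POLICY=#{chain[:policy]}" if chain
  end.compact
end

if __FILE__ == $0
  tables = parse_iptables_save(SAMPLE_DUMP)
  tables.each do |tname, chains|
    chains.each do |cname, c|
      puts "#{tname}/#{cname} (policy #{c[:policy]}): #{c[:rules].size} rule(s)"
    end
  end
  puts options_lines(tables)
end
```

Feeding the real `iptables-save` output in place of `SAMPLE_DUMP` is a matter of `parse_iptables_save(IO.popen("/sbin/iptables-save", &:read))`; a dump that does not parse cleanly raises rather than silently producing a partial etcnet tree, which is the failure mode to avoid when the output becomes the firewall configuration applied at boot.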