From 3311c33b5536f535cf3d9f9e7812874effbd209a Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Tue, 18 Nov 2008 14:01:07 +0000
Subject: Added more parameters to iptables rules.
git-svn-id: svn://svn.alpinelinux.org/acf/iptables/trunk@1597 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 iptables-model.lua | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 81 insertions(+), 6 deletions(-)
(limited to 'iptables-model.lua')
diff --git a/iptables-model.lua b/iptables-model.lua
index 84e6687..67304b7 100644
--- a/iptables-model.lua
+++ b/iptables-model.lua
@@ -35,7 +35,7 @@ local getdetails = function()
 table.insert(details[tab], {name=name, policy=policy, references=references})
 elseif not string.match(line, "target%s+prot") then
 local block = {}
- block.packets, block.bytes, block.rule = string.match(line, "^%s*(%S+)%s+(%S+)%s+(.*)$")
+ block.packets, block.bytes, block.rule = string.match(line, "^%s*(%S+)%s+(%S+)%s+(.*%S)")
 table.insert(details[tab][#details[tab]], block)
 --table.insert(details[tab][#details[tab]], line)
 elseif not details[tab].header then
@@ -102,10 +102,14 @@ local function validate_rule(rule)
 rule.value.comment.errtxt = "Cannot contain quotes"
 success = false
 end
- if rule.value.jump.value == "" and rule.value.goto.value == "" then
- rule.value.jump.errtxt = "Must define target or goto"
- success = false
- end
+ basiccheck(rule.value.icmp_type)
+ basiccheck(rule.value.src_range)
+ basiccheck(rule.value.dst_range)
+ basiccheck(rule.value.mac_source)
+ basiccheck(rule.value.sports)
+ basiccheck(rule.value.dports)
+ basiccheck(rule.value.ports)
+ basiccheck(rule.value.state)
 return success, rule
 end
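Review bot: In the validate_rule hunk the three multiport fields are only passed through basiccheck, but the multiport match accepts exactly one of --sports/--dports/--ports per rule, and the generator added elsewhere in this commit emits every non-empty one; a rule with two of them set therefore passes validation and fails only when iptables is invoked. basiccheck is defined outside this hunk, so I cannot tell what it verifies, but it takes a single field and cannot see the other two. Add a mutual-exclusion check next to the new calls, e.g. `local nports = 0`, `for _, f in ipairs({rule.value.sports, rule.value.dports, rule.value.ports}) do if f.value ~= "" then nports = nports + 1 end end`, `if nports > 1 then rule.value.ports.errtxt = "Only one of sports, dports and ports may be set"; success = false end`. The same hunk could also reject icmp_type when the protocol field is not icmp, since `-m icmp` is only valid with `-p icmp`. validate_rule starts before this hunk.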
@@ -113,8 +117,16 @@ end
 local function generate_rule_specification(rule)
 local spec = {}
- function addparameter(value, option)
+ function addparameter(value, option, notfirst)
 if value ~= "" then
+ if string.find(value, "^!") then
+ if notfirst then
+ spec[#spec + 1] = '!'
+ value = string.sub(value, 2)
+ else
+ value = string.sub(value,1,1) .. " " .. string.sub(value,2)
+ end
+ end
 spec[#spec + 1] = option
 spec[#spec + 1] = value
 end
@@ -148,6 +160,19 @@ local function generate_rule_specification(rule)
 if rule.value.comment.value ~= "" then
 addparameter('"' .. rule.value.comment.value .. '"', "--comment")
 end
+ addmodule({rule.value.icmp_type.value}, "icmp")
+ addparameter(rule.value.icmp_type.value, "--icmp-type", false)
+ addmodule({rule.value.src_range.value, rule.value.dst_range.value}, "iprange")
+ addparameter(rule.value.src_range.value, "--src-range", true)
+ addparameter(rule.value.dst_range.value, "--dst-range", true)
+ addmodule({rule.value.mac_source.value}, "mac")
+ addparameter(rule.value.mac_source.value, "--mac-source", false)
+ addmodule({rule.value.sports.value, rule.value.dports.value, rule.value.ports.value}, "multiport")
+ addparameter(rule.value.sports.value, "--sports", false)
+ addparameter(rule.value.dports.value, "--dports", false)
+ addparameter(rule.value.ports.value, "--ports", false)
+ addmodule({rule.value.state.value}, "state")
+ addparameter(rule.value.state.value, "--state")
 return table.concat(spec, " ")
 end
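Review bot: The new negation branch in addparameter never re-checks the value after the `!` is consumed: a field containing only `!` passes the `value ~= ""` guard, and on the notfirst path the code pushes `!`, the option and an empty string into spec, so the specification ends in `! --src-range ` with no argument (the other path yields `--icmp-type ! `). Tighten the guard to `if value ~= "" and value ~= "!" then`, or reject a bare `!` in validate_rule so the user sees an error instead of an iptables failure. Separately, the `--option ! value` form produced when notfirst is false is the old intrapositioned negation; I believe later iptables 1.4 releases warn about it, so it is worth confirming the target version accepts it. The function remains a global (no `local`), which predates this commit.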
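Review bot: The state call is the only one in this hunk that omits the third argument, `addparameter(rule.value.state.value, "--state")`, so its negation placement is decided by nil rather than an explicit choice; pass `false` like the neighbouring calls so a reader does not have to work out that nil means intrapositioned. The icmp module is also added whenever icmp_type is non-empty regardless of the protocol field; as far as I recall iptables rejects `-m icmp` unless `-p icmp` is given, so a protocol check either here or in validate_rule (outside this hunk) would fail earlier with a clearer message. generate_rule_specification starts before this hunk.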
@@ -316,6 +341,14 @@ function read_rule(tab, chain, pos)
 retval.addrtype_src_type = cfe({ type="select", label="Source Address Type", option={"", "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST", "BLACKHOLE", "UNREACHABLE", "PROHIBIT"} })
 retval.addrtype_dst_type = cfe({ type="select", label="Destination Address Type", option={"", "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST", "BLACKHOLE", "UNREACHABLE", "PROHIBIT"} })
 retval.comment = cfe({ label="Comment" })
+ retval.icmp_type = cfe({ label="ICMP Type", descr="Type by name or number" })
+ retval.src_range = cfe({ label="Source IP Range", descr="'ip-ip' to match source IP. A '!' before the range inverts the test." })
+ retval.dst_range = cfe({ label="Destination IP Range", descr="'ip-ip' to match destination IP. A '!' before the range inverts the test." })
+ retval.mac_source = cfe({ label="Source MAC address", descr="'XX:XX:XX:XX:XX:XX' to match the ethernet source MAC. A '!' before the address inverts the test." })
+ retval.sports = cfe({ label="Source Ports", descr="Up to 15 comma-separated ports can be specified. Port ranges (port:port) count as two ports. A '!' before the port definition inverts the test." })
+ retval.dports = cfe({ label="Destination Ports", descr="Up to 15 comma-separated ports can be specified. Port ranges (port:port) count as two ports. A '!' before the port definition inverts the test." })
+ retval.ports = cfe({ label="Ports", descr="Up to 15 comma-separated ports can be specified. Port ranges (port:port) count as two ports. A '!' before the port definition inverts the test." })
+ retval.state = cfe({ label="State", descr="Comma-separated list of states to match. Possible states are INVALID, ESTABLISHED, NEW, and RELATED." })
 getdetails()
 if tab and not details[tab] then
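Review bot: The descr strings for Source Ports, Destination Ports and Ports do not tell the user that only one of the three may be used in a rule, which is a multiport restriction the generator in this commit does not enforce; add a sentence such as `Only one of Source Ports, Destination Ports and Ports may be set in a rule.` to each. The ICMP Type descr should also say the field only applies when the protocol is icmp, and the State descr omits the `'!'` inversion note the other fields carry even though addparameter treats a leading `!` the same way for every field. read_rule starts before this hunk.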
@@ -335,6 +368,10 @@ function read_rule(tab, chain, pos)
 -- We found the rule, update the settings
 local words = {}
 for word in string.gmatch(chn[tonumber(pos)].rule, "%S+") do words[#words + 1] = word end
+ -- the target might be missing, so we need to check
+ if #words[2] == 2 and string.match(words[2], "^[%-!]") then
+ table.insert(words, 1, "")
+ end
 retval.jump.value = words[1] or ""
 retval.protocol.value = words[2] or ""
 if words[3] == "-f" then
@@ -360,6 +397,44 @@ function read_rule(tab, chain, pos)
 elseif words[i] == "dst-type" then
 retval.addrtype_dst_type.value = words[i+1]
 i = i+1
+ elseif words[i] == "icmp" then
+ retval.icmp_type.value = words[i+2]
+ i = i+2
+ elseif words[i] == "source" and words[i+1] == "IP" and words[i+2] == "range" then
+ if words[i+3] == "!" then
+ retval.src_range.value = "!" .. words[i+4]
+ i = i+4
+ else
+ retval.src_range.value = words[i+3]
+ i = i+3
+ end
+ elseif words[i] == "destination" and words[i+1] == "IP" and words[i+2] == "range" then
+ if words[i+3] == "!" then
+ retval.dst_range.value = "!" .. words[i+4]
+ i = i+4
+ else
+ retval.dst_range.value = words[i+3]
+ i = i+3
+ end
+ elseif words[i] == "MAC" then
+ if words[i+1] == "!" then
+ retval.mac_source.value = "!" .. words[i+2]
+ i = i+2
+ else
+ retval.mac_source.value = words[i+1]
+ i = i+1
+ end
+ elseif words[i] == "multiport" then
+ if words[i+2] == "!" then
+ retval[words[i+1]].value = "!" .. words[i+3]
+ i = i+3
+ else
+ retval[words[i+1]].value = words[i+2]
+ i = i+2
+ end
+ elseif words[i] == "state" then
+ retval.state.value = words[i+1]
+ i = i+1
 end
 i = i+1
 end
-- cgit v1.2.3
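Review bot: The missing-target test applies `#` to `words[2]` before establishing that the word exists, while the two lines below it defensively use `words[1] or ""` and `words[2] or ""`; presumably every rule line from the listing carries at least a protocol and an opt column, but a shorter line would now raise "attempt to get length of a nil value" instead of taking those defaults. Make the guard total: `if words[2] and #words[2] == 2 and string.match(words[2], "^[%-!]") then`. read_rule starts before this hunk.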
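Review bot: The multiport branch indexes retval with a token taken straight from the iptables listing, `retval[words[i+1]].value`, so anything other than sports/dports/ports after "multiport" (a listing-format difference between iptables versions, or a truncated line where words[i+1] is nil) raises "attempt to index a nil value" and aborts read_rule rather than leaving the field empty. Restrict the branch to the expected words: `elseif words[i] == "multiport" and (words[i+1] == "sports" or words[i+1] == "dports" or words[i+1] == "ports") then`. The state branch, unlike the iprange and MAC branches, does not look for a `!` token, yet addparameter in this commit emits a negated `--state` whenever the field starts with `!`; if the listing prints that as `state ! NEW`, the round trip drops the negation and the branch should get the same two-way handling. The enclosing loop and read_rule itself start before this hunk.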