README
¶
iptables-parser
Parse lines generated by iptables-save.
This parser is inspired by Ben Johnson's SQL Parser.
Description
This parser parses lines returned from iptables-save or iptables -S and returns a Line or an Error.
A Line can be a Rule, Comment, Policy (default rule) or Header,
all of them being structs.
Match Extensions
iptables has a lot of match extensions.
Only a few are implemented.
If one is not implemented, the parses returns an error for that line.
Target Extensions
Just like in Match Extensions, not all of the target extensions are implemented.
Example
package main
import (
"fmt"
"log"
ipt "github.com/coreos/go-iptables/iptables"
iptp "github.com/kilo-io/iptables_parser"
)
func main() {
t, err := ipt.NewWithProtocol(ipt.ProtocolIPv4)
if err != nil {
log.Fatal(err.Error())
}
rs, err := t.List("filter", "DOCKER")
if err != nil {
log.Fatal(err.Error())
}
for _, r := range rs {
fmt.Println(r)
tr, err := iptp.NewFromString(r)
if err != nil {
fmt.Printf("Error: %v", err)
continue
}
switch r := tr.(type) {
case iptp.Rule:
fmt.Printf("rule parsed: %v\n", r)
case iptp.Policy:
fmt.Printf("policy parsed: %v\n", r)
default:
fmt.Printf("something else happend: %v\n", r)
}
}
}
Documentation
¶
Index ¶
Constants ¶
const BUFSIZE = 16
BUFSIZE is the max buffer size of the ring buffer in the parser.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Comment ¶
type Comment struct {
Content string
}
Comment represents a comment in an iptables dump. Comments start with #.
type Counter ¶
type Counter struct {
// contains filtered or unexported fields
}
Counter represents the package and byte counters.
type DNSOrIP ¶
type DNSOrIP struct {
// contains filtered or unexported fields
}
DNSOrIP represents either a DNS name or an IP address. IPs, as they are more specific, are preferred.
func NewDNSOrIP ¶
NewDNSOrIP takes a string and return a DNSOrIP, or an error. It tries to parse it as an IP, if this fails it will check, whether the input is a valid DNS name.
type DNSOrIPPair ¶
DNSOrIPPair either holds an IP or DNS and a flag. The boolean not-flag is used when an address or DNS name is reverted with a "!" character.
func (DNSOrIPPair) Spec ¶
func (d DNSOrIPPair) Spec(f string) []string
Spec returns a DNSOrIPPair how coreos' iptables package would expect it.
func (DNSOrIPPair) String ¶
func (d DNSOrIPPair) String(f string) string
String returns the part of the iptables rule. It requires its flag as string to generate the correct string, e.g. "! -s 10.0.0.1/32".
type Flag ¶
Flag is flag, e.g. --dport 8080. It can be negated with a leading !. Sometimes a flag is followed by several arguments.
type Header ¶
type Header struct {
Content string
}
Header represents a header in an iptables dump and introduce a new table. They start with *.
type Line ¶
type Line interface {
String() string
}
Line represents a line in a iptables dump, e.g. generated with iptables-save. It is either Comment, Header, Default or Rule.
func NewFromString ¶
NewFromString takes a string a parses it until the EOF or NEWLINE to return a Header, Policy or Rule. It will return an error otherwise.
type Match ¶
Match represents one match expression from the iptables-extension. See man iptables-extenstion for more info.
type Parser ¶
type Parser struct {
// contains filtered or unexported fields
}
Parser represents a parser.
type Policy ¶
type Policy struct {
Chain string
Action string
UserDefined *bool // nil if unknown
Counter *Counter
}
Policy represents a build-in policy. They can be parsed from iprables-save looking like ":FORWARD DROP [0:100]" They start with :. They can also be parsed from "iptables -S" looking like "-N|-P chain [target]". In the latter case, UserDefined will be set. For user defined policies, Action should be an empty string "" or "-".
type Rule ¶
type Rule struct {
Chain string // Name of the chain
Source *DNSOrIPPair // Will be nil, if -s flag was not set.
Destination *DNSOrIPPair // Will be nil, if -s flag was not set.
InInterf *StringPair // Will be nil, if -i flag was not set.
OutInterf *StringPair // Will be nil, if -o flag was not set.
Protocol *StringPair // Be aware that the protocol names can be different depending on your system.
Fragment *bool // Will be nil, if flag was not set.
IPv4 bool // False, if flag was not set.
IPv6 bool // False, if flag was not set.
Jump *Target // Will be nil, if -j flag was not set.
Goto *Target // Will be nil, if -g flag was not set.
Counter *Counter // Will be nil, if no counter was parsed.
Matches []Match // Matches need to be a slice because order can matter. See man iptables-extension.
}
Rule represents a rule in an iptables dump. Normally the start with -A. The parser treats the -A flag like any other flag, thus does not require the -A flag as the leading flag.
func NewRuleFromSpec ¶
NewRuleFromSpec returns a rule from a given rulespec and chain name. It will return nil and an error, if the rulespec does not resemble a valid rule, or contains unknown, or not implemented extensions.
func NewRuleFromString ¶
NewRuleFromString returns a rule for the given string. It can only handle appended rules with the "-A <chain name>" flag. It will return nil and an error, if the given string does not resemble a valid rule, or contains unknown, or not implemented extensions.
func (Rule) Spec ¶
Spec returns the rule specifications of the rule. The rulespec does not contain the chain name. Different rule specs can describe the same rule, so don't use the rulespec to compare rules. The rule spec can be used to append, insert or delete rules with coreos' go-iptables module.
type StringPair ¶
StringPair is a string with a flag. It is used to represent flags that specify a string value and can be negated with a "!".
func (StringPair) Spec ¶
func (sp StringPair) Spec(f string) []string
Spec returns a StringPair how coreos' iptables package would expect it.
func (StringPair) String ¶
func (sp StringPair) String(f string) string
Source Files
Directories