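<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Converts from simple xml iptables format to iptables-save format
     Copyright 2006 UfoMechanic
     Author: azez@ufomechanic.net
     This code is distributed and licensed under the terms of GNU GPL v2

     This sample usage outputs roughly what goes in
       iptables-save | iptables-xml -c | xsltproc iptables.xslt -

     Review note: element names, attribute values (@name, @policy, the
     counters) and element text are written to the output verbatim, with no
     quoting, escaping or validation. A value that contains whitespace or a
     line break therefore changes the shape of the generated rule lines.
     Only transform XML from a source you trust as much as the ruleset
     itself, and check the result (for example with iptables-restore -t)
     before loading it.
     -->
<xsl:transform version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <!-- Text output method: only text nodes of the result reach the output. -->
  <xsl:output method="text" />
  <!-- Drop whitespace-only text nodes from the input so that indentation in
       the XML never ends up in the generated rules. -->
  <xsl:strip-space elements="*" />

  <!-- Output the conditions of a rule but not an action.
       Every direct child of <conditions> is written as "-m NAME" followed by
       whatever its own children produce. -->
  <xsl:template match="iptables-rules/table/chain/rule/conditions/*">
    <!-- <match> is the pseudo module used when a match module doesn't need to
         be loaded, so no -m is inserted for it -->
    <xsl:if test="name() != 'match'">
      <xsl:text> -m </xsl:text><xsl:value-of select="name()"/>
    </xsl:if>
    <xsl:apply-templates select="node()"/>
  </xsl:template>

  <!-- Drop the actions or conditions containers themselves and process their
       child elements.
       NOTE(review): the second alternative has no leading iptables-rules
       step, unlike every other pattern in this file; left as it was. -->
  <xsl:template match="iptables-rules/table/chain/rule/actions|table/chain/rule/conditions">
    <xsl:apply-templates select="*"/>
  </xsl:template>

  <!-- <goto> and <call> are also matched by the generic actions/* rule
       further down, and all three patterns have the same default priority
       (0.5). XSLT 1.0 treats that as a conflict which a processor may either
       report or resolve by taking the rule that occurs last in the
       stylesheet, which would be the generic one. The explicit priority makes
       the two specific rules win on every processor. -->
  <xsl:template match="iptables-rules/table/chain/rule/actions/goto" priority="1">
    <xsl:text> -g </xsl:text>
    <xsl:apply-templates select="*"/>
    <xsl:text>&#xA;</xsl:text>
  </xsl:template>
  <xsl:template match="iptables-rules/table/chain/rule/actions/call" priority="1">
    <xsl:text> -j </xsl:text>
    <xsl:apply-templates select="*"/>
    <xsl:text>&#xA;</xsl:text>
  </xsl:template>
  <!-- all other actions are module actions: the element name is the target -->
  <xsl:template match="iptables-rules/table/chain/rule/actions/*">
    <xsl:text> -j </xsl:text><xsl:value-of select="name()"/>
    <xsl:apply-templates select="*"/>
    <xsl:text>&#xA;</xsl:text>
  </xsl:template>

  <!-- All child nodes of an action or of a condition module: each becomes one
       option, written as the element name followed by the element text.
       The text is not quoted, so a value with embedded whitespace becomes
       several words on the rule line. -->
  <xsl:template match="iptables-rules/table/chain/rule/actions/*/*|iptables-rules/table/chain/rule/actions/*//*|iptables-rules/table/chain/rule/conditions/*/*|iptables-rules/table/chain/rule/conditions/*//*">
    <!-- invert="1" puts a "!" in front of the option -->
    <xsl:if test="@invert=1"><xsl:text> !</xsl:text></xsl:if>
    <xsl:text> -</xsl:text>
    <!-- one dash for a one-character name, two for longer names -->
    <xsl:if test="string-length(name())&gt;1">
      <xsl:text>-</xsl:text>
    </xsl:if>
    <xsl:value-of select="name()"/>
    <xsl:text> </xsl:text><xsl:value-of select="."/>
  </xsl:template>

  <!-- The child of <call> or <goto> is the target chain: only its element
       name is written, with no leading dash. The generic option rule above
       matches these nodes too, so the priority is stated explicitly instead
       of relying on stylesheet order. -->
  <xsl:template match="iptables-rules/table/chain/rule/actions/call/*|iptables-rules/table/chain/rule/actions/goto/*" priority="1">
    <xsl:value-of select="name()"/>
    <!-- I bet there are no child nodes, should we risk it? -->
    <xsl:apply-templates select="node()"/>
  </xsl:template>

  <!-- Output the head of the rule, and any conditions.
       Must be called with a <rule> as the current node: the chain name is
       read from the parent element. -->
  <xsl:template name="rule-head">
    <!-- counters are only written when the rule carries at least one of them -->
    <xsl:if test="string-length(@packet-count)+string-length(@byte-count)">
      <xsl:call-template name="counters"><xsl:with-param name="node" select="."/></xsl:call-template>
      <xsl:text> </xsl:text>
    </xsl:if>
    <xsl:text>-A </xsl:text><!-- a rule must be under a chain -->
    <xsl:value-of select="../@name" />
    <xsl:apply-templates select="conditions"/>
  </xsl:template>

  <!-- Output a single rule, perhaps as multiple rules if we have more than one action -->
  <xsl:template match="iptables-rules/table/chain/rule">
    <xsl:choose>
      <xsl:when test="count(actions/*)&gt;0">
        <xsl:for-each select="actions/*">
          <!-- a nested for-each re-selects the rule as the current node, so
               that rule-head sees the rule and not the action -->
          <xsl:for-each select="../..">
            <xsl:call-template name="rule-head"/>
          </xsl:for-each>
          <!-- now write this action; its template ends the line -->
          <xsl:apply-templates select="."/>
        </xsl:for-each>
      </xsl:when>
      <xsl:otherwise>
        <!-- no need to loop if there are no actions, just output conditions -->
        <xsl:call-template name="rule-head"/>
        <xsl:text>&#xA;</xsl:text>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

  <!-- Output one table: the "*name" line, one ":chain policy [pkts:bytes]"
       line per chain, then the rules, then COMMIT. -->
  <xsl:template match="iptables-rules/table">
    <xsl:text># Generated by iptables.xslt&#xA;</xsl:text>
    <xsl:text>*</xsl:text><xsl:value-of select="@name"/><xsl:text>&#xA;</xsl:text>
    <!-- Loop through each chain and output the chain header -->
    <xsl:for-each select="chain">
      <xsl:text>:</xsl:text>
      <xsl:value-of select="@name"/>
      <xsl:text> </xsl:text>
      <xsl:choose>
        <!-- a chain without a policy attribute gets "-" -->
        <xsl:when test="not(string-length(@policy))"><xsl:text>-</xsl:text></xsl:when>
        <xsl:otherwise><xsl:value-of select="@policy"/></xsl:otherwise>
      </xsl:choose>
      <xsl:text> </xsl:text>
      <xsl:call-template name="counters"><xsl:with-param name="node" select="."/></xsl:call-template>
      <xsl:text>&#xA;</xsl:text>
    </xsl:for-each>
    <!-- Output the rules: the chain elements have no template of their own,
         so they fall through to the recursing rule at the end of the file,
         which reaches the rule elements -->
    <xsl:apply-templates select="node()"/>
    <xsl:text>COMMIT&#xA;# Completed&#xA;</xsl:text>
  </xsl:template>

  <!-- Write "[packets:bytes]" for the given node, using 0 for a counter
       attribute that is missing or empty.
       Parameter node: the element carrying packet-count and byte-count;
       defaults to the current node.
       The parameter used to be declared as "$node", which is not a valid
       QName and does not match the name="node" that both callers pass. -->
  <xsl:template name="counters">
    <xsl:param name="node" select="."/>
    <xsl:text>[</xsl:text>
    <xsl:choose>
      <xsl:when test="string-length($node/@packet-count)"><xsl:value-of select="$node/@packet-count"/></xsl:when>
      <xsl:otherwise><xsl:text>0</xsl:text></xsl:otherwise>
    </xsl:choose>
    <xsl:text>:</xsl:text>
    <xsl:choose>
      <xsl:when test="string-length($node/@byte-count)"><xsl:value-of select="$node/@byte-count"/></xsl:when>
      <xsl:otherwise><xsl:text>0</xsl:text></xsl:otherwise>
    </xsl:choose>
    <xsl:text>]</xsl:text>
  </xsl:template>

  <!-- The bit that automatically recurses for us. It selects node(), so text
       nodes are visited as well; whitespace-only text never gets here
       because of the xsl:strip-space declaration at the top. -->
  <xsl:template match="@*|node()">
    <xsl:copy>
      <!-- with libxslt xsltproc we can't do @*|node() or the nodes may get processed before the attributes -->
      <xsl:apply-templates select="@*"/>
      <xsl:apply-templates select="node()"/>
    </xsl:copy>
  </xsl:template>

</xsl:transform>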