iptables-restore v1.4.12: iptables.xslt creates wrong output: Couldn't load match `ptcp'

Time: 2016-05-13 21:31:24

Tags: c xml linux xslt iptables

I am trying to load data from XML into iptables. I use the following command:

xsltproc /usr/share/iptables/iptables.xslt myiptable.xml | iptables-restore

But I get this error:

iptables-restore v1.4.12: Couldn't load match `ptcp': No such file or directory

I compared the output of iptables-save with that of xsltproc /usr/share/iptables/iptables.xslt myiptable.xml and got this.

Output of xsltproc /usr/share/iptables/iptables.xslt myiptable.xml:

-A INPUT -m ptcp -m tcp --dport 22 -j ACCEPT

Output of iptables-save:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Can someone explain what is going on? Also, is there somewhere I can download a standard iptables.xslt file?

1 answer:

Answer 0 (score: 1)

Well, the output of the XSLT seems to be syntactically incorrect.

So -m ptcp -m tcp should be -p tcp -m tcp. IIRC -m is match, -p is protocol.

I investigated this further.

This seems to be a bug in /usr/share/iptables/iptables.xslt. The actual XSLT is out of sync with the XML format, so the output is unusable.

In the original iptables.xslt (2011-07-22), the output of match extensions is checked with

<xsl:if test="name() != 'match'">

but the generated XML file contains no <match> element, so this always evaluates to true, creating the -m ptcp output (alongside many other wrong strings).

Solution:

I rewrote iptables.xslt, replacing the first template matching conditions with

<!-- output conditions of a rule but not an action -->
<xsl:template match="iptables-rules/table/chain/rule/conditions/*">
  <!-- <match> is the pseudo module when a match module doesn't need to be loaded and when -m does not need to be inserted -->
  <xsl:choose>
    <!-- element name is a known match extension: emit "-m NAME" -->
    <xsl:when test="document('ipt-ext.xml')//@name = name()">
      <xsl:text> -m </xsl:text><xsl:value-of select="name()"/>
    </xsl:when>
    <!-- otherwise it is a builtin option such as p, s, d, i: emit "-NAME " -->
    <xsl:otherwise>
      <xsl:value-of select="concat(' -',name(),' ')"/>
    </xsl:otherwise>
  </xsl:choose>
  <xsl:apply-templates select="node()"/>
</xsl:template>

This template needs an auxiliary XML helper file in the same directory that identifies the match extensions; they are listed in a file named ipt-ext.xml. Create a new file with this name and the following contents in /usr/share/iptables/:
<?xml version="1.0" encoding="ISO-8859-1"?>
<IPTablesMatchExtensions>
    <IPText name="addrtype" />
    <IPText name="ah" />
    <IPText name="bpf" />
    <IPText name="cluster" />
    <IPText name="comment" />
    <IPText name="connbytes" />
    <IPText name="connlimit" />
    <IPText name="connmark" />
    <IPText name="conntrack" />
    <IPText name="cpu" />
    <IPText name="dccp" />
    <IPText name="devgroup" />
    <IPText name="dscp" />
    <IPText name="dst" />
    <IPText name="ecn" />
    <IPText name="esp" />
    <IPText name="eui64" />
    <IPText name="frag" />
    <IPText name="hashlimit" />
    <IPText name="hbh" />
    <IPText name="helper" />
    <IPText name="hl" />
    <IPText name="icmp" />
    <IPText name="icmp6" />
    <IPText name="iprange" />
    <IPText name="ipv6header" />
    <IPText name="ipvs" />
    <IPText name="length" />
    <IPText name="limit" />
    <IPText name="mac" />
    <IPText name="mark" />
    <IPText name="mh" />
    <IPText name="multiport" />
    <IPText name="nfacct" />
    <IPText name="osf" />
    <IPText name="owner" />
    <IPText name="physdev" />
    <IPText name="pkttype" />
    <IPText name="policy" />
    <IPText name="quota" />
    <IPText name="rateest" />
    <IPText name="realm" />
    <IPText name="recent" />
    <IPText name="rpfilter" />
    <IPText name="rt" />
    <IPText name="sctp" />
    <IPText name="set" />
    <IPText name="socket" />
    <IPText name="state" />
    <IPText name="statistic" />
    <IPText name="string" />
    <IPText name="tcp" />
    <IPText name="tcpmss" />
    <IPText name="time" />
    <IPText name="tos" />
    <IPText name="ttl" />
    <IPText name="u32" />
    <IPText name="udp" />
    <IPText name="unclean" />
</IPTablesMatchExtensions>

Application:

From iptables rules to an XML file:

sudo iptables-save | iptables-xml -c > myiptable.xml

From the XML file back to iptables rules:

xsltproc /usr/share/iptables/iptables.xslt myiptable.xml | sudo iptables-restore

Test case: I tested the new stylesheet with these iptables rules:

$ sudo iptables-save
# Generated by iptables-save v1.4.12 on Thu May 19 12:00:00 2016
*nat
:PREROUTING ACCEPT [11:568]
:INPUT ACCEPT [1:248]
:OUTPUT ACCEPT [35:2284]
:POSTROUTING ACCEPT [35:2284]
-A PREROUTING -s 192.168.69.9/32 -i eth1 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A PREROUTING -d 192.168.70.124/32 -i eth1 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
COMMIT
# Completed on Thu May 19 12:00:00 2016
# Generated by iptables-save v1.4.12 on Thu May 19 12:00:00 2016
*filter
:INPUT ACCEPT [138:40810]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135:24836]
-A INPUT -p tcp -m tcp --dport 65002 -j ACCEPT
-A INPUT -s 10.0.0.0/32 -p tcp -m tcp --dport 65003 -j ACCEPT
-A INPUT -d 10.0.0.1/32 -m connbytes --connbytes 1:4 --connbytes-mode bytes --connbytes-dir both -j ACCEPT
COMMIT
# Completed on Thu May 19 12:00:00 2016

Then I converted this output to XML with the command above:

sudo iptables-save | iptables-xml -c > myiptable.xml

The generated XML file looks like this:

<iptables-rules version="1.0">
<!-- # Generated by iptables*-save v1.4.12 on Thu May 19 12:00:00 2016 -->
  <table name="nat" >
    <chain name="PREROUTING" policy="ACCEPT" packet-count="3" byte-count="96" >
      <rule >
       <conditions>
PREROUTING          <s >192.168.69.9/32</s>
          <i >eth1</i>
          <p >tcp</p>
        <tcp >
          <dport >80</dport>
          <tcp-flags >FIN,SYN,RST,ACK SYN</tcp-flags>
        </tcp>
       </conditions>
       <actions>
        <ACCEPT  />
       </actions>

      </rule>

      <rule >
       <conditions>
PREROUTING          <d >192.168.70.124/32</d>
          <i >eth1</i>
          <p >tcp</p>
        <tcp >
          <dport >80</dport>
          <tcp-flags >FIN,SYN,RST,ACK SYN</tcp-flags>
        </tcp>
       </conditions>
       <actions>
        <ACCEPT  />
       </actions>

      </rule>

    </chain>
    <chain name="INPUT" policy="ACCEPT" packet-count="0" byte-count="0" />
    <chain name="OUTPUT" policy="ACCEPT" packet-count="8" byte-count="541" />
    <chain name="POSTROUTING" policy="ACCEPT" packet-count="8" byte-count="541" />
  </table>
<!-- # Completed on Thu May 19 12:00:00 2016 -->
<!-- # Generated by iptables*-save v1.4.12 on Thu May 19 12:00:00 2016 -->
  <table name="filter" >
    <chain name="INPUT" policy="ACCEPT" packet-count="127" byte-count="27749" >
      <rule >
       <conditions>
INPUT          <p >tcp</p>
        <tcp >
          <dport >65002</dport>
        </tcp>
       </conditions>
       <actions>
        <ACCEPT  />
       </actions>

      </rule>

      <rule >
       <conditions>
INPUT          <s >10.0.0.0/32</s>
          <p >tcp</p>
        <tcp >
          <dport >65003</dport>
        </tcp>
       </conditions>
       <actions>
        <ACCEPT  />
       </actions>

      </rule>

      <rule >
       <conditions>
INPUT          <d >10.0.0.1/32</d>
        <connbytes >
          <connbytes >1:4</connbytes>
          <connbytes-mode >bytes</connbytes-mode>
          <connbytes-dir >both</connbytes-dir>
        </connbytes>
       </conditions>
       <actions>
        <ACCEPT  />
       </actions>

      </rule>

    </chain>
    <chain name="FORWARD" policy="ACCEPT" packet-count="0" byte-count="0" />
    <chain name="OUTPUT" policy="ACCEPT" packet-count="78" byte-count="6909" />
  </table>
<!-- # Completed on Thu May 19 12:00:00 2016 -->
</iptables-rules>

and then went from XML back to iptables again:

xsltproc /usr/share/iptables/iptables.xslt myiptable.xml | sudo iptables-restore

This all works seamlessly, as expected.
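The decision the rewritten template makes (emit `-m NAME` only when `NAME` is a known match extension, otherwise treat the element as a builtin option such as `-p`, `-s`, `-d`, `-i`) is easy to get wrong, and a wrong choice only surfaces at restore time as "Couldn't load match". The following Python script is an added example, not code from the question or the answer: it re-implements that decision over the answer's iptables-xml output and adds a pre-flight check for unknown `-m` modules. The `MATCH_EXTENSIONS` list is a shortened stand-in for the answer's ipt-ext.xml, the sample XML is constructed from the answer's output (including the stray chain-name text iptables-xml 1.4.12 printed before the first condition), and negated options are not handled.

```python
"""Convert iptables-xml output back to iptables-restore syntax and sanity-check it.

Added example (not from the original answer). Reproduces in Python the rule the
rewritten XSLT applies: a child of <conditions> becomes "-m NAME ..." only if NAME
is a known match extension; anything else is a builtin option ("-p tcp", "-s ...").
"""
import re
import xml.etree.ElementTree as ET

# Shortened stand-in for ipt-ext.xml (assumption: enough for the sample below).
MATCH_EXTENSIONS = frozenset({
    "addrtype", "comment", "connbytes", "connlimit", "connmark", "conntrack",
    "icmp", "iprange", "limit", "mac", "mark", "multiport", "owner", "recent",
    "state", "string", "tcp", "udp",
})

# Constructed sample: the answer's iptables-xml output trimmed to one rule per table.
# The bare "PREROUTING"/"INPUT" text before the first condition is reproduced on
# purpose; it is text content of <conditions> and is ignored by the converter.
SAMPLE_XML = """<iptables-rules version="1.0">
  <table name="nat" >
    <chain name="PREROUTING" policy="ACCEPT" packet-count="3" byte-count="96" >
      <rule >
       <conditions>
PREROUTING          <s >192.168.69.9/32</s>
          <i >eth1</i>
          <p >tcp</p>
        <tcp >
          <dport >80</dport>
          <tcp-flags >FIN,SYN,RST,ACK SYN</tcp-flags>
        </tcp>
       </conditions>
       <actions><ACCEPT  /></actions>
      </rule>
    </chain>
    <chain name="POSTROUTING" policy="ACCEPT" packet-count="8" byte-count="541" />
  </table>
  <table name="filter" >
    <chain name="INPUT" policy="ACCEPT" packet-count="127" byte-count="27749" >
      <rule >
       <conditions>
INPUT          <d >10.0.0.1/32</d>
        <connbytes >
          <connbytes >1:4</connbytes>
          <connbytes-mode >bytes</connbytes-mode>
          <connbytes-dir >both</connbytes-dir>
        </connbytes>
       </conditions>
       <actions><ACCEPT  /></actions>
      </rule>
    </chain>
  </table>
</iptables-rules>
"""


def _options(elem):
    """Render the children of a match/target element as "--name value" tokens."""
    parts = []
    for opt in elem:
        parts.append("--" + opt.tag)
        if opt.text and opt.text.strip():
            parts.append(opt.text.strip())
    return parts


def render_condition(cond):
    """<p>tcp</p> -> "-p tcp"; <tcp><dport>80</dport></tcp> -> "-m tcp --dport 80"."""
    if cond.tag in MATCH_EXTENSIONS:
        return " ".join(["-m", cond.tag] + _options(cond))
    value = (cond.text or "").strip()
    return f"-{cond.tag} {value}" if value else f"-{cond.tag}"


def render_rule(chain_name, rule):
    """Render one <rule> as an "-A CHAIN ... -j TARGET" line."""
    parts = ["-A", chain_name]
    conditions = rule.find("conditions")
    if conditions is not None:
        parts += [render_condition(c) for c in conditions]  # child elements only
    actions = rule.find("actions")
    if actions is not None:
        for target in actions:
            parts += ["-j", target.tag] + _options(target)
    return " ".join(parts)


def render_restore(xml_text):
    """Return iptables-restore lines: *table, :CHAIN POLICY [pkts:bytes], rules, COMMIT."""
    root = ET.fromstring(xml_text)
    lines = []
    for table in root.findall("table"):
        lines.append("*" + table.get("name"))
        chains = table.findall("chain")
        for chain in chains:  # declare every chain before any rule, as iptables-save does
            lines.append(":{} {} [{}:{}]".format(chain.get("name"), chain.get("policy", "-"),
                                                chain.get("packet-count", "0"),
                                                chain.get("byte-count", "0")))
        for chain in chains:
            lines += [render_rule(chain.get("name"), r) for r in chain.findall("rule")]
        lines.append("COMMIT")
    return lines


_MATCH_RE = re.compile(r"(?:^|\s)-m\s+(\S+)")


def unknown_matches(lines):
    """Names used with -m that are not known match extensions (e.g. the buggy "-m ptcp")."""
    return [m for line in lines for m in _MATCH_RE.findall(line) if m not in MATCH_EXTENSIONS]


if __name__ == "__main__":
    out = render_restore(SAMPLE_XML)
    print("\n".join(out))
    print("unknown -m modules in buggy line:",
          unknown_matches(["-A INPUT -m ptcp -m tcp --dport 22 -j ACCEPT"]))
```

Whatever produces the restore text (this script or the XSLT), run `unknown_matches` style checks and `iptables-restore --test` on the generated file before piping it into a live `iptables-restore`; a rejected line aborts the load, and reviewing the diff against `iptables-save` output first is cheaper than debugging a firewall that was not reloaded.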