1 <?xml version=
"1.0" encoding=
"ISO-8859-1"?>
2 <!-- Converts from simple xml iptables format to iptables-save format
3 Copyright 2006 UfoMechanic
4 Author: azez@ufomechanic.net
5 This code is distributed and licensed under the terms of GNU GPL v2
7 This sample usage outputs roughly want goes in
8 iptables-save | iptables-xml -c | xsltproc iptables.xslt -
10 <xsl:transform version=
"1.0" xmlns:
xsl=
"http://www.w3.org/1999/XSL/Transform">
11 <xsl:output method =
"text" />
12 <xsl:strip-space elements=
"*" />
14 <!-- output conditions of a rule but not an action -->
15 <xsl:template match=
"iptables-rules/table/chain/rule/conditions/*">
16 <!-- <match> is the pseudo module when a match module doesn't need to be loaded
17 and when -m does not need to be inserted -->
18 <xsl:if test=
"name() != 'match'">
19 <xsl:text> -m
</xsl:text><xsl:value-of select=
"name()"/>
21 <xsl:apply-templates select=
"node()"/>
24 <!-- delete the actions or conditions containers, and process child nodes -->
25 <xsl:template match=
"iptables-rules/table/chain/rule/actions|table/chain/rule/conditions">
26 <xsl:apply-templates select=
"*"/>
29 <xsl:template match=
"iptables-rules/table/chain/rule/actions/goto">
30 <xsl:text> -g
</xsl:text>
31 <xsl:apply-templates select=
"*"/>
32 <xsl:text>
</xsl:text>
34 <xsl:template match=
"iptables-rules/table/chain/rule/actions/call">
35 <xsl:text> -j
</xsl:text>
36 <xsl:apply-templates select=
"*"/>
37 <xsl:text>
</xsl:text>
39 <!-- all other actions are module actions -->
40 <xsl:template match=
"iptables-rules/table/chain/rule/actions/*">
41 <xsl:text> -j
</xsl:text><xsl:value-of select=
"name()"/>
42 <xsl:apply-templates select=
"*"/>
43 <xsl:text>
</xsl:text>
46 <!-- all child action nodes -->
47 <xsl:template match=
"iptables-rules/table/chain/rule/actions//*|iptables-rules/table/chain/rule/conditions//*" priority=
"0">
48 <xsl:if test=
"@invert=1"><xsl:text> !
</xsl:text></xsl:if>
49 <xsl:text> -
</xsl:text>
50 <!-- if length of name is 1 character, then only do 1 - not 2 -->
51 <xsl:if test=
"string-length(name())>1">
52 <xsl:text>-
</xsl:text>
54 <xsl:value-of select=
"name()"/>
55 <xsl:text> </xsl:text>
56 <xsl:apply-templates select=
"node()"/>
59 <xsl:template match=
"iptables-rules/table/chain/rule/actions/call/*|iptables-rules/table/chain/rule/actions/goto/*">
60 <xsl:value-of select=
"name()"/>
61 <!-- I bet there are no child nodes, should we risk it? -->
62 <xsl:apply-templates select=
"node()"/>
65 <!-- output the head of the rule, and any conditions -->
66 <xsl:template name=
"rule-head">
67 <xsl:if test=
"string-length(@packet-count)+string-length(@byte-count)">
68 <xsl:call-template name=
"counters"><xsl:with-param name=
"node" select=
"."/></xsl:call-template>
69 <xsl:text> </xsl:text>
71 <xsl:text>-A
</xsl:text><!-- a rule must be under a chain -->
72 <xsl:value-of select=
"../@name" />
73 <xsl:apply-templates select=
"conditions"/>
76 <!-- Output a single rule, perhaps as multiple rules if we have more than one action -->
77 <xsl:template match=
"iptables-rules/table/chain/rule">
79 <xsl:when test=
"count(actions/*)>0">
80 <xsl:for-each select=
"actions/*">
81 <!-- and a for-each to re-select the rule as the current node, to write the rule-head -->
82 <xsl:for-each select=
"../..">
83 <xsl:call-template name=
"rule-head"/>
85 <!-- now write the this action -->
86 <xsl:apply-templates select=
"."/>
90 <!-- no need to loop if there are no actions, just output conditions -->
91 <xsl:call-template name=
"rule-head"/>
92 <xsl:text>
</xsl:text>
97 <xsl:template match=
"iptables-rules/table">
98 <xsl:text># Generated by iptables.xslt

</xsl:text>
99 <xsl:text>*
</xsl:text><xsl:value-of select=
"@name"/><xsl:text>
</xsl:text>
100 <!-- Loop through each chain and output the chain header -->
101 <xsl:for-each select=
"chain">
102 <xsl:text>:
</xsl:text>
103 <xsl:value-of select=
"@name"/>
104 <xsl:text> </xsl:text>
106 <xsl:when test=
"not(string-length(@policy))"><xsl:text>-
</xsl:text></xsl:when>
107 <xsl:otherwise><xsl:value-of select=
"@policy"/></xsl:otherwise>
109 <xsl:text> </xsl:text>
110 <xsl:call-template name=
"counters"><xsl:with-param name=
"node" select=
"."/></xsl:call-template>
111 <xsl:text>
</xsl:text>
113 <!-- Loop through each chain and output the rules -->
114 <xsl:apply-templates select=
"node()"/>
115 <xsl:text>COMMIT

# Completed

</xsl:text>
118 <xsl:template name=
"counters">
119 <xsl:param name=
"node"/>
120 <xsl:text>[
</xsl:text>
121 <xsl:if test=
"string-length($node/@packet-count)"><xsl:value-of select=
"$node/@packet-count"/></xsl:if>
122 <xsl:if test=
"string-length($node/@packet-count)=0">0</xsl:if>
123 <xsl:text>:
</xsl:text>
124 <xsl:if test=
"string-length($node/@byte-count)"><xsl:value-of select=
"$node/@byte-count"/></xsl:if>
125 <xsl:if test=
"string-length($node/@byte-count)=0">0</xsl:if>
126 <xsl:text>]
</xsl:text>
129 <!-- the bit that automatically recurses for us, NOTE: we use * not node(), we don't want to copy every white space text -->
130 <xsl:template match=
"@*|node()">
132 <!-- with libxslt xsltproc we can't do @*|node() or the nodes may get processed before the attributes -->
133 <xsl:apply-templates select=
"@*"/>
134 <xsl:apply-templates select=
"node()"/>