mrash / iptables-parse Goto Github PK

It would be great if the parsed data could be transformed back into a
string in iptables output format so it can be used again with iptables.

Add support for firewalld.

Update the IPTables::Parse module to handle ip6tables policies that handle IPv6 traffic.

Stuart Schneider reported a bug where IPTables::Parse does not handle chain names with dash "-" characters, and he showed that iptables supports many additional chars as well:

iptables -N ' ~!@#$%^&*()+=[]{}|\testing '

iptables -nvL
[...]
Chain ~!@#$%^&*()+=[]{}|\testing (0 references)
pkts bytes target prot opt in out source destination
[...]

Previously, the output of ip6tables and iptables differed, e.g.,

>$ sudo /usr/sbin/iptables -w -t filter -n -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        0        ::/0                 ::/0                 LOG flags 2 level 4 prefix "[IPTABLES] "

>$ sudo /usr/sbin/iptables -w -t filter -n -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 2 level 4 prefix "[IPTABLES] "

However, in Debian 12 (bookworm), ip6tables now prints the --, just like iptables does.

This causes checks like psad --fw-analyze to fail with the standard

You may just need to add a default logging rule to the 'filter' 'INPUT' chain on xenon. For more information, see the file "README" in the psad sources directory or visit:

http://www.cipherdyne.org/psad/docs/fwconfig.html

I'm not sure how widespread this change is, whether it's in other distros, or when it happened (I'm having some trouble navigating through debian's package tracker; this is all new to me), but if it's a sensible change, it would be good for this library to support it, I think.

This issue was reported via CPAN:

https://rt.cpan.org/Public/Bug/Display.html?id=76672

Fabien Mazieres submitted a significant patch to IPTables::Parse which needs to be evaluated and applied.