a new utility

a new utility

[Elf King]

Hello all:

I've developed and released a utility called iptables-xml which is 
derived from iptables-save code,
and I would like to contribute it to the iptables user-land toolset.  It 
was made to make the creation
of a slick interface to iptables easier, but the way it generates the 
rule information can have
many other uses like performing relational analysis of rules, gathering 
stats etc...

Those who are interested can read about it as well as download it from
http://www.googgun.com/iptables-xml/

Cheers,

Ahmed Masud.

Re: iptables-xml userland tool and feedback

[Elf King]

Hello Harald and all netfilter devers:

Harald, not sure if you got a chance to see my post about an 
iptables-xml utility. If not have a glance at 
http://www.googgun.com/iptables-xml/.

Would there be interest in bundling it into the iptables userland tools?

When you deliberate on whether or not to include a "new feature" like 
this into iptables do remember that while it is a _new_ feature, it 
isn't modifying any code of any existing tools or libraries, nor does 
the tool require any external libraries or components other than those 
required by iptables itself, it is quite standalone and production grade 
and won't interfere with any of the mainline pieces.

Everyone, I am also hoping for some feedback on the proposed XML so i 
can finalize a formal DTD/xsd, as well as create an XSLT template that 
does the reverse a la iptables-restore, so do drop me a note to let me 
know what you think (both positives and negatives because the comparison 
helps).

Cheers,

Ahmed.

Re: iptables-xml userland tool and feedback

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 2282 bytes --]

On Thu, Jan 22, 2004 at 03:11:48PM -0500, Elf King wrote:
> Hello Harald and all netfilter devers:
> 
> Harald, not sure if you got a chance to see my post about an 
> iptables-xml utility. If not have a glance at 
> http://www.googgun.com/iptables-xml/.

yes, I read your email. unfortunately you didn't include a patch in
your email, which I could have read inline without first having to get
internet connectivity (I'm almost always travelling, currently
LinuxWorldExpo NYC) again, downloading/untarring/... something.

> Would there be interest in bundling it into the iptables userland tools?

I'm now reviewing your patch (after deleting lots of bogus CVS/* hunks).

> When you deliberate on whether or not to include a "new feature" like 
> this into iptables do remember that while it is a _new_ feature, it 
> isn't modifying any code of any existing tools or libraries, nor does 
> the tool require any external libraries or components other than those 
> required by iptables itself, it is quite standalone and production grade 
> and won't interfere with any of the mainline pieces.

To be frank:
I don't think it is of much use to create yet another new format for
saving iptables rules.  This might be of interest for the future
pkttables, however.

Also, given the fact that it doesn't change any existing code, it is
quite easy for you to continue distributing it as a patch... patch hunks
shouldn't break as long as you just add new files.  Please contact
Collin (collin@gnumonks.org), who is currently re-building the links
section of www.netfilter.org.  He would certainly like to include a link
to your iptables-xml project.
 
I would love to invite you at a later point in the pkttables development
to contribute something like pkttables-xml to the project.  However, at
the moment it is too early for starting with that work.

> Cheers,
> Ahmed.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: iptables-xml userland tool and feedback

[Amin Azez]

Elf King wrote:
> Hello Harald and all netfilter devers:
> 
> Harald, not sure if you got a chance to see my post about an 
> iptables-xml utility. If not have a glance at 
> http://www.googgun.com/iptables-xml/.

Ahmed, are you still about?
I see that iptables-xml has recently vanished from googgun.com

I've just produced some bash scripts that convert iptables-save to xml 
format (bash! indeed! see some of the tricks it uses!) and am doing xslt 
to convert back to iptables-save format.

The reason for this is that it is easy to transform and merge rulesets 
with xslt than perl and friends, thanks to xpath etc.

I'm anxious (as Harald hints) not to introduce yet-another-format, hence 
the full round-tripping support for the format.

Naturally the XML schema is so close to the iptables argument format (a 
very simple transform) that a native incorporation (should it ever be 
worthwhile) is trivial.

Sam