module Lokkit =
  autoload xfm

(* Module: Lokkit
   Parse the config file for lokkit from system-config-firewall

   Every non-comment line of that file is one lokkit command-line option
   (for example "--enabled", "--port=22:tcp" or
   "--custom-rules=ipv4:filter:<filename>"), and each directive below maps
   one such option onto a subtree. The "autoload xfm" line makes Augeas
   apply the [xfm] transform defined at the bottom of this file without an
   explicit "transform" call.
*)
7
(* Generic building blocks borrowed from Util *)
let comment = Util.comment   (* "#"-prefixed line, stored as a "#comment" node *)
let empty = Util.empty       (* blank line *)
let eol = Util.eol           (* end of line, including trailing blanks *)
let spc = Util.del_ws_spc    (* mandatory whitespace; not referenced by the lenses below *)
let dels = Util.del_str      (* consume a literal string, drop it from the tree *)
13
(* Separator between an option name and its value. It accepts any run of
   spaces, tabs and "=" characters, so "--port=22:tcp" and "-p 22:tcp"
   both parse; a single "=" is written out when a node is created. *)
let eq = del /[ \t=]+/ "="
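(* A bare option value: a letter or digit followed by letters, digits,
   "-" or "_". It is shared by service names, interfaces, protocols and
   the module names given to --addmodule/--removemodule; "_" is allowed
   because iptables helper modules (e.g. nf_conntrack_ftp) are spelled
   with it. No ":", "=" or whitespace is accepted, so a value can never
   swallow the separator that follows it. *)
let token = store /[a-zA-Z0-9][a-zA-Z0-9_-]*/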
16
(* [long_opt n] parses a long-form option with a value, "--<name>=<value>",
   into { "<name>" = "<value>" }. [n] is a regexp so one lens can serve
   several option names; whichever name matched becomes the node label. *)
let long_opt (n:regexp) =
  let prefix = del "--" "--" in
  let value = eq . token in
  [ prefix . key n . value . eol ]
19
(* [flag n] parses a valueless long option "--<name>" into a node
   { "<name>" } with no value; [n] is a regexp of the accepted names. *)
let flag (n:regexp) =
  let prefix = del "--" "--" in
  [ prefix . key n . eol ]
22
(* [option l s] consumes either the long form "--<l>" or the short form
   "-<s>" of an option, then the [eq] separator. The node is always
   labelled with the long name [l], whichever form was in the file, and
   the long form is written back when the node is created. *)
let option (l:string) (s:string) =
  del ("--" . l | "-" . s) ("--" . l) . label l . eq
25
(* [opt l s] is an option with a single [token] value, accepted in long
   ("--<l>=<value>") or short ("-<s> <value>") form and stored as
   { "<l>" = "<value>" }. *)
let opt (l:string) (s:string) =
  let value = token . eol in
  [ option l s . value ]
28
(* trust directive
   -t <interface>, --trust=<interface>
   Stored as { "trust" = "<interface>" }. The value must match
   Rx.device_name, so anything that is not an interface name is rejected
   at parse time rather than passed through to the firewall config.
*)
let trust =
  let iface = store Rx.device_name in
  [ option "trust" "t" . iface . eol ]
34
(* port directive
   -p <port>[-<port>]:<protocol>, --port=<port>[-<port>]:<protocol>
   Tree shape:
     { "port" { "start" = "22" } [ { "end" = "25" } ] { "protocol" = "tcp" } }
   [portnum] only checks for a run of digits; the 0-65535 range is not
   enforced here, so an out-of-range value round-trips unchanged.
*)
let port =
  let portnum = store /[0-9]+/ in
  let first = [ label "start" . portnum ] in
  let last = (del "-" "-" . [ label "end" . portnum ])? in
  let proto = del ":" ":" . [ label "protocol" . token ] in
  [ option "port" "p" . first . last . proto . eol ]
44
(* custom_rules directive
   --custom-rules=[<type>:][<table>:]<filename>
   Tree shape:
     { "custom-rules" = "<filename>" [ { "type" = "ipv4" } ] [ { "table" = "filter" } ] }
   The filename is the value of the directive node itself; type and table
   are optional children and must appear in that order.
*)
let custom_rules =
  let colon = del ":" ":" in
  let rule_type = [ label "type" . store /ipv4|ipv6/ . colon ] in
  let rule_table = [ label "table" . store /mangle|nat|filter/ . colon ] in
  (* The first character may not be ":" or "=", so an absent type/table
     cannot be mistaken for the start of the path. Beyond that any
     non-":" text round-trips verbatim; whether the path is sane is left
     to lokkit, this lens does not validate it. *)
  let filename = store /[^ \t\n:=][^ \t\n:]*/ in
  [ del "--custom-rules" "--custom-rules" . label "custom-rules" . eq .
      rule_type? . rule_table? . filename . eol ]
56
(* forward_port directive
   --forward-port=if=<interface>:port=<port>:proto=<protocol>[:toport=<destination port>][:toaddr=<destination address>]
   Tree shape:
     { "forward-port" { "if" = ... } { "port" = ... } { "proto" = ... }
                      [ { "toport" = ... } ] [ { "toaddr" = ... } ] }
   Fields are positional and must appear in exactly this order. "port"
   and "toport" reuse [token], so they are not restricted to digits.
   "toaddr" only accepts digits and dots: there is no IPv4 shape check
   (Rx.ipv4 would be stricter) and IPv6 addresses are not accepted.
*)
let forward_port =
  let colon = del ":" ":" in
  (* one "name=value" field of the directive *)
  let elem (n:string) (v:lens) = [ key n . eq . v ] in
  let mandatory =
    elem "if" token . colon . elem "port" token . colon . elem "proto" token in
  let optional =
    (colon . elem "toport" token)? .
    (colon . elem "toaddr" (store /[0-9.]+/))? in
  [ del "--forward-port" "--forward-port" . label "forward-port" . eq .
      mandatory . optional . eol ]
71
(* One directive per line. Every alternative is its own bracketed subtree
   with a distinct label, which keeps the union unambiguous. The options
   handled by [long_opt] and [flag] have no short form, unlike the
   [opt]/[option] based ones. A line matching none of these alternatives
   (an unknown or misspelled option) is not skipped: since [lns] has no
   catch-all, it makes the whole file fail to load. *)
let entry =
  long_opt /selinux|selinuxtype|addmodule|removemodule|block-icmp/
 |flag /enabled|disabled/
 |opt "service" "s"
 |port
 |trust
 |opt "masq" "m"
 |custom_rules
 |forward_port
81
(* The whole file: any interleaving of comment lines, blank lines and
   directives. There is no fallback alternative, so a single unrecognised
   line causes the file to fail to parse (Augeas reports this in its
   metadata tree) rather than being silently dropped on the next save. *)
let lns = (comment|empty|entry)*
83
(* Bind [lns] to the one literal path system-config-firewall writes; the
   path is not a glob, so backup or temporary copies are never matched
   and no excl pattern is needed. *)
let xfm = transform lns (incl "/etc/sysconfig/system-config-firewall")
85