#1 IPv6 iptables import fails

open
None
3
2008-12-29
2008-08-15
Leif Sawyer
No

Trying to import an existing ip6tables ruleset fails.

Looks like the parser (iptables.g) doesn't contain a rule for IPv6 addresses.

I looked around the net and found a couple of ANTLR examples that might work, but I've never used it, so when I tried to add it to the existing source and recompile, it didn't work.

(well, more specifically, antlr has been running for about 15 hours, trying to build IPTCfgLexer.txt, which makes me think that I'm an absolute n00b at hax0ring the syntax.)

Here's the syntax as crib'd off the 'net. Perhaps somebody with more experience can figure out where I went wrong...

<---------------->8 cut here 8<------------------>

protected
NUM_3DIGIT: ('0'..'9') (('0'..'9') ('0'..'9')?)?;

protected
NUM_HEX_4DIGIT: HEXDIGIT ((HEXDIGIT) ((HEXDIGIT) (HEXDIGIT)?)?)?;

NUMBER
options {
testLiterals = true;
}
{boolean isDecimal=false; Token t=null; }

// IPv4 RULE
: (NUM_3DIGIT '.' NUM_3DIGIT '.')=>
(
NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT
{ $setType(IPV4); }
)

//
// MAC ADDRESS RULE - exactly 6 COLON/DASH separated ints
//
| (NUM_HEX_4DIGIT (':'|'-') NUM_HEX_4DIGIT (':'|'-')
NUM_HEX_4DIGIT (':'|'-') NUM_HEX_4DIGIT (':'|'-')
NUM_HEX_4DIGIT (':'|'-') NUM_HEX_4DIGIT ~(':'))=>
(
NUM_HEX_4DIGIT (':'|'-') NUM_HEX_4DIGIT (':'|'-')
NUM_HEX_4DIGIT (':'|'-') NUM_HEX_4DIGIT (':'|'-')
NUM_HEX_4DIGIT (':'|'-') NUM_HEX_4DIGIT
) { $setType(MAC_ADDRESS); }

// IPv6 RULE
| (NUM_HEX_4DIGIT ':')=>
(

((NUM_HEX_4DIGIT ':')+ ':')=>
(
(NUM_HEX_4DIGIT ':')+ ':'
(NUM_HEX_4DIGIT (':' NUM_HEX_4DIGIT)*)?
) { $setType(IPV6); }

| NUM_HEX_4DIGIT (':' NUM_HEX_4DIGIT)+
{ $setType(IPV6); }

) { $setType(IPV6); }

| (':' ':' NUM_HEX_4DIGIT)=>
':' ':' NUM_HEX_4DIGIT (':' NUM_HEX_4DIGIT)*
{ $setType(IPV6); }

| ':' ':'
{ $setType(IPV6); }

| ':'
{ $setType(COLON); }

// Number beginning with a 0 rule
| ( '0' {isDecimal = true;} // special case for just '0'
( ('x'|'X')
( // hex
// the 'e'|'E' and float suffix stuff look
// like hex digits, hence the (...)+ doesn't
// know when to stop: ambig. ANTLR resolves
// it correctly by matching immediately. It
// is therefore ok to hush warning.
options {
warnWhenFollowAmbig=false;
}
: HEXDIGIT
)+

| ('0'..'7')+ // octal
)?
)?
;

<---------------->8 cut here 8<------------------>

Discussion

  • Leif Sawyer

    Leif Sawyer - 2008-08-18

    Logged In: YES
    user_id=53718
    Originator: YES

    After some further clean-up, I get to this point:

    <---------------->8 cut here 8<------------------>
    protected
    HEXDIGIT : '0'..'9' | 'A'..'F' | 'a'..'f';

    protected
    NUM_3DIGIT: ('0'..'9') (('0'..'9') ('0'..'9')?)?;

    protected
    NUM_HEX_4DIGIT: HEXDIGIT ((HEXDIGIT) ((HEXDIGIT) (HEXDIGIT)?)?)?;

    NUMBER
    options {
    testLiterals = true;
    }
    :
    (
    // IPv4 RULE
    (NUM_3DIGIT '.' NUM_3DIGIT '.')=> ( NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT )
    { _ttype = IPV4; }

    // IPv6 RULE
    // This first rule causes --long-- parsing times, as in antlr ran over the weekend with no visible progress.
    |
    (NUM_HEX_4DIGIT ':')=>
    ( ((NUM_HEX_4DIGIT ':')+ ':')=>
    ( (NUM_HEX_4DIGIT ':')+ ':'
    (NUM_HEX_4DIGIT (':' NUM_HEX_4DIGIT)* )?
    )
    { _ttype = IPV6; }
    |
    NUM_HEX_4DIGIT (':' NUM_HEX_4DIGIT)+
    { _ttype = IPV6; }
    )
    { _ttype = IPV6; }

    // Everything below here works fine...
    //
    |
    (':' ':' NUM_HEX_4DIGIT)=> ':' ':' NUM_HEX_4DIGIT (':' NUM_HEX_4DIGIT)*
    { _ttype = IPV6; }

    |
    ':' ':'
    { _ttype = IPV6; }

    // END of NUMBERS
    )
    ;

    <---------------->8 cut here 8<------------------>

     
  • Vadim Kurland

    Vadim Kurland - 2008-08-19
    • assigned_to: nobody --> vkurland
     
  • Vadim Kurland

    Vadim Kurland - 2008-08-19

    Logged In: YES
    user_id=6825
    Originator: NO

    Thank you for this report and the antlr grammars. It looks like I am going to have to release 3.0 with the importer still not working for ipv6 configurations, but I'll get back to this problem soon after the release.

     
  • Vadim Kurland

    Vadim Kurland - 2008-12-07

    I tried to incorporate this grammar into my iptables.g grammar file, but antlr seems to take forever to process it to generate the parser (more than 2 hours). Maybe it falls into an infinite loop or something; this seems like a bug in antlr. Commenting out the sections for MAC_ADDRESS and IPV6 makes it work, but that defeats the purpose. I'll work on this some more in the future; I am posting this just to let you know that this is still a work in progress.

    I am using antlr 2.7.7

     
  • Vadim Kurland

    Vadim Kurland - 2008-12-08

    I am sorry, I did not notice your follow-up comment when I posted my last comment. I ended up at about the same stage: no matter how I try to simplify the IPv6 rule, antlr takes forever to parse it and I never get the result. Will be looking into this some more in the future.

     
  • Vadim Kurland

    Vadim Kurland - 2008-12-29
    • priority: 5 --> 3
     
  • Anonymous - 2009-06-23

    Hello,
    Just to inform you, I just tested the import of ip6tables with the 3.0.5 release and it still doesn't work.
    Any news on this item?
    Thanks!

     
  • Vadim Kurland

    Vadim Kurland - 2009-06-23

    This bug is still open because it was not resolved and ipv6 import does not work. I cannot get the ANTLR parser to work for ipv6 addresses.

     

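The thread ends with IPv6 tokens still unrecognized by the lexer. As an added illustration (not the project's code and not from any poster), this hand-written Python classifier labels whole whitespace-separated words with the grammar's token names `IPV4`, `IPV6` and `MAC_ADDRESS` by counting groups, so a port range such as `80:443` is never mistaken for an address. The function names, the two-digit MAC restriction and the sample lines are assumptions made for the example.

```python
import re

HEX_GROUP = r"[0-9A-Fa-f]{1,4}"   # same shape as NUM_HEX_4DIGIT in the posted grammar

def is_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(
        re.fullmatch(r"[0-9]{1,3}", p) and int(p) <= 255 for p in parts)

def is_mac(text):
    # Assumption: six two-digit hex groups with a single separator style,
    # which is stricter than the MAC rule posted in the report.
    return any(re.fullmatch(r"[0-9A-Fa-f]{2}(%s[0-9A-Fa-f]{2}){5}" % sep, text)
               for sep in (":", "-"))

def is_ipv6(text):
    # Embedded dotted-quad forms (::ffff:192.0.2.1) are out of scope here.
    if text.count("::") > 1:
        return False
    if "::" in text:
        head, tail = text.split("::")
        groups = (head.split(":") if head else []) + (tail.split(":") if tail else [])
        count_ok = len(groups) <= 7   # "::" replaces at least one zero group
    else:
        groups = text.split(":")
        count_ok = len(groups) == 8   # the uncompressed form needs all 8 groups
    return count_ok and all(re.fullmatch(HEX_GROUP, g) for g in groups)

def classify(token):
    """Return 'IPV4', 'IPV6', 'MAC_ADDRESS' or None for one word of a rule."""
    addr, slash, prefix = token.partition("/")
    if is_ipv4(addr):
        kind, max_prefix = "IPV4", 32
    elif is_ipv6(addr):
        kind, max_prefix = "IPV6", 128
    elif is_mac(addr) and not slash:
        return "MAC_ADDRESS"
    else:
        return None
    if slash and (not re.fullmatch(r"[0-9]{1,3}", prefix) or int(prefix) > max_prefix):
        return None
    return kind

# Constructed ip6tables-save style lines, not taken from the report.
SAMPLE = [
    "-A INPUT -s 2001:db8::/32 -p tcp -m tcp --dport 80:443 -j ACCEPT",
    "-A INPUT -s fe80::1 -m mac --mac-source 00:11:22:AA:BB:CC -j ACCEPT",
]

def address_tokens(line):
    pairs = ((word, classify(word)) for word in line.split())
    return [(word, kind) for word, kind in pairs if kind]
```
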