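# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for iptables configuration dumps.
#
# Each rule in the dump is introduced by a "# <rule number> ..." comment line,
# optionally followed by wrapped continuation lines that do not start with "#".
# The parsing filter below reassembles one rule at a time in v.line and emits
# it as a single collected entry when the next "#" line arrives.
iptables_config = {

  plugin_version = "1.2"

  info.1.manufacturer = "Netfilter"
  info.1.device = "IPtables Configuration"
  info.1.version.1 = "1.4.9.1"

  # 2006-30-03 - 1.0beta - new version
  # 2006-03-31 - 1.1beta - added support for no asterisks on one line type
  # 2007-09-11 - 1.1 - KBB - renumbered per new beta policy and changed file name
  #   from beta_iptables_config.cfg
  # 2010-10-01 - 1.2 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "IPTables Config Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular
  # expression. This is a loose match (any line mentioning "iptables"); a file
  # that is misdetected produces no entries, because the parsing filter below
  # silently discards every line that does not fit the "# <number> ..." layout.
  log.format.autodetect_regular_expression = "iptables"

  # An entry (one database row) is called an event
  statistics.miscellaneous.entry_name = "events"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # treat lines starting "#" as lines, not as headers to read field names from
  log.format.ignore_format_lines = "true"

  # Log fields. The names here are the ones the parsing filter must write with
  # set_collected_field(); a value written under any other name is lost.
  log.fields = {
    rule_number = ""
    rule = ""
    type = ""
    proto = ""
    inbound_interface = ""
    outbound_interface = ""
    src_ip = ""
    src_port = ""
    dst_ip = ""
    dst_port = ""
    action = ""
    # debug = ""
  } # log.fields

  # Declare parsing filter variable v.line: the rule currently being assembled
  log.filter_initialization = `
    v.line = '';
  `

  # Log Parsing Filters
  log.parsing_filters.parse = `
    # debug line to check to see if we are catching all the rules
    # if (matches_regular_expression(current_log_line(), '^()# ([0-9]+)')) then set_collected_field($1, 'debug', $2);

    # A "#" line either starts the first pending rule (v.line still empty) or
    # ends the pending rule, which is parsed now and replaced by this line.
    # NOTE(review): the pending rule is only flushed by the *next* "#" line, so a
    # dump whose last rule is not followed by another "#" line loses that rule;
    # confirm whether a finalization hook should flush v.line.
    if (matches_regular_expression(current_log_line(), '^#.*')) then (
      if (v.line eq '') then (v.line = current_log_line());
      else (
        # "# <number> <asterisks/dashes> <rule text> <option value ...>" lines.
        # $1 is an empty capture, so every rule shares the one collected-entry key;
        # $2 is the rule number, $3 the rule text, $4 the option/value tail.
        if (matches_regular_expression(v.line, '^()# ([0-9]+) [ *-]*([^/]*)[^ ]+ (.*)$')) then (
          v.key = $1;
          v.rule = $2;
          # rule_number is sorted as a string (see create_profile_wizard_options),
          # so left-pad it with zeros to three digits to get a numeric order
          while (length(v.rule) < 3) v.rule = '0' . v.rule;
          set_collected_field(v.key, 'rule_number', v.rule);
          set_collected_field(v.key, 'rule', replace_all($3, '*', ''));
          v.name_value_pairs = $4;
          # once we have pulled out the current line for parsing (or collecting)
          # the current log line becomes the next pending rule
          v.line = current_log_line();
          # walk the "<option> <value>" pairs; option names are mapped onto the
          # declared log fields, anything unmapped keeps its raw option name
          while (v.name_value_pairs ne '') (
            if (matches_regular_expression(v.name_value_pairs, '^([-A-Za-z]+) (.*)$')) then (
              v.name = $1;
              v.value_and_remainder = $2;
              if (v.name eq '-A') then v.name = 'type';
              else if (v.name eq '-p') then v.name = 'proto';
              else if (v.name eq '-i') then v.name = 'inbound_interface';
              else if (v.name eq '-o') then v.name = 'outbound_interface';
              else if (v.name eq '-s') then v.name = 'src_ip';
              # the declared fields are src_port/dst_port (singular); the old
              # 'src_ports'/'dst_ports' names matched no field and dropped the ports
              else if (v.name eq '--sport') then v.name = 'src_port';
              else if (v.name eq '-d') then v.name = 'dst_ip';
              else if (v.name eq '--dport') then v.name = 'dst_port';
              else if (v.name eq '-j') then v.name = 'action';
              # the value is the next token; the rest (if any) is the remainder
              if (matches_regular_expression(v.value_and_remainder, '^([^ ]+) (.*)$')) then (
                v.value = $1;
                v.name_value_pairs = $2;
              );
              else (
                v.value = v.value_and_remainder;
                v.name_value_pairs = '';
              );
              set_collected_field(v.key, v.name, v.value);
            )
            # a tail that is not "<option> <value>" ends the scan
            else v.name_value_pairs = '';
          ); # while (v.name_value_pairs ne '')
          accept_collected_entry(v.key, false);
        ); # if rule type ****
        # "# <number> XXX <NAME> (LOG)" rules carry no option/value pairs
        else if (matches_regular_expression(v.line, '^()# ([0-9]+) XXX +([A-Z ]+ +\\(LOG\\)) \\**')) then (
          v.key = $1;
          v.rule = $2;
          # pad the same way as the **** branch so both rule types sort together
          while (length(v.rule) < 3) v.rule = '0' . v.rule;
          set_collected_field(v.key, 'rule_number', v.rule);
          set_collected_field(v.key, 'rule', $3);
          v.line = current_log_line();
          accept_collected_entry(v.key, false);
        ); # if rule type XXX
        # if we have a line of data we can't read, it is not config data, so drop
        # it from v.line so it cannot be glued onto the next rule
        else v.line = '';
      );
    );
    # if this does not start #, it is a wrapped continuation of the pending rule
    else if (matches_regular_expression(current_log_line(), '^[^#].*')) then (
      v.line .= current_log_line();
    );
  `

  # Database fields (must mirror log.fields)
  database.fields = {
    rule_number = ""
    rule = ""
    type = ""
    proto = ""
    inbound_interface = ""
    outbound_interface = ""
    src_ip = ""
    src_port = ""
    dst_ip = ""
    dst_port = ""
    action = ""
    # debug = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    # every accepted rule counts as one event
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      # string sort on rule_number; relies on the zero padding done in the parser
      rule_number.report_elements.rule_number.sort_by = "rule_number"
    } # report_groups
  } # create_profile_wizard_options

} # iptables_config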