From 3c6196b8140b17e243aa68029495575927c17be6 Mon Sep 17 00:00:00 2001
From: Yaser Amiri
Date: Wed, 24 Jan 2018 21:51:23 +0330
Subject: [PATCH] Cast ports and some other field to integer. Remove MAC.
---
iptables.patterns | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/iptables.patterns b/iptables.patterns
index 0f67259..f8f48e0 100644
--- a/iptables.patterns
+++ b/iptables.patterns
@@ -1,28 +1,29 @@
 UNSIGNED_INT [0-9]+
-IPTABLES_ETHERNET IN=%{WORD:in_device} OUT=%{WORD:out_device}? MAC=(?:[^\s]+)
+IPTABLES_ETHERNET IN=%{WORD:in_device}? OUT=%{WORD:out_device}?
-IPTABLES_PORT_PAIR SPT=%{UNSIGNED_INT:src_port} DPT=%{UNSIGNED_INT:dst_port}
+IPTABLES_PORT_PAIR SPT=%{UNSIGNED_INT:src_port:int} DPT=%{UNSIGNED_INT:dst_port:int}
 IPTABLES_TCP_FLAGS ((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*
-IPTABLES_TCP_SEQ SEQ=%{UNSIGNED_INT:seq_seq} ACK=%{UNSIGNED_INT:seq_ack}
-IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:window} RES=0x%{BASE16NUM:res} %{IPTABLES_TCP_FLAGS:tcp_flags}
+IPTABLES_TCP_SEQ SEQ=%{UNSIGNED_INT:seq_seq:int} ACK=%{UNSIGNED_INT:seq_ack:int}
+IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:window:int} RES=0x%{BASE16NUM:res} %{IPTABLES_TCP_FLAGS:tcp_flags}
 IPTABLES_INCOMPLETE_PACKET INCOMPLETE \[%{UNSIGNED_INT:incomplete} bytes\]
-IPTABLES_UDP_DETAILS LEN=%{UNSIGNED_INT:udp_len}
+IPTABLES_UDP_DETAILS LEN=%{UNSIGNED_INT:udp_len:int}
-IPTABLES_ICMP_EXTRA_ECHO ID=%{UNSIGNED_INT:icmp_id} SEQ=%{UNSIGNED_INT:icmp_seq}
+IPTABLES_ICMP_EXTRA_ECHO ID=%{UNSIGNED_INT:icmp_id:int} SEQ=%{UNSIGNED_INT:icmp_seq:int}
 IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{UNSIGNED_INT:icmp_parameter}
 IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:icmp_redirect}
 IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
-IPTABLES_ICMP_DETAILS TYPE=%{UNSIGNED_INT:icmp_type} CODE=%{UNSIGNED_INT:icmp_code}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})
+IPTABLES_ICMP_DETAILS TYPE=%{UNSIGNED_INT:icmp_type:int} CODE=%{UNSIGNED_INT:icmp_code:int}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})
 IPTABLES_PROTOCOL PROTO=(?[a-zA-Z0-9]+)
 IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?
 IPTABLES_IP_FRAGFLAG ((?<= )(CE|DF|MF))*
-IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{UNSIGNED_INT:length} TOS=0x%{BASE16NUM:tos} PREC=0x%{BASE16NUM:prec} TTL=%{UNSIGNED_INT:ttl} ID=%{UNSIGNED_INT:id}(?: %{IPTABLES_IP_FRAGFLAG:fragment_flags})?(?: FRAG: %{UNSIGNED_INT:fragment})?
+IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{UNSIGNED_INT:length:int} TOS=0x%{BASE16NUM:tos} PREC=0x%{BASE16NUM:prec} TTL=%{UNSIGNED_INT:ttl:int} ID=%{UNSIGNED_INT:id}(?: %{IPTABLES_IP_FRAGFLAG:fragment_flags})?(?: FRAG: %{UNSIGNED_INT:fragment})?
 IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}
-IPTABLES %{IPTABLES_ETHERNET} %{IPTABLES_IP}
+IPTABLES %{IPTABLES_ETHERNET}(.*)?%{IPTABLES_IP}
+
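Review bot: The new `IPTABLES` line swaps the removed `MAC=(?:[^\s]+)` term for `(.*)?`, an unanchored greedy wildcard in an unnamed capturing group; the trailing `?` is redundant because `.*` already matches the empty string, and because the group is greedy the engine first consumes everything to end of line and then backtracks, so if a record ever carries the `SRC=` token more than once the values landing in `src_ip`/`dst_ip` are chosen by backtracking rather than by the log layout. A bounded, non-capturing form keeps the commit's intent of not extracting the MAC while restoring the old structure: `IPTABLES %{IPTABLES_ETHERNET}(?: MAC=\S+)? %{IPTABLES_IP}`; if the wildcard was meant to tolerate other optional fields between the interfaces and `SRC=`, a lazy `(?:.*?)` is still preferable to `(.*)?` so the first `SRC=` wins. The new `IPTABLES_IP_START` line also casts `length` and `ttl` but leaves `ID=%{UNSIGNED_INT:id}` and `FRAG: %{UNSIGNED_INT:fragment}` as strings, and the untouched context lines keep `icmp_parameter` and `incomplete` uncast, which sits oddly with the commit title and is worth aligning in the same change. Separately, the context line `IPTABLES_PROTOCOL PROTO=(?[a-zA-Z0-9]+)` reads like a named group whose `<name>` was stripped in rendering rather than in the file — presumably fine, but worth confirming against the committed bytes.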