Chain¶

class Chain(chain_name: str, policy: Optional[str] = None, reference_count=0, packet_count=0, byte_count=0)[source]¶

This class is used to represent an iptables chain. A chain contains a list of rules which can be referenced by number (rule numbers start with 1).

Parameters:

chain_name – real chain name
policy – the chain policy if this is a builtin chain, None otherwise
reference_count – number of rules referencing this chain
packet_count – number of packets that flowed through this chain
byte_count – number of bytes that flowed through this chain

append_rule(rule: ChainRule) → None[source]¶: Append the new rule at the end of the chain

clear_pft() → None[source]¶: Reset the IptablesPacketFilterTable where this Chain belongs.

classmethod create_from_existing(line_list: List[str], pft: IptablesPacketFilterTable, log_parsing_failures=True) → Chain[source]¶

Parse a set of lines from the output of iptables -xnv into a Chain object.

It returns a Chain object.

It raises an IptablesParsingError if there is a parsing error.

Parameters:

line_list – list of iptables(8) output lines
pft – an IptablesPacketFilterTable object
log_parsing_failures – if True, log any parsing failures

delete_rule(rule: ChainRule) → None[source]¶: Delete the specified rule: the rule must belong to this chain.

delete_rule_by_pred(pred: Callable[[ChainRule], bool]) → int[source]¶

Delete all rules for which pred returns True.

Returns the number of deleted rules

Parameters:: pred – a Callable object

delete_rule_by_target_chain(chain: Chain) → int[source]¶

Delete all rules that jump/goto the specified chain.

Returns the number of deleted rules

Parameters:: chain – a Chain object

delete_rule_if(*, match=None, target=None) → int[source]¶

Delete all rules with the specified match and/or target. If no match or target is present, this is a no-op.

Returns the number of deleted rules.

Parameters:

match – optional Match object; use a MatchNone object to delete a rule that has no matches
target – optional Target object; use a TargetNone object to delete a rule that has no target

delete_rulenum(rulenum: int) → None[source]¶

Delete the rule with the specified rule number

Raises an IptablesError if the number is invalid

Parameters:: rulenum – rule number (numbering starts from 1)

find_rule_by(*, match=None, target=None) → List[ChainRule][source]¶

Return a list of ChainRule objects where the rule contains the specified match object or has the specified target (target comparison is by name), or both. If no match or target is present, an empty list is returned.

Parameters:

match – optional Match object; use a MatchNone object to find a rule that has no matches
target – optional Target object; use a TargetNone object to find a rule that has no target

find_rule_by_target_lcn(logical_chain_name: str) → List[ChainRule][source]¶

Return a list of rules with the specified target

Parameters:: logical_chain_name – identifies the chain targetted by the rule

flush() → None[source]¶: Delete all rules from this chain

get_byte_count() → int[source]¶: Returns the byte count of the chain

get_logical_name() → str[source]¶: Returns the logical chain name

get_packet_count() → int[source]¶: Returns the packet count of the chain

get_pft()[source]¶: Returns the IptablesPacketFilterTable where this chain belongs

get_policy() → Optional[str][source]¶: Returns the policy of the (builtin) chain, or None if this is not a builtin chain.

get_policy_byte_count() → int[source]¶: Returns the number of bytes that were handled as per the chain policy; returns 0 for non-builtin chains

get_policy_packet_count() → int[source]¶: Returns the number of packets that were handled as per the chain policy; returns 0 for non-builtin chains

get_real_name() → str[source]¶: Returns the real chain name

get_reference_count() → int[source]¶: Returns the reference count of a (non-builtin) chain; returns 0 for builtin chains

get_rules() → List[ChainRule][source]¶

Returns the chain rules.

The return value is a copy to avoid inadvertent modifications of the internal rule list (since the internal rule list should reflect the system’s state).

get_unparsed_rule_count() → int[source]¶: Returns the number of unparsed rules

has_unparsed_rules() → bool[source]¶: Returns True if the chain contains unparsed rules

insert_rule(rule: ChainRule, rulenum=0) → None[source]¶

Insert the new rule at the beginning of the chain (by default) or as rule number rulenum.

Parameters:: rulenum – rule number (starting with 1)

is_builtin() → bool[source]¶: Returns True if this is a built-in chain (e.g. INPUT)

set_pft(pft) → None[source]¶

Set the IptablesPacketFilterTable where this Chain belongs.

Parameters:: pft – an IptablesPacketFilterTable object

Chain¶

linuxnet-iptables

Navigation

Related Topics