Chain¶
- class Chain(chain_name: str, policy: Optional[str] = None, reference_count=0, packet_count=0, byte_count=0)[source]¶
This class is used to represent an iptables chain. A chain contains a list of rules which can be referenced by number (rule numbers start with 1).
- Parameters:
chain_name – real chain name
policy – the chain policy if this is a builtin chain, None otherwise
reference_count – number of rules referencing this chain
packet_count – number of packets that flowed through this chain
byte_count – number of bytes that flowed through this chain
- clear_pft() → None[source]¶
Reset the IptablesPacketFilterTable where this Chain belongs.
- classmethod create_from_existing(line_list: List[str], pft: IptablesPacketFilterTable, log_parsing_failures=True) → Chain[source]¶
Parse the lines describing one chain in the output of iptables -xnv (exact counters, numeric addresses and ports, verbose columns) into a Chain object.
Returns a Chain object. Raises an IptablesParsingError if there is a parsing error.
- Parameters:
line_list – list of iptables(8) output lines
pft – an IptablesPacketFilterTable object
log_parsing_failures – if True, log any parsing failures
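To make concrete what create_from_existing() has to cope with, here is an added stand-alone parser for the per-chain lines of iptables -xnv -L output; it is an illustration written for this page, not the library's own code. ParsedChain, ParsedRule and ParsingError are hypothetical stand-ins for Chain, ChainRule and IptablesParsingError, and the sample listing is constructed rather than captured. It handles the two header forms (builtin chain with policy counters versus user-defined chain with a reference count), keeps rule numbering 1-based, and treats a rule with a blank target column (the page's TargetNone case) correctly, which a naive whitespace split would not.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical stand-ins for the library's ChainRule / Chain / IptablesParsingError.

@dataclass
class ParsedRule:
    packet_count: int
    byte_count: int
    target: Optional[str]   # None when the rule has no target (the TargetNone case)
    prot: str               # protocol name or number, "!" prefix when negated
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    match: str              # trailing match text, "" for a rule with no match (MatchNone)

@dataclass
class ParsedChain:
    name: str
    policy: Optional[str] = None      # builtin chains only
    policy_packets: int = 0
    policy_bytes: int = 0
    reference_count: int = 0          # user-defined chains only
    rules: List[ParsedRule] = field(default_factory=list)

    def rule(self, rulenum: int) -> ParsedRule:
        # Rule numbers start at 1, as in iptables(8).
        if not 1 <= rulenum <= len(self.rules):
            raise ValueError(f"invalid rule number {rulenum}")
        return self.rules[rulenum - 1]

class ParsingError(ValueError):
    pass

# Chain header lines as iptables -xnv prints them (exact counters, no K/M suffixes).
_BUILTIN_HDR = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)$")
_USER_HDR = re.compile(r"^Chain (\S+) \((\d+) references?\)$")
# A rule line starts with the pkts and bytes counters; the target column begins
# right after the single space that follows the byte count.
_COUNTERS = re.compile(r"^\s*(\d+)\s+(\d+) (.*)$")

def parse_rule(line: str) -> ParsedRule:
    m = _COUNTERS.match(line)
    if not m:
        raise ParsingError(f"bad rule line: {line!r}")
    pkts, nbytes, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    # iptables left-justifies the target in a 9-wide field, so a rule with no
    # target shows up as blanks in that position; do not just split on whitespace.
    if rest.startswith(" "):
        target: Optional[str] = None
    else:
        target, _, rest = rest.partition(" ")
    fields = rest.split(None, 6)
    if len(fields) < 6:
        raise ParsingError(f"too few columns: {line!r}")
    prot, opt, in_if, out_if, src, dst = fields[:6]
    match = fields[6].strip() if len(fields) == 7 else ""
    return ParsedRule(pkts, nbytes, target, prot, opt, in_if, out_if, src, dst, match)

def parse_chain(lines: List[str]) -> ParsedChain:
    """Parse the lines of one chain: chain header, column header, then the rules."""
    if not lines:
        raise ParsingError("no lines to parse")
    m = _BUILTIN_HDR.match(lines[0])
    if m:
        chain = ParsedChain(m.group(1), policy=m.group(2),
                            policy_packets=int(m.group(3)), policy_bytes=int(m.group(4)))
    else:
        m = _USER_HDR.match(lines[0])
        if not m:
            raise ParsingError(f"unrecognized chain header: {lines[0]!r}")
        chain = ParsedChain(m.group(1), reference_count=int(m.group(2)))
    if len(lines) < 2 or "target" not in lines[1].split():
        raise ParsingError("missing column header line")
    for line in lines[2:]:
        if line.strip():
            chain.rules.append(parse_rule(line))
    return chain

def parse_failure(lines: List[str]) -> Optional[str]:
    """Return the parsing error message, or None if the lines parse cleanly."""
    try:
        parse_chain(lines)
    except ParsingError as exc:
        return str(exc)
    return None

# Constructed sample (not captured from a real host) in the iptables -xnv -L layout;
# the third INPUT rule deliberately has no target.
SAMPLE_INPUT = [
    "Chain INPUT (policy DROP 42 packets, 3360 bytes)",
    "    pkts      bytes target     prot opt in     out     source               destination         ",
    "  120045 98765432 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           ",
    "    5120   409600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22",
    "      17     1088            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23",
    "       3      180 LOG        all  --  *      *       10.0.0.0/8           0.0.0.0/0            LOG flags 0 level 4",
]
SAMPLE_USER_CHAIN = [
    "Chain ssh_guard (2 references)",
    "    pkts      bytes target     prot opt in     out     source               destination         ",
    "       0        0 DROP       all  --  *      *       192.0.2.0/24         0.0.0.0/0           ",
]
```

The blank-target detection relies on how iptables lays out the line (counters as width-8 fields, then the target left-justified in a width-9 field), which holds for -x output even when a counter overflows its column; the protocol column is kept as text because recent iptables releases print a protocol number rather than a name when -n is given.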
- delete_rule(rule: ChainRule) → None[source]¶
Delete the specified rule; the rule must belong to this chain.
- delete_rule_by_pred(pred: Callable[[ChainRule], bool]) → int[source]¶
Delete all rules for which pred returns True. Returns the number of deleted rules.
- Parameters:
pred – a Callable that takes a ChainRule and returns a bool
- delete_rule_by_target_chain(chain: Chain) → int[source]¶
Delete all rules that jump/goto the specified chain. Returns the number of deleted rules.
- Parameters:
chain – a Chain object
- delete_rule_if(*, match=None, target=None) → int[source]¶
Delete all rules with the specified match and/or target. If neither match nor target is present, this is a no-op. Returns the number of deleted rules.
- Parameters:
match – optional Match object; use a MatchNone object to delete a rule that has no matches
target – optional Target object; use a TargetNone object to delete a rule that has no target
- delete_rulenum(rulenum: int) → None[source]¶
Delete the rule with the specified rule number. Raises an IptablesError if the number is invalid.
- Parameters:
rulenum – rule number (numbering starts from 1)
- find_rule_by(*, match=None, target=None) → List[ChainRule][source]¶
Return a list of ChainRule objects where the rule contains the specified match object or has the specified target (target comparison is by name), or both. If neither match nor target is present, an empty list is returned.
- Parameters:
match – optional Match object; use a MatchNone object to find a rule that has no matches
target – optional Target object; use a TargetNone object to find a rule that has no target
- find_rule_by_target_lcn(logical_chain_name: str) → List[ChainRule][source]¶
Return a list of rules whose target is the chain with the specified logical chain name.
- Parameters:
logical_chain_name – identifies the chain targeted by the rule
- get_pft()[source]¶
Returns the IptablesPacketFilterTable where this chain belongs
- get_policy() → Optional[str][source]¶
Returns the policy of the (builtin) chain, or None if this is not a builtin chain.
- get_policy_byte_count() → int[source]¶
Returns the number of bytes that were handled by the chain policy, i.e. in packets that reached the end of the chain without matching a terminating rule; returns 0 for non-builtin chains
- get_policy_packet_count() → int[source]¶
Returns the number of packets that were handled by the chain policy, i.e. that reached the end of the chain without matching a terminating rule; returns 0 for non-builtin chains
- get_reference_count() → int[source]¶
Returns the reference count of a (non-builtin) chain, i.e. the number of rules that jump/goto it; returns 0 for builtin chains
- get_rules() → List[ChainRule][source]¶
Returns the chain rules.
The return value is a copy to avoid inadvertent modifications of the internal rule list (since the internal rule list should reflect the system’s state).
- insert_rule(rule: ChainRule, rulenum=0) → None[source]¶
Insert the new rule at the beginning of the chain (by default) or as rule number rulenum.
- Parameters:
rule – the ChainRule to insert
rulenum – rule number (starting with 1); the default 0 inserts at the beginning of the chain
- set_pft(pft) → None[source]¶
Set the IptablesPacketFilterTable where this Chain belongs.
- Parameters:
pft – an IptablesPacketFilterTable object
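The rule-editing methods documented above (insert_rule, delete_rulenum, delete_rule_by_pred, delete_rule_by_target_chain, delete_rule_if and find_rule_by) share two conventions that are easy to get wrong: rule numbers are 1-based, with insert_rule's default of 0 meaning the head of the chain, and the MatchNone/TargetNone objects mean "the rule has no match / no target", which is different from passing None, meaning "no criterion supplied" (an empty result or a no-op). The following is an added model of that behaviour written for this page, not the library's own code: Chain, Rule, Match, MATCH_NONE, TARGET_NONE and IptablesError are hypothetical stand-ins, and the reading that a rule must satisfy both criteria when match and target are given together is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Hypothetical stand-ins for the library's Chain / ChainRule / Match / MatchNone / TargetNone.

class IptablesError(Exception):
    pass

class _Sentinel:
    # Marker meaning "the rule has no match / no target"; distinct from None ("no criterion").
    def __init__(self, name: str) -> None:
        self.name = name

MATCH_NONE = _Sentinel("MatchNone")
TARGET_NONE = _Sentinel("TargetNone")

@dataclass(frozen=True)
class Match:
    name: str          # e.g. "tcp", "conntrack"
    args: str = ""     # e.g. "--dport 22"

@dataclass
class Rule:
    matches: List[Match]
    target: Optional[str]   # target name ("ACCEPT", a user chain, ...); None for no target

class Chain:
    def __init__(self, name: str, policy: Optional[str] = None) -> None:
        self.name = name
        self.policy = policy
        self._rules: List[Rule] = []

    def get_rules(self) -> List[Rule]:
        return list(self._rules)   # a copy, so callers cannot desync the internal list

    def is_valid_rulenum(self, rulenum: int) -> bool:
        return 1 <= rulenum <= len(self._rules)

    def insert_rule(self, rule: Rule, rulenum: int = 0) -> None:
        # rulenum 0 (default) or 1 inserts at the head; len+1 appends, as iptables -I does.
        if rulenum == 0:
            rulenum = 1
        if not 1 <= rulenum <= len(self._rules) + 1:
            raise IptablesError(f"invalid rule number {rulenum}")
        self._rules.insert(rulenum - 1, rule)

    def delete_rulenum(self, rulenum: int) -> None:
        if not self.is_valid_rulenum(rulenum):
            raise IptablesError(f"invalid rule number {rulenum}")
        del self._rules[rulenum - 1]

    def delete_rule_by_pred(self, pred: Callable[[Rule], bool]) -> int:
        kept = [r for r in self._rules if not pred(r)]
        deleted = len(self._rules) - len(kept)
        self._rules = kept
        return deleted

    def delete_rule_by_target_chain(self, chain: "Chain") -> int:
        return self.delete_rule_by_pred(lambda r: r.target == chain.name)

    @staticmethod
    def _satisfies(rule: Rule, match, target) -> bool:
        # Every criterion that was supplied must hold (assumption: AND when both given).
        if match is MATCH_NONE:
            match_ok = not rule.matches
        else:
            match_ok = match is None or match in rule.matches
        if target is TARGET_NONE:
            target_ok = rule.target is None
        else:
            target_ok = target is None or rule.target == target
        return match_ok and target_ok

    def find_rule_by(self, *, match=None, target=None) -> List[Rule]:
        if match is None and target is None:
            return []          # no criterion supplied: nothing is returned
        return [r for r in self._rules if self._satisfies(r, match, target)]

    def delete_rule_if(self, *, match=None, target=None) -> int:
        if match is None and target is None:
            return 0           # no criterion supplied: no-op
        return self.delete_rule_by_pred(lambda r: self._satisfies(r, match, target))

def demo() -> Chain:
    """Build a small INPUT chain (constructed data) showing 1-based insertion."""
    inp = Chain("INPUT", policy="DROP")
    inp.insert_rule(Rule([Match("tcp", "--dport 22")], "ssh_guard"))   # rule 1
    inp.insert_rule(Rule([], "ACCEPT"), rulenum=2)                      # appended as rule 2
    inp.insert_rule(Rule([Match("tcp", "--dport 23")], None))           # new rule 1 (head)
    return inp
```

After demo() the chain reads: rule 1 matches tcp dport 23 with no target, rule 2 jumps to ssh_guard, rule 3 has no match and accepts. find_rule_by(match=MATCH_NONE) returns only rule 3, find_rule_by(target=TARGET_NONE) only rule 1, and find_rule_by() with no arguments returns nothing at all, which is the distinction the MatchNone/TargetNone objects exist to make.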