ChainRule

class ChainRule(*, match: Optional[Match] = None, match_list: Optional[List[Match]] = None, target: Optional[Target] = None, uses_goto: Optional[bool] = False)

This class represents a rule in an iptables(8) chain. A ChainRule has a (possibly empty) list of Match objects and an optional Target object.

Multiple Match objects of the same type can be included in a rule. Since multiple Match objects imply a logical-AND, including objects of the same type may be useful when using negation. However, there can be at most one PacketMatch object included.

Parameters:

• match – optional Match object; if present, it is added to the rule’s list of Match objects

• match_list – optional list of Match objects; if present, it is appended to the rule’s list of Match objects

• target – a Target object

• uses_goto – if True, rule processing continues at the specified target (which must be a ChainTarget) short-circuiting any rules following this one in the chain

parsing_failed() → bool

Returns True if the rule has not been parsed successfully

get_iptables_line() → Optional[str]

Returns the iptables line if this rule was created from the output of iptables(8), otherwise it returns None.

get_packet_count() → int

Returns the packet count of the rule

get_byte_count() → int

Returns the byte count of the rule

get_chain() → Chain

Returns the Chain where this rule belongs (returns None if this rule is not in any chain)

get_rulenum() → int

Returns the rule number

get_target() → Optional[Target]

Returns the rule target (a Target object) or None

uses_goto() → bool

Returns True if this rule ‘goes’ to its (chain) target instead of ‘jumping’ to it.

set_target(target: Target) → None

Set the rule target

get_match_list() → List[Match]

Returns the match list of this rule.

has_match(match: Match, is_only_match=True) → bool

Returns True if the match list of this rule consists only of the specified match (when is_only_match is True) or if the match list contains the specified match (when is_only_match is False).

An object of MatchNone can be used to test for an empty match list.

has_target(target: Target) → bool

Returns True if the rule has the specified target. An object of TargetNone can be used to test for lack of target.

targets_chain(chain: Chain) → bool

Returns True if the target of this rule is the specified chain

Parameters:

chain – a Chain object

get_target_chain() → Optional[Chain]

Returns the Chain object that is the target of this rule, or None if this rule does not target a chain.

matches_all_packets() → bool

Returns True iff this rule matches all packets

to_iptables_args() → List[str]

Returns a list suitable to be used as an argument to the iptables(8) command

Raises an IptablesError if this is an unparsed rule

jump_to(*, target: Optional[Target] = None, chain: Optional[Chain] = None) → ChainRule

Add a jump to the specified target. The target is identified either via the target argument or via the chain argument.

Raises an IptablesError if:

• both target and chain arguments are not None

• the rule is already part of a Chain

Parameters:

• target – optional Target object

• chain – optional Chain object

Return type:

this ChainRule object

go_to(*, chain: Chain) → ChainRule

Add a goto to the specified chain.

Raises an IptablesError if the rule is already part of a Chain

Parameters:

chain – a Chain object

Return type:

this ChainRule object

classmethod create_from_existing(iptables_output_line: str, pft: IptablesPacketFilterTable) → ChainRule

Create a ChainRule from a line of iptables -xnv output

Parameters:

• iptables_output_line – line of iptables -xnv output

• pft – an IptablesPacketFilterTable object