linuxnet.iptables API

The linuxnet.iptables API provides the following classes:

  • IptablesPacketFilterTable : an object of this class contains Chain objects representing the chains of the corresponding table

  • Chain : an object of this class contains ChainRule objects representing the rules of the corresponding chain; the subclass BuiltinChain provides additional methods to access the policy-related attributes of a builtin chain

  • ChainRule : objects of this class contain a list of Match objects and a Target object

  • Match subclasses to match against specific attributes of a packet

  • Target subclasses to provide access to the various iptables(8) targets

An IptablesPacketFilterTable instance can be populated by reading the current system configuration. The IptablesPacketFilterTable.read_system_config() method invokes the iptables command and parses its output. The Chain objects it returns via its accessor methods are stable: for a given chain name, the same Chain object will always be returned. This holds true until the next time the IptablesPacketFilterTable is populated by reading the system configuration.

An IptablesPacketFilterTable instance is either IPv4-specific or IPv6-specific. When dealing with an IptablesPacketFilterTable instance, any IP addresses obtained and/or specified (e.g. source/destination packet addresses used in filtering) will be IPv4 addresses or IPv6 addresses depending on how the instance was initialized.

A Chain object keeps track of the IptablesPacketFilterTable that it belongs to. This association is reset when the IptablesPacketFilterTable is repopulated.

A ChainRule object provides methods to construct iptables(8) rules. The ChainRule can then be inserted into a Chain. ChainRule objects that are part of a Chain are immutable. They are also stable: the same objects will be returned by the Chain accessor methods.

ChainRule objects that are part of a Chain keep track of their rule number. This number is updated as rules are inserted into or deleted from the Chain.

The packet and byte count statistics that are part of every Chain and ChainRule object are current as of the time of reading the system configuration.

Target objects can be compared to each other. Comparison is by name; target arguments are not considered.
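The following is an added example, not code from linuxnet.iptables, that models what read_system_config() has to do as described above (invoke iptables, parse its output, hand back stable Chain and ChainRule objects) together with the rule-numbering and Target-comparison behaviour of the later paragraphs. The class names reuse the page's vocabulary, but their definitions, the parse_listing() function and the sample listing are all assumptions of this example; the listing format assumed is that of `iptables -L -n -v -x --line-numbers`, and the sample is constructed rather than captured from a real host.

```python
# Hypothetical model of the work behind read_system_config(); not the linuxnet.iptables code.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# Chain headers: builtin chains show a policy and its counters, user chains a reference count.
BUILTIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)$")
USER_RE = re.compile(r"^Chain (\S+) \((\d+) references\)$")


@dataclass(frozen=True, eq=False)
class Target:
    """Rule target; compared by name only, arguments are ignored."""
    name: str
    args: str = ""

    def __eq__(self, other):
        return isinstance(other, Target) and self.name == other.name

    def __hash__(self):
        return hash(self.name)


@dataclass(eq=False)  # identity comparison: rules are stable objects, not values
class ChainRule:
    target: Target
    protocol: str
    in_iface: str
    out_iface: str
    source: Network
    destination: Network
    match_text: str  # trailing match/target options as printed, e.g. "tcp dpt:22"
    packets: int
    bytes: int
    number: int = 0  # 1-based position, maintained by the owning Chain


@dataclass(eq=False)
class Chain:
    name: str
    policy: Optional[Target] = None  # None for user-defined chains
    policy_packets: int = 0
    policy_bytes: int = 0
    references: int = 0
    _rules: List[ChainRule] = field(default_factory=list)

    def get_rules(self) -> List[ChainRule]:
        return list(self._rules)

    def insert_rule(self, rule: ChainRule, rulenum: Optional[int] = None) -> None:
        """Append, or insert at 1-based rulenum as `iptables -I` does; renumber the rest."""
        self._rules.insert(len(self._rules) if rulenum is None else rulenum - 1, rule)
        self._renumber()

    def delete_rule(self, rulenum: int) -> None:
        del self._rules[rulenum - 1]
        self._renumber()

    def _renumber(self) -> None:
        for i, rule in enumerate(self._rules, start=1):
            rule.number = i


def parse_listing(text: str, ip_version: int = 4) -> Dict[str, Chain]:
    """Parse `iptables -L -n -v -x --line-numbers` output (ip_version=6 for ip6tables)."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("num "):  # blank separator or column header
            continue
        if m := BUILTIN_RE.match(line):
            current = Chain(m[1], Target(m[2]), int(m[3]), int(m[4]))
            chains[current.name] = current
        elif m := USER_RE.match(line):
            current = Chain(m[1], references=int(m[2]))
            chains[current.name] = current
        elif current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        else:  # columns: num pkts bytes target prot opt in out source destination [options]
            fields = line.split(None, 10)
            if len(fields) < 10:
                raise ValueError(f"unparseable rule line: {line!r}")
            src, dst = (ipaddress.ip_network(a, strict=False) for a in fields[8:10])
            if {src.version, dst.version} != {ip_version}:  # an IPv4 table must not hold IPv6
                raise ValueError(f"address family mismatch in rule: {line!r}")
            current.insert_rule(ChainRule(
                Target(fields[3]), fields[4], fields[6], fields[7], src, dst,
                fields[10] if len(fields) > 10 else "", int(fields[1]), int(fields[2])))
    return chains


# Constructed sample listing (not captured from a real host), in the format parsed above.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 17 packets, 1020 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1234      98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2          42       2520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3           3        180 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0

Chain SSH_GUARD (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           7        420 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
```

Two simplifications to keep in mind when reading this against the real reader: the whitespace split assumes every rule has a target (a rule with no `-j` prints an empty target column and shifts the fields) and that counters are printed exactly (`-x`), since `iptables -v` without `-x` abbreviates large counts as e.g. `400K`. Deleting rule 2 of INPUT in the sample leaves the former rule 3 as the same ChainRule object, now numbered 2, which is the stability property the page describes.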