Matches

The programmatic interface to packet matching is based on the concept of a Match object that provides methods returning Criterion objects which in turn allow for equality (and inequality) testing against a stored value.

The various iptables(8) matches are provided by match-specific subclasses of the Match class, as shown in the example below.

---

PacketMatch provides matching against packet attributes such as protocol, source address, etc.

m = PacketMatch()
m.protocol().equals('udp')

The protocol() method returns a ProtocolCriterion object which stores the value that we want to compare against (udp in this case).

A Match object may have multiple criteria; such criteria are specific to the Match subclass.

Continuing the example:

a = IPv4Network('1.2.3.4/32')
mcast = IPV4Network('224.0.0.0/4')
m.source_address().equals(a).dest_address().not_equals(mcast)

The source_address() method returns a SourceAddressCriterion object, while the dest_address() method returns a DestAddressCriterion object. The resulting Match object now matches UDP packets with a source address of 1.2.3.4 and a destination address that is not a multicast address.

---

The following Match subclasses are available:

• AddressTypeMatch
• CommentMatch
• ConnbytesMatch
• ConnmarkMatch
• ConntrackMatch
• IcmpMatch
• LengthMatch
• LimitMatch
• MacMatch
• MarkMatch
• MultiportMatch
• OwnerMatch
• PacketMatch
• PacketTypeMatch
• RecentMatch
• SetMatch
• StateMatch
• StatisticMatch
• TcpMatch
• TcpmssMatch
• TtlMatch
• UdpMatch