ConntrackMatch¶

Example:

>>> from linuxnet.iptables import ConntrackMatch
>>> m = ConntrackMatch()
>>> m.ctstate().equals('NEW')
<linuxnet.iptables.matches.conntrackmatch.ConntrackMatch object at 0x7ffab737e208>
>>> m.to_iptables_args()
['-m', 'conntrack', '--ctstate', 'NEW']

class ConntrackMatch[source]¶

Match against the connection tracking attributes.

static get_match_name() → str[source]¶: Returns the iptables(8) match extension name

get_criteria() → Iterable[Criterion][source]¶: Returns the conntrack match criteria: ctstate, ctstatus

ctstate() → CtStateCriterion[source]¶: Match against the connection tracking state

ctstatus() → CtStatusCriterion[source]¶: Matching against the connection tracking status

ctdir() → CtDirectionCriterion[source]¶: Matching against the connection tracking status

ctproto() → ProtocolCriterion[source]¶: Matching against the L4 protocol

ctorigsrc() → CtOrigSrcCriterion[source]¶: Matching against the origin’s source IP address

ctorigdst() → CtOrigDstCriterion[source]¶: Matching against the origin’s destination IP address

ctreplsrc() → CtReplSrcCriterion[source]¶: Matching against the reply’s source IP address

ctrepldst() → CtReplDstCriterion[source]¶: Matching against the reply’s destination IP address

ctorigsrcport() → CtOrigSrcPortCriterion[source]¶: Matching against the origin’s source port

ctorigdstport() → CtOrigDstPortCriterion[source]¶: Matching against the origin’s destination port

ctreplsrcport() → CtReplSrcPortCriterion[source]¶: Matching against the replin’s source port

ctrepldstport() → CtReplDstPortCriterion[source]¶: Matching against the replin’s destination port

ctexpire() → CtExpireCriterion[source]¶: Matching against the replin’s destination port

CtStateCriterion¶

class CtStateCriterion(match)[source]¶

Compare against the connection tracking state

The comparison value is a string.

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value) → Match¶: Compare with the specified value

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Any¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtStatusCriterion¶

class CtStatusCriterion(match)[source]¶

Compare against the connection tracking status

The comparison value is a string.

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value) → Match¶: Compare with the specified value

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Any¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtDirectionCriterion¶

class CtDirectionCriterion(match)[source]¶

Compare against the connection tracking direction

The comparison value is a string.

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value) → Match¶: Compare with the specified value

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Any¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs)¶: Indicates that negation is not supported by raising an IptablesError

CtOrigSrcCriterion¶

class CtOrigSrcCriterion(match: Match, *, ipv6: Optional[bool] = None)[source]¶

Compare against the origin’s source IP address.

The comparison value is an IPv4Network or an IPv6Network

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value: Union[IPv4Network, IPv6Network, IPv4Address, IPv6Address, str]) → Match¶: Compare with the specified value, which can be specified as an IPv4Network, an IPv6Network, an IPv4Address, an IPv6Address, or as a string. Internally the value is always stored as an IPv4Network, or an IPv6Network.

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Optional[Union[IPv4Network, IPv6Network]]¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtOrigDstCriterion¶

class CtOrigDstCriterion(match: Match, *, ipv6: Optional[bool] = None)[source]¶

Compare against the origin’s destination IP address.

The comparison value is an IPv4Network or an IPv6Network

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value: Union[IPv4Network, IPv6Network, IPv4Address, IPv6Address, str]) → Match¶: Compare with the specified value, which can be specified as an IPv4Network, an IPv6Network, an IPv4Address, an IPv6Address, or as a string. Internally the value is always stored as an IPv4Network, or an IPv6Network.

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Optional[Union[IPv4Network, IPv6Network]]¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtReplSrcCriterion¶

class CtReplSrcCriterion(match: Match, *, ipv6: Optional[bool] = None)[source]¶

Compare against the reply’s source IP address.

The comparison value is an IPv4Network or an IPv6Network

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value: Union[IPv4Network, IPv6Network, IPv4Address, IPv6Address, str]) → Match¶: Compare with the specified value, which can be specified as an IPv4Network, an IPv6Network, an IPv4Address, an IPv6Address, or as a string. Internally the value is always stored as an IPv4Network, or an IPv6Network.

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Optional[Union[IPv4Network, IPv6Network]]¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtReplDstCriterion¶

class CtReplDstCriterion(match: Match, *, ipv6: Optional[bool] = None)[source]¶

Compare against the reply’s destination IP address.

The comparison value is an IPv4Network or an IPv6Network

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value: Union[IPv4Network, IPv6Network, IPv4Address, IPv6Address, str]) → Match¶: Compare with the specified value, which can be specified as an IPv4Network, an IPv6Network, an IPv4Address, an IPv6Address, or as a string. Internally the value is always stored as an IPv4Network, or an IPv6Network.

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Optional[Union[IPv4Network, IPv6Network]]¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtOrigSrcPortCriterion¶

class CtOrigSrcPortCriterion(match: Match)[source]¶

Compare against the origin’s source port (or port range).

The comparison value is the tuple (port, last_port) where last_port may be None

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(first: int, last: Optional[int] = None) → Match¶: Compare with a number (or inclusion in number-range if last is present)

get_value() → Tuple[int, Optional[int]]¶

Returns the value that the criterion is comparing against

Return type:: a tuple of (int, int|None)

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtOrigDstPortCriterion¶

class CtOrigDstPortCriterion(match: Match)[source]¶

Compare against the origin’s destination port (or port range).

The comparison value is the tuple (port, last_port) where last_port may be None

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(first: int, last: Optional[int] = None) → Match¶: Compare with a number (or inclusion in number-range if last is present)

get_value() → Tuple[int, Optional[int]]¶

Returns the value that the criterion is comparing against

Return type:: a tuple of (int, int|None)

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtReplSrcPortCriterion¶

class CtReplSrcPortCriterion(match: Match)[source]¶

Compare against the reply’s source port (or port range).

The comparison value is the tuple (port, last_port) where last_port may be None

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(first: int, last: Optional[int] = None) → Match¶: Compare with a number (or inclusion in number-range if last is present)

get_value() → Tuple[int, Optional[int]]¶

Returns the value that the criterion is comparing against

Return type:: a tuple of (int, int|None)

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtReplDstPortCriterion¶

class CtReplDstPortCriterion(match: Match)[source]¶

Compare against the origin’s destination port (or port range).

The comparison value is the tuple (port, last_port) where last_port may be None

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(first: int, last: Optional[int] = None) → Match¶: Compare with a number (or inclusion in number-range if last is present)

get_value() → Tuple[int, Optional[int]]¶

Returns the value that the criterion is comparing against

Return type:: a tuple of (int, int|None)

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

CtExpireCriterion¶

class CtExpireCriterion(match: Match)[source]¶

Compare against the remaining lifetime of the connection tracking

The comparison value is the tuple (time, end_time) where end_time may be None (time is measured in seconds)

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(first: int, last: Optional[int] = None) → Match¶: Compare with a number (or inclusion in number-range if last is present)

get_value() → Tuple[int, Optional[int]]¶

Returns the value that the criterion is comparing against

Return type:: a tuple of (int, int|None)

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

ConntrackMatch¶

CtStateCriterion¶

CtStatusCriterion¶

CtDirectionCriterion¶

CtOrigSrcCriterion¶

CtOrigDstCriterion¶

CtReplSrcCriterion¶

CtReplDstCriterion¶

CtOrigSrcPortCriterion¶

CtOrigDstPortCriterion¶

CtReplSrcPortCriterion¶

CtReplDstPortCriterion¶

CtExpireCriterion¶

linuxnet-iptables

Navigation

Related Topics