PacketMatch¶

Example:

>>> m = PacketMatch()
>>> m.input_interface().equals('eth0')
<linuxnet.iptables.match.PacketMatch object at 0x7ff96e466e10>
>>> m.fragment().not_equals()
<linuxnet.iptables.match.PacketMatch object at 0x7ff96e466e10>
>>> m.source_address().equals(IPv4Network('192.168.1.0/24'))
<linuxnet.iptables.match.PacketMatch object at 0x7ff96e466e10>
>>> m.to_iptables_args()
['-i', 'eth0', '!', '-f', '-s', '192.168.1.0/24']

class PacketMatch(*, ipv6=False)[source]¶

This class provides matching against the following attributes of a packet:

input interface
output interface
protocol
source address
destination address
fragment bit (IPv4-only)

Parameters:: ipv6 – optional boolean to indicate IPv6 address matching when True; the default is IPv4

static get_match_name() → Optional[str][source]¶: Returns the iptables(8) match extension name. In the case of the standard packet match, there is no name.

get_criteria() → Iterable[Criterion][source]¶: Returns the packet match criteria: input-interface, output-interface, protocol, fragmented, source, destination.

protocol() → ProtocolCriterion[source]¶: Match against the protocol

input_interface() → InputInterfaceCriterion[source]¶: Match against the input interface

output_interface() → OutputInterfaceCriterion[source]¶: Match against the output interface

source_address() → SourceAddressCriterion[source]¶: Match against the source address

dest_address() → DestAddressCriterion[source]¶: Match against the destination address

fragment() → FragmentCriterion[source]¶: Match if packet has (or has not) the fragment bit set

InputInterfaceCriterion¶

class InputInterfaceCriterion(match: Match)[source]¶

Compare with the input interface.

The comparison value is an interface name (a string).

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value) → Match¶: Compare with the specified value

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Any¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

OutputInterfaceCriterion¶

class OutputInterfaceCriterion(match: Match)[source]¶

Compare with the output interface.

The comparison value is an interface name (a string).

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value) → Match¶: Compare with the specified value

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Any¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

ProtocolCriterion¶

class ProtocolCriterion(match: Match)[source]¶

Compare with the protocol.

The comparison value is a protocol name (a string); it may also be a number in string form if there is no mapping of that number to a protocol name in /etc/protocols.

get_value() → str[source]¶: Return protocol name

equals(proto) → Match[source]¶

Compare with the specified protocol.

Parameters:: proto – the parameter can a string or an integer; if it is an integer, it will be converted to the corresponding protocol name, if possible, otherwise it will be used as-is in string form (i.e. 199 will be converted to “199”)

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

SourceAddressCriterion¶

class SourceAddressCriterion(match: Match, *, ipv6: Optional[bool] = None)[source]¶

Compare with the source address.

The comparison value is an IPv4Network or an IPv6Network

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value: Union[IPv4Network, IPv6Network, IPv4Address, IPv6Address, str]) → Match¶: Compare with the specified value, which can be specified as an IPv4Network, an IPv6Network, an IPv4Address, an IPv6Address, or as a string. Internally the value is always stored as an IPv4Network, or an IPv6Network.

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Optional[Union[IPv4Network, IPv6Network]]¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

DestAddressCriterion¶

class DestAddressCriterion(match: Match, *, ipv6: bool)[source]¶

Compare with the destination address.

The comparison value is an IPv4Network or an IPv6Network

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value: Union[IPv4Network, IPv6Network, IPv4Address, IPv6Address, str]) → Match¶: Compare with the specified value, which can be specified as an IPv4Network, an IPv6Network, an IPv4Address, an IPv6Address, or as a string. Internally the value is always stored as an IPv4Network, or an IPv6Network.

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Optional[Union[IPv4Network, IPv6Network]]¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

FragmentCriterion¶

class FragmentCriterion(match: Match)[source]¶

Check if a packet is a fragment.

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

bit_not_set() → Match¶: Check if the bit is set

bit_set() → Match¶: Check if the bit is set

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals() → Match¶: Compare with the setting of the bit

get_value() → bool¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals() → Match¶: Express a test against the criterion being False

PacketMatch¶

InputInterfaceCriterion¶

OutputInterfaceCriterion¶

ProtocolCriterion¶

SourceAddressCriterion¶

DestAddressCriterion¶

FragmentCriterion¶

linuxnet-iptables

Navigation

Related Topics