RecentMatch

The RecentMatch class provides access to the recent match extension. It supports the following iptables(8) options: --name, --set, --rsource, --rdest, --rcheck, --update, --remove, --seconds, --hitcount, --rttl.

Example:

>>> from linuxnet.iptables import RecentMatch
>>> m = RecentMatch()
>>> m.name().equals('badip').action().equals(RecentMatch.UPDATE).seconds().equals(60)
<linuxnet.iptables.matches.recentmatch.RecentMatch object at 0x7f2aa82212b0>
>>> m.to_iptables_args()
['-m', 'recent', '--update', '--name', 'badip', '--seconds', '60', '--rsource']

class RecentMatch

Match against list of IP addresses.

SET = '--set'

SET action

UPDATE = '--update'

UPDATE action

CHECK = '--rcheck'

CHECK action

REMOVE = '--remove'

REMOVE action

SOURCE_ADDRESS = '--rsource'

select packet source address

DEST_ADDRESS = '--rdest'

select packet destination address

static get_match_name() -> str

Returns the iptables(8) match extension name

get_criteria() -> Iterable[Criterion]

Returns the recent match criteria.

name() -> GenericPositiveCriterion

Identify the list name

action() -> ActionCriterion

Identify the action

address_selection() -> AddressSelectionCriterion

Identify the address selection

seconds() -> GenericPositiveCriterion

Specify number of seconds

hitcount() -> GenericPositiveCriterion

Specify a hitcount

same_ttl() -> BooleanCriterion

Specify same-TTL comparison.

reap() -> BooleanCriterion

Specify old address reaping

mask() -> MaskCriterion

Specify a source mask
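
The following model is an added example, not part of linuxnet.iptables or of the original page: a simplified pure-Python simulation of how the SET, CHECK, UPDATE and REMOVE actions combine with seconds() and hitcount() when evaluated against one source-address list. `RecentList`, `block_window`, `rate_limit`, `MAX_STAMPS` and the sample address are assumptions made for illustration; negation, same_ttl(), reap() and mask() are not modeled.

```python
# Added example: simplified model of recent-list semantics, not library code.
MAX_STAMPS = 20  # assumption: cap on timestamps kept per address
SRC = "192.0.2.10"  # constructed sample address (documentation range)


class RecentList:
    """One named list keyed by packet source address (--rsource)."""

    def __init__(self, name):
        self.name = name
        self.stamps = {}  # address -> list of "seen" times, oldest first

    def _record(self, addr, now):
        seen = self.stamps.setdefault(addr, [])
        seen.append(now)
        del seen[:-MAX_STAMPS]  # keep only the newest MAX_STAMPS entries

    def set(self, addr, now):
        """--set: add or refresh the address; the match always succeeds."""
        self._record(addr, now)
        return True

    def check(self, addr, now, seconds=None, hitcount=None, update=False):
        """--rcheck, or --update when update=True (refresh only on a match)."""
        seen = self.stamps.get(addr, [])
        hits = [t for t in seen if seconds is None or now - t <= seconds]
        matched = len(hits) >= (hitcount or 1)
        if matched and update:
            self._record(addr, now)
        return matched

    def remove(self, addr):
        """--remove: match only if the address was present, then delete it."""
        return self.stamps.pop(addr, None) is not None


def block_window(update, packet_times, seconds=60):
    """Source is added with --set at t=0; each later packet hits a rule using
    --rcheck or --update with --name badip --seconds N. True means matched."""
    badip = RecentList("badip")
    badip.set(SRC, 0)
    return [badip.check(SRC, t, seconds, update=update) for t in packet_times]


def rate_limit(packet_times, seconds=60, hitcount=4):
    """Each packet hits a --set rule, then an --update --seconds --hitcount rule."""
    lst = RecentList("ratelimit")
    return [lst.set(SRC, t) and lst.check(SRC, t, seconds, hitcount, True)
            for t in packet_times]
```

With the entry created at t=0 and packets at 30, 80, 130 and 200 seconds, the CHECK rule matches only the first packet, while the UPDATE rule (as in the example at the top of this page) keeps matching until the source stays quiet for more than 60 seconds.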


RecentMatchAction

class RecentMatchAction(value)

Bases: Enum

Actions for the recent match. The value of each is the corresponding iptables option.

SET = '--set'

SET action

UPDATE = '--update'

UPDATE action

CHECK = '--rcheck'

CHECK action

REMOVE = '--remove'

REMOVE action

ActionCriterion

class ActionCriterion(match: Match)

Specify the action to take

get_value() -> RecentMatchAction

Returns the action

equals(action: RecentMatchAction, *, match_if_found=True) -> Match

Parameters:
  • action – identifies the action to take

  • match_if_found – if False, when the packet address is present in the identified list, the recent match will cause the rule to fail to match the packet

not_equals(*args, **kwargs)

This criterion does not support inequality testing. This method will raise an IptablesError.

any() -> Match

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) -> Match

Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

is_positive() -> bool

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() -> bool

Returns True if the criterion has been set


AddressSelection

class AddressSelection(value)

Bases: Enum

Identify whether we are comparing against the packet’s source or destination address

SOURCE_ADDRESS = '--rsource'

select packet source address

DEST_ADDRESS = '--rdest'

select packet destination address

AddressSelectionCriterion

class AddressSelectionCriterion(match: Match)

Compare against the packet’s source or destination address

get_value() -> AddressSelection

Returns the value of the criterion (identification of which packet address is selected)

equals(selection: AddressSelection) -> Match

Express equality comparison against the argument values.

Subclasses will implement this method to express comparisons against a specific value (or values). These values will be the arguments of the subclass method and will be stored in the subclass object.

Subclasses overriding this method should invoke the _set_polarity() method of this class to set the polarity to True.

Returns this Match object.

not_equals(*args, **kwargs)

This criterion does not support inequality comparison. This method raises an IptablesError.

any() -> Match

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) -> Match

Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

is_positive() -> bool

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() -> bool

Returns True if the criterion has been set