TcpMatch¶

The TcpMatch class provides access to the tcp match extension. It supports the following iptables(8) options: --sport, --dport, --tcp-flags, --sync, --tcp-options

Example:

Type "help", "copyright", "credits" or "license" for more information.
>>> from linuxnet.iptables import TcpMatch
>>> m = TcpMatch()
>>> m.dest_port().equals(22).syn().bit_set()
<linuxnet.iptables.matches.tcpmatch.TcpMatch object at 0x7fa49c330dc0>
>>> m.to_iptables_args()
['-m', 'tcp', '--syn', '--dport', '22']

class TcpMatch[source]¶

Match against the fields of the TCP header

static get_match_name() → str[source]¶: Returns the iptables(8) match extension name, in this case, tcp

get_criteria() → Iterable[Criterion][source]¶: Returns the TCP match criteria: flags, source-port, dest-port, tcp-option

syn() → TcpFlagsCriterion[source]¶: Criterion for matching against a SYN packet

tcp_flags() → TcpFlagsCriterion[source]¶: Compare with TCP flags

source_port() → SourcePortCriterion[source]¶: Matching against the source port

dest_port() → DestPortCriterion[source]¶: Match against the destination port

tcp_option() → TcpOptionCriterion[source]¶: Match against a TCP option

TcpFlagsCriterion¶

class TcpFlagsCriterion(match: Match, syn_only=False)[source]¶

A criterion for comparing against packets with an arbitrary set of TCP flags set, or for comparing against SYN packets. This is an either-or use, determined at the time of object instantiation.

The value is the tuple (flags-checked, flags-set); both flags-checked and flags-set are comma-separated lists of TCP flag names as defined in TcpFlag

get_value() → Tuple[Set[TcpFlag], Set[TcpFlag]][source]¶: Returns the value that the criterion is comparing against

is_syn_only() → bool[source]¶: Returns True if the criterion is only meant to check for the SYN flag (but note that it may not be set yet)

bit_set() → Match[source]¶: This method can be used if this criterion implements a SYN-only comparison to check if the packet flags include only the SYN bit.

bit_not_set() → Match[source]¶: This method can be used if this criterion implements a SYN-only comparison to check for the non-existence of the SYN bit

equals(flags_checked: Optional[Set[TcpFlag]] = None, flags_set: Optional[List[TcpFlag]] = None) → Match[source]¶: Perform flags comparison

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

class TcpFlag(value)[source]¶

Names and values for the TCP flags.

FIN = 1¶: FIN bit

SYN = 2¶: SYN bit

RST = 4¶: RST bit

PSH = 8¶: PSH bit

ACK = 16¶: ACK bit

URG = 32¶: URG bit

SourcePortCriterion¶

class SourcePortCriterion(match: Match)[source]¶

Compare with a source port or check for inclusion in port-range

The value is the tuple (port, last_port) where last_port may be None

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(first: int, last: Optional[int] = None) → Match¶: Compare with a number (or inclusion in number-range if last is present)

get_value() → Tuple[int, Optional[int]]¶

Returns the value that the criterion is comparing against

Return type:: a tuple of (int, int|None)

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

DestPortCriterion¶

class DestPortCriterion(match: Match)[source]¶

Compare against a destination port or check for inclusion in port-range

The value is the tuple (port, last_port) where last_port may be None

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(first: int, last: Optional[int] = None) → Match¶: Compare with a number (or inclusion in number-range if last is present)

get_value() → Tuple[int, Optional[int]]¶

Returns the value that the criterion is comparing against

Return type:: a tuple of (int, int|None)

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

TcpOptionCriterion¶

class TcpOptionCriterion(match: Match)[source]¶

Compare against a TCP option number.

The value is an integer.

any() → Match¶

Match any value.

This method is used when creating a Criterion in order to search an existing chain for rules that try to match against certain packet properties (e.g. input interface) without being particular about the specific property value (e.g. eth0).

compare(is_equal: bool, *args, **kwargs) → Match¶: Alternative method used for comparisons. It invokes equals() (or not_equals()) with args and kwargs if is_equal is True (or False).

equals(value) → Match¶: Compare with the specified value

get_iptables_option() → str¶: Returns the iptables(8) option

get_value() → Any¶: Returns the criterion value

is_positive() → bool¶

Returns the ‘polarity’ of the criterion: True for equals() or False for not_equals()

Raises IptablesError if the criterion is not set

is_set() → bool¶: Returns True if the criterion has been set

not_equals(*args, **kwargs) → Match¶

Express inequality comparison against the argument values.

The arguments of this method are the same as those of the equals() method.

This method invokes the equals() method and then reverses the polarity.

Returns this Match object.

TcpMatch¶

TcpFlagsCriterion¶

SourcePortCriterion¶

DestPortCriterion¶

TcpOptionCriterion¶

linuxnet-iptables

Navigation

Related Topics