ChainRule

class ChainRule(*, match: Optional[Match] = None, match_list: Optional[List[Match]] = None, target: Optional[Target] = None, uses_goto: Optional[bool] = False, goto_chain: Optional[Chain] = None)

This class represents a rule in an iptables(8) chain. A ChainRule has a (possibly empty) list of Match objects and an optional Target object.

Multiple Match objects of the same type can be included in a rule. Since multiple Match objects imply a logical-AND, including objects of the same type may be useful when using negation. However, there can be at most one PacketMatch object included.

A ChainRule object is iterable, returning the rule’s Match instances.

Parameters:

• match – optional Match object; if present, it is added to the rule’s list of Match objects

• match_list – optional list of Match objects; if present, it is appended to the rule’s list of Match objects

• target – a Target object; either this parameter or the goto_chain parameter may be specified

• uses_goto – if True, rule processing continues at the specified target (which must be a ChainTarget) short-circuiting any rules following this one in the chain

• goto_chain – an optional Chain object that is the target of this rule via a goto (instead of jump); either this parameter or the target parameter may be specified

parsing_failed() → bool

Returns True if the rule has not been parsed successfully

get_iptables_line() → Optional[str]

Returns the iptables line if this rule was created from the output of iptables(8), otherwise it returns None.

get_packet_count() → int

Returns the packet count of the rule

get_byte_count() → int

Returns the byte count of the rule

get_chain() → Chain

Returns the Chain where this rule belongs (returns None if this rule is not in any chain)

get_rulenum() → int

Returns the rule number

get_target() → Optional[Target]

Returns the rule target (a Target object) or None

uses_goto() → bool

Returns True if this rule ‘goes’ to its (chain) target instead of ‘jumping’ to it.

set_target(target: Target) → None

Set the rule target

iter_match_list() → Iterator[Match]

Returns an iterator for the matches of this rule.

This method is deprecated and will be removed at a future version.

iter_matches(lookfor: Optional[Match] = None) → Iterator[Match]

Returns an iterator for the matches of this rule. If lookfor is not None, the iterator will return Match instances with criteria that compare equal to those of the lookfor Match; if lookfor has no criteria defined, the iterator will return Match instances of the same type as the lookfor Match.

get_match_count() → int

Returns the number of matches.

get_match_list() → List[Match]

Returns the match list of this rule.

has_match(match: Match, is_only_match=True) → bool

Returns True if the match list of this rule consists only of the specified match (when is_only_match is True) or if the match list contains the specified match (when is_only_match is False).

An object of MatchNone can be used to test for an empty match list.

has_target(target: Target) → bool

Returns True if the rule has the specified target. An object of TargetNone can be used to test for lack of target.

targets_chain(chain: Chain) → bool

Returns True if the target of this rule is the specified chain

Parameters:

chain – a Chain object

get_target_chain() → Optional[Chain]

Returns the Chain object that is the target of this rule, or None if this rule does not target a chain.

matches_all_packets() → bool

Returns True iff this rule matches all packets. This can be because the rule has no matches, or because the only matches are comments.

to_iptables_args() → List[str]

Returns a list suitable to be used as an argument to the iptables(8) command

Raises an IptablesError if this is an unparsed rule

jump_to(*, target: Optional[Target] = None, chain: Optional[Chain] = None) → ChainRule

Add a jump to the specified target. The target is identified either via the target argument or via the chain argument.

Raises an IptablesError if:

• both target and chain arguments are not None

• the rule is already part of a Chain

Parameters:

• target – optional Target object

• chain – optional Chain object

Return type:

this ChainRule object

go_to(*, chain: Chain) → ChainRule

Add a goto to the specified chain.

Raises an IptablesError if the rule is already part of a Chain

Parameters:

chain – a Chain object

Return type:

this ChainRule object

zero_counters() → None

Zero the packet and byte counters of this rule

classmethod create_from_existing(iptables_output_line: str, pft: IptablesPacketFilterTable) → ChainRule

Create a ChainRule from a line of iptables -xnv output

Parameters:

• iptables_output_line – line of iptables -xnv output

• pft – an IptablesPacketFilterTable object