Module IPChains

IPChains is the packet filter of Linux 2.2.x kernels; this module appends, deletes and changes packet filtering rules from within Zorp.

Note

Note that this code does not invoke the user-space ipchains program; it talks to the kernel through the packet filter's system call interface directly.

Imported modules

Functions

Function calcIpMask

Function calculating the IP address and netmask of dom.

Synopsis

calcIpMask ( dom )

Description

This function returns a tuple containing an IP and a netmask value in network byte order extracted from the parameter dom.

Arguments

Table 4-56. Arguments for calcIpMask()

dom    an InetDomain or SockAddrInet instance; the exact type is determined at runtime

Exceptions

  • ValueError

Returns

a tuple of (ip, netmask)
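Added example, not Zorp's own code: a stand-in for calcIpMask() that takes a CIDR string or a (host, port) tuple in place of the InetDomain and SockAddrInet objects (an assumption of this example), returns the two values as 4-byte strings in network byte order, raises ValueError for anything it cannot handle, and shows the comparison the packet filter performs with the result.

```python
import struct
import ipaddress


def calc_ip_mask(dom):
    """Return (ip, netmask), each a 4-byte string in network byte order.

    Assumption of this example: ``dom`` is a CIDR string such as
    "10.0.0.0/8" (standing in for InetDomain) or a (host, port) tuple
    (standing in for SockAddrInet, i.e. a single host, a /32).
    Anything else, and any IPv6 value, raises ValueError.
    """
    if isinstance(dom, tuple) and len(dom) == 2:
        net = ipaddress.ip_network("%s/32" % dom[0], strict=False)
    elif isinstance(dom, str):
        # strict=False clears the host bits: "10.1.2.3/8" becomes 10.0.0.0/8
        net = ipaddress.ip_network(dom, strict=False)
    else:
        raise ValueError("unsupported domain: %r" % (dom,))
    if net.version != 4:
        raise ValueError("ipchains only filters IPv4")
    # .packed is big-endian, which is what the kernel expects
    return net.network_address.packed, net.netmask.packed


def matches(packed_addr, rule_ip, rule_mask):
    """The test the packet filter applies: (addr & mask) == rule_ip.

    All three arguments are network-byte-order 4-byte strings; unpacking
    with '!' (big-endian) keeps the comparison independent of host order.
    """
    (a,), (r,), (m,) = (struct.unpack("!I", x)
                        for x in (packed_addr, rule_ip, rule_mask))
    return (a & m) == r


def host_order(packed):
    """Why byte order matters: the same 4 bytes read as big-endian and as
    little-endian (host order on x86) give two different integers."""
    return struct.unpack("!I", packed)[0], struct.unpack("<I", packed)[0]


def rejects(dom):
    """True when calc_ip_mask refuses ``dom`` with ValueError."""
    try:
        calc_ip_mask(dom)
    except ValueError:
        return True
    return False
```

A rule built from 10.0.0.0/8 therefore matches 10.20.30.40 but not 11.0.0.1, and mixing up the two integers returned by host_order() is the classic way to install a rule for the wrong network.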

Class IPChains

This class is an interface to the kernel packet filter named ipchains.

Attributes

Table 4-57. Attributes for class IPChains

rules    an array of rules added by this object; these rules are implicitly cleared when this object is deleted
ipchains    an instance of the Zorp.IPChains class implemented by the Zorp core

Constructor __init__

Constructor to initialize an IPChains instance

Synopsis

__init__ ( self )

Description

This constructor initializes an IPChains instance by setting default values for its attributes and creating a Zorp.IPChains instance.

Arguments

Table 4-58. Arguments for IPChains.__init__()

self    this instance

Destructor __del__

Destructor to delete rules added by this object.

Synopsis

__del__ ( self )

Description

This destructor is called when the IPChains instance is freed. It automatically removes every rule added through this object that was not removed explicitly with delRule().

Arguments

Table 4-59. Arguments for IPChains.__del__()

self    this instance

Method addACCEPT

Method specialized to add an ACCEPT rule.

Synopsis

addACCEPT (
        self,
        chain,
        sdom,
        sports,
        ddom,
        dports,
        iface="",
        mark=0,
        proto=0,
        flags=0,
        inv_flags=0,
        redirport=0,
        tosand=0xff,
        tosxor=0x00,
        )

Description

This is a wrapper around addRule() to add an ACCEPT rule to one of the chains.

Arguments

Table 4-60. Arguments for IPChains.addACCEPT()

self    this instance
others    rule details, see the documentation for addREDIRECT or the ipchains(8) manual page

Method addDENY

Method specialized to add a DENY rule.

Synopsis

addDENY (
        self,
        chain,
        sdom,
        sports,
        ddom,
        dports,
        iface="",
        mark=0,
        proto=0,
        flags=0,
        inv_flags=0,
        redirport=0,
        tosand=0xff,
        tosxor=0x00,
        )

Description

This is a wrapper around addRule() to add a DENY rule to one of the chains.

Arguments

Table 4-61. Arguments for IPChains.addDENY()

self    this instance
others    rule details, see the documentation for addREDIRECT or the ipchains(8) manual page

Method addREDIRECT

Method specialized to add a REDIRECT rule

Synopsis

addREDIRECT (
        self,
        chain,
        sdom,
        sports,
        ddom,
        dports,
        redirport,
        iface="",
        mark=0,
        proto=0,
        flags=0,
        inv_flags=0,
        tosand=0xff,
        tosxor=0x00,
        )

Description

This is a wrapper around addRule() that makes it easier to add REDIRECT rules. It returns the full rule added, so that a later delRule() call can remove it. For the meaning of the individual arguments see the ipchains(8) manual page.

Arguments

Table 4-62. Arguments for IPChains.addREDIRECT()

self    this instance
chain    chain to append this rule to
sdom    source address range (specified as an InetDomain or SockAddrInet instance)
sports    a tuple of two ports specifying the matching source port range
ddom    destination address range
dports    destination port range
redirport    redirect connections to this local port
iface    interface specified as a string (default none)
mark    mark packets with this fwmark (default 0)
proto    match packets with this protocol (default 0)
flags    a combination of IP_FW_F_* flags (default 0)
inv_flags    a combination of IP_FW_INV_F_* flags (default 0)
tosand    mask ANDed with the type of service field (default 0xff)
tosxor    value XORed with the type of service field (default 0x00)

Method addREJECT

Method specialized to add a REJECT rule.

Synopsis

addREJECT (
        self,
        chain,
        sdom,
        sports,
        ddom,
        dports,
        iface="",
        mark=0,
        proto=0,
        flags=0,
        inv_flags=0,
        redirport=0,
        tosand=0xff,
        tosxor=0x00,
        )

Description

This is a wrapper around addRule() to add a REJECT rule to one of the chains.

Arguments

Table 4-63. Arguments for IPChains.addREJECT()

self    this instance
others    rule details, see the documentation for addREDIRECT or the ipchains(8) manual page

Method addRETURN

Method specialized to add a RETURN rule.

Synopsis

addRETURN (
        self,
        chain,
        sdom,
        sports,
        ddom,
        dports,
        iface="",
        mark=0,
        proto=0,
        flags=0,
        inv_flags=0,
        redirport=0,
        tosand=0xff,
        tosxor=0x00,
        )

Description

This is a wrapper around addRule() to add a RETURN rule to one of the chains.

Arguments

Table 4-64. Arguments for IPChains.addRETURN()

self    this instance
others    rule details, see the documentation for addREDIRECT or the ipchains(8) manual page

Method addRule

Method to actually add a rule to a chain.

Synopsis

addRule ( self,  rule )

Description

This is a general function called by more specific methods.

Arguments

Table 4-65. Arguments for IPChains.addRule()

self    this instance
rule    a tuple describing the rule to add, in the form (target, (src, smask), (dst, dmask), mark, proto, flags, inv_flags, (sportmin, sportmax), (dportmin, dportmax), redirport, iface, tosand, tosxor)

Method delRule

Method to delete a rule.

Synopsis

delRule ( self,  rule )

Description

This method deletes a rule specified in its rule argument.

Arguments

Table 4-66. Arguments for IPChains.delRule()

self    this instance
rule    rule to delete
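Added example, not Zorp's own code, showing how the addREDIRECT/addACCEPT wrappers, addRule() and delRule() described above fit together and why the tuple returned by the wrapper must be kept. The rule tuple follows the layout documented for addRule(); the in-memory FakeKernelChains standing in for Zorp.IPChains, the chain name carried as element 0 of the tuple, the port-range check and the explicit close() method are assumptions of this example.

```python
import socket
import ipaddress


class FakeKernelChains:
    """Constructed stand-in for the Zorp.IPChains core object: an in-memory
    table per chain, so the example runs without a 2.2 kernel or root."""

    def __init__(self):
        self.chains = {"input": [], "forward": [], "output": []}

    def append(self, rule):
        self.chains[rule[0]].append(rule)   # rule[0] is the chain name

    def delete(self, rule):
        self.chains[rule[0]].remove(rule)   # ValueError if never added


def _packed(dom):
    """(ip, netmask) of a CIDR string, both in network byte order."""
    net = ipaddress.ip_network(dom, strict=False)
    return net.network_address.packed, net.netmask.packed


def _port_range(ports):
    """Refuse an impossible (min, max) tuple before it reaches the kernel."""
    lo, hi = ports
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("bad port range %r" % (ports,))
    return (lo, hi)


class RuleSet:
    """Remembers every rule it adds and removes the leftovers on close().

    Assumption of this example: the chain name travels as element 0 of the
    rule tuple, so delRule() needs nothing but the tuple addRule() returned.
    """

    def __init__(self, kernel):
        self.ipchains = kernel    # would be Zorp.IPChains() inside Zorp
        self.rules = []

    def addRule(self, rule):
        self.ipchains.append(rule)
        self.rules.append(rule)
        return rule

    def delRule(self, rule):
        self.ipchains.delete(rule)
        self.rules.remove(rule)

    def _add(self, target, chain, sdom, sports, ddom, dports, redirport,
             iface, mark, proto, flags, inv_flags, tosand, tosxor):
        rule = (chain, target, _packed(sdom), _packed(ddom), mark, proto,
                flags, inv_flags, _port_range(sports), _port_range(dports),
                redirport, iface, tosand, tosxor)
        return self.addRule(rule)

    def addREDIRECT(self, chain, sdom, sports, ddom, dports, redirport,
                    iface="", mark=0, proto=0, flags=0, inv_flags=0,
                    tosand=0xff, tosxor=0x00):
        return self._add("REDIRECT", chain, sdom, sports, ddom, dports,
                         redirport, iface, mark, proto, flags, inv_flags,
                         tosand, tosxor)

    def addACCEPT(self, chain, sdom, sports, ddom, dports, iface="", mark=0,
                  proto=0, flags=0, inv_flags=0, redirport=0, tosand=0xff,
                  tosxor=0x00):
        return self._add("ACCEPT", chain, sdom, sports, ddom, dports,
                         redirport, iface, mark, proto, flags, inv_flags,
                         tosand, tosxor)

    def close(self):
        """Explicit counterpart of __del__: remove everything still ours."""
        for rule in list(self.rules):
            self.delRule(rule)

    def __del__(self):
        # Only a safety net: __del__ may never run (reference cycles,
        # interpreter shutdown), so callers should close() deliberately.
        if getattr(self, "rules", None):
            self.close()


def demo():
    """Add a transparent-proxy REDIRECT and an ACCEPT, drop the REDIRECT
    with the tuple it returned, then close(); returns both rules and the
    chain contents before and after close() so the cleanup can be checked."""
    kernel = FakeKernelChains()
    rs = RuleSet(kernel)
    redirect = rs.addREDIRECT("input", "10.0.0.0/8", (1024, 65535),
                              "0.0.0.0/0", (80, 80), 50080,
                              proto=socket.IPPROTO_TCP)
    accept = rs.addACCEPT("input", "10.0.0.0/8", (0, 65535), "10.0.0.1/32",
                          (22, 22), proto=socket.IPPROTO_TCP)
    rs.delRule(redirect)
    before_close = list(kernel.chains["input"])
    rs.close()
    return redirect, accept, before_close, list(kernel.chains["input"])
```

The REDIRECT rule is what steers client connections into the proxy's local port, so a rule left behind after the proxy object is gone keeps sending traffic to a port nobody (or, worse, something else) listens on; that is why the documented destructor clears the remaining rules, and why this example also offers close() for code that cannot rely on __del__ running.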