IPChains is the packet filter of Linux kernel version 2.2.x, and this code can be used to append, delete or change packet filtering rules from within Zorp.
Note: this code does not invoke the user-space ipchains program; it issues the kernel system calls directly.
from Domain import InetDomain | Module implementing address domains. |
import Zorp | Module defining global constants and the interface entry points to the Zorp core. |
Function calculating the IP, netmask values of dom.
calcIpMask ( dom )
This function returns a tuple containing an IP and a netmask value in network byte order extracted from the parameter dom.
Table 4-56. Arguments for .calcIpMask()
dom | an InetDomain or SockAddrInet instance, the exact type is determined at runtime. |
Raises: ValueError
Returns: a tuple of (ip, netmask)
This class is an interface to the kernel packet filter named ipchains.
Table 4-57. Attributes for class IPChains
rules | an array of the rules added by this object; these rules are implicitly removed when the object is deleted |
ipchains | an instance of the Zorp.IPChains class implemented by the Zorp core. |
Constructor to initialize an IPChains instance
__init__ ( self )
This constructor initializes an IPChains instance by setting default values for attributes, and creating a Zorp.IPChains instance.
Table 4-58. Arguments for IPChains.__init__()
self | this instance |
Destructor to delete rules added by this object.
__del__ ( self )
This destructor is called when the IPChains instance is freed. It automatically removes every rule added by this object that was not already removed explicitly with delRule().
Table 4-59. Arguments for IPChains.__del__()
self | this instance |
Method specialized to add an ACCEPT rule.
addACCEPT ( self, chain, sdom, sports, ddom, dports, iface="", mark=0, proto=0, flags=0, inv_flags=0, redirport=0, tosand=0xff, tosxor=0x00 )
This is a wrapper around addRule() to add an ACCEPT rule to one of the chains.
Table 4-60. Arguments for IPChains.addACCEPT()
self | this instance |
others | rule details, see the documentation for addREDIRECT or the ipchains(8) manual page. |
Method specialized to add a DENY rule.
addDENY ( self, chain, sdom, sports, ddom, dports, iface="", mark=0, proto=0, flags=0, inv_flags=0, redirport=0, tosand=0xff, tosxor=0x00 )
This is a wrapper around addRule() to add a DENY rule to one of the chains.
Table 4-61. Arguments for IPChains.addDENY()
self | this instance |
others | rule details, see the documentation for addREDIRECT or the ipchains(8) manual page. |
Method specialized to add a REDIRECT rule
addREDIRECT ( self, chain, sdom, sports, ddom, dports, redirport, iface="", mark=0, proto=0, flags=0, inv_flags=0, tosand=0xff, tosxor=0x00 )
This is a wrapper around the addRule() function that makes it easier to add REDIRECT rules. It returns the full rule added, so that a later invocation of delRule() can delete it. For more information on the individual arguments see the ipchains(8) manual page.
Table 4-62. Arguments for IPChains.addREDIRECT()
self | this instance |
chain | chain to append this rule to |
sdom | source address range (specified as an InetDomain or SockAddrInet instance) |
sports | a tuple of two ports specifying matching port range |
ddom | destination address range |
dports | destination port range |
redirport | redirect connections to this local port |
iface | interface specified as a string (default none) |
mark | mark packets with this fwmark, (default 0) |
proto | match packets with this protocol number (default 0, meaning any protocol) |
flags | a combination of IP_FW_F_* flags above (default 0) |
inv_flags | a combination of IP_FW_INV_F_* flags above (default 0) |
tosand | mask ANDed with the type of service field (default 0xff) |
tosxor | value XORed with the type of service field (default 0x00) |
Method specialized to add a REJECT rule.
addREJECT ( self, chain, sdom, sports, ddom, dports, iface="", mark=0, proto=0, flags=0, inv_flags=0, redirport=0, tosand=0xff, tosxor=0x00 )
This is a wrapper around addRule() to add a REJECT rule to one of the chains.
Table 4-63. Arguments for IPChains.addREJECT()
self | this instance |
others | rule details, see the documentation for addREDIRECT or the ipchains(8) manual page. |
Method specialized to add a RETURN rule.
addRETURN ( self, chain, sdom, sports, ddom, dports, iface="", mark=0, proto=0, flags=0, inv_flags=0, redirport=0, tosand=0xff, tosxor=0x00 )
This is a wrapper around addRule() to add a RETURN rule to one of the chains.
Table 4-64. Arguments for IPChains.addRETURN()
self | this instance |
others | rule details, see the documentation for addREDIRECT or the ipchains(8) manual page. |
Method to actually add a rule to a chain.
addRule ( self, rule )
This is a general function called by more specific methods.
Table 4-65. Arguments for IPChains.addRule()
self | this instance |
rule | a tuple describing the rule to add in the syntax (target, (src, smask), (dst, dmask), mark, proto, flags, inv_flags, (sportmin, sportmax), (dportmin, dportmax), redirport, iface, tosand, tosxor) |
Method to delete a rule.
delRule ( self, rule )
This method deletes a rule specified in its rule argument.
Table 4-66. Arguments for IPChains.delRule()
self | this instance |
rule | rule to delete |
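The following is an added example, not Zorp's own code, that models in pure Python both calcIpMask() and the rule lifecycle of the IPChains class described above (addRule(), delRule() and the destructor that removes whatever was not deleted explicitly). It assumes a fake in-memory filter (FakeKernelFilter) in place of the Zorp.IPChains core object, address domains given as "a.b.c.d/prefixlen" strings instead of InetDomain or SockAddrInet instances, and the chain name kept as element 0 of the rule tuple so that the same tuple serves delRule(); the helpers clear(), to_dotted() and is_valid_domain() are likewise additions and not part of the module.

```python
# Added example (not Zorp's code): a pure-Python model of the IPChains wrapper.
# Zorp.IPChains (the C core object issuing the kernel calls) is replaced by
# FakeKernelFilter, and domains are "a.b.c.d/prefixlen" strings, so this runs
# on any Python 3 without a 2.2 kernel.
import socket
import struct

CHAINS = ("input", "forward", "output")   # the built-in ipchains chains


def calc_ip_mask(dom):
    """Model of calcIpMask(): return (ip, netmask) as 32-bit integers whose
    in-memory layout ('=I') is the address in network byte order.
    dom is 'a.b.c.d/prefixlen' or a bare host address (treated as /32)."""
    addr, _, plen = dom.partition("/")
    plen = int(plen) if plen else 32
    if not 0 <= plen <= 32:
        raise ValueError("bad prefix length in %r" % dom)
    try:
        packed = socket.inet_aton(addr)            # 4 bytes, network order
    except OSError:
        raise ValueError("bad IPv4 address in %r" % dom)
    mask_host = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    ip = struct.unpack("=I", packed)[0]
    netmask = struct.unpack("=I", struct.pack("!I", mask_host))[0]
    return ip, netmask


def to_dotted(value):
    """Render a network-byte-order 32-bit value back as a dotted quad."""
    return socket.inet_ntoa(struct.pack("=I", value))


def is_valid_domain(dom):
    """True if calc_ip_mask() accepts dom (it raises ValueError otherwise)."""
    try:
        calc_ip_mask(dom)
        return True
    except ValueError:
        return False


def _check_ports(ports):
    """Port ranges are (min, max); reject inverted or out-of-range ones."""
    lo, hi = ports
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range %r" % (ports,))
    return lo, hi


class FakeKernelFilter:
    """Stand-in for the Zorp.IPChains core object: chains held in memory,
    with append/delete of rule tuples in place of the kernel calls."""
    def __init__(self):
        self.chains = {name: [] for name in CHAINS}

    def append(self, chain, rule):
        self.chains[chain].append(rule)

    def delete(self, chain, rule):
        self.chains[chain].remove(rule)       # ValueError if no such rule


class IPChains:
    """Model of the documented class: remembers its rules and removes them
    all when the object is deleted."""
    def __init__(self, core):
        self.rules = []        # rules added by this object
        self.ipchains = core   # the (here: fake) core instance

    def __del__(self):
        self.clear()

    def clear(self):
        """Remove every rule this object still owns; __del__ relies on it."""
        for rule in list(self.rules):
            self.delRule(rule)

    def addRule(self, rule):
        # Assumption: chain name is element 0 so the tuple alone identifies the
        # rule for delRule(); the page does not show where Zorp keeps it.
        self.ipchains.append(rule[0], rule)
        self.rules.append(rule)
        return rule

    def delRule(self, rule):
        self.ipchains.delete(rule[0], rule)
        self.rules.remove(rule)

    def _add(self, target, chain, sdom, sports, ddom, dports, redirport,
             iface, mark, proto, flags, inv_flags, tosand, tosxor):
        if chain not in CHAINS:
            raise ValueError("unknown chain %r" % chain)
        rule = (chain, target, calc_ip_mask(sdom), calc_ip_mask(ddom), mark,
                proto, flags, inv_flags, _check_ports(sports),
                _check_ports(dports), redirport, iface, tosand, tosxor)
        return self.addRule(rule)

    def addREDIRECT(self, chain, sdom, sports, ddom, dports, redirport, iface="",
                    mark=0, proto=0, flags=0, inv_flags=0, tosand=0xff, tosxor=0x00):
        return self._add("REDIRECT", chain, sdom, sports, ddom, dports, redirport,
                         iface, mark, proto, flags, inv_flags, tosand, tosxor)

    def addDENY(self, chain, sdom, sports, ddom, dports, iface="", mark=0, proto=0,
                flags=0, inv_flags=0, redirport=0, tosand=0xff, tosxor=0x00):
        return self._add("DENY", chain, sdom, sports, ddom, dports, redirport,
                         iface, mark, proto, flags, inv_flags, tosand, tosxor)


def demo():
    """Add two constructed sample rules, drop the wrapper, and return the
    input-chain rule counts before and after: (2, 0) shows the cleanup."""
    core = FakeKernelFilter()
    fw = IPChains(core)
    fw.addREDIRECT("input", "192.168.1.0/24", (1024, 65535), "0.0.0.0/0",
                   (80, 80), redirport=8080, proto=6)
    fw.addDENY("input", "0.0.0.0/0", (0, 65535), "192.168.1.1", (23, 23), proto=6)
    before = len(core.chains["input"])
    del fw                       # last reference gone: __del__ -> clear()
    after = len(core.chains["input"])
    return before, after


if __name__ == "__main__":
    print(demo())
```

The cleanup in demo() relies on CPython's reference counting running __del__ as soon as the last reference disappears; on other runtimes, or where a rule tuple may outlive the wrapper, call clear() explicitly rather than depending on the destructor, which is the same caveat that applies to the real class.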