ipmininet.router.config.iptables module

This module defines IP(6)Table configuration. Due to the current (sad) state of affairs of IPv6, one is required to explicitly make two different daemon instances, one to manage iptables, one to manage ip6tables …

class ipmininet.router.config.iptables.AddressClause(code, args)

Bases: ipmininet.router.config.iptables.MatchClause

class ipmininet.router.config.iptables.Allow(**kwargs)

Bases: ipmininet.router.config.iptables.ChainRule

Shorthand for ChainRule(action='ACCEPT', …). Expresses a whitelisting rule.

class ipmininet.router.config.iptables.Chain(table='filter', name='INPUT', default='DROP', rules=())

Bases: object

Chains are the hook locations of their respective tables. Each table supports only a subset of the available chains, see man iptables.

Build a chain description. For convenience, most parameters have more intuitive aliases than their one-letter CLI params.

Parameters:
  • table – The table on which the chain applies.
  • name – The chain name.
  • default – The default verdict if nothing matches.
  • rules – The ordered list of ChainRule to apply.
TABLE_CHAINS = {'filter': {'FORWARD', 'INPUT', 'OUTPUT'}, 'mangle': {'FORWARD', 'INTPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, 'nat': {'INTPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, 'raw': {'OUTPUT', 'PREROUTING'}, 'security': {'CONNSECMARK', 'FORWARD', 'INPUT', 'OUTPUT', 'SECMARK'}}
build()
class ipmininet.router.config.iptables.ChainRule(action='DROP', **kwargs)

Bases: object

Describe one set of matching criteria and the corresponding action when embedded in a chain.

Parameters:
  • action – The action to perform on matching packets.
  • oif – match on the output interface (optional)
  • iif – match on the input interface (optional)
  • src – match on the source address/network (optional)
  • dst – match on the destination address/network (optional)
  • proto – match on the protocol name/number (optional)
  • match – additional matching clauses, per man iptables (optional)
  • port – match on the source or destination port number/range (optional)
  • sport – match on the source port number/range/name (optional)
  • dport – match on the destination port number/range/name (optional)
ALIASES = {'d': 'd', 'destination': 'd', 'destination_port': 'dport', 'destination_ports': 'dport', 'dport': 'dport', 'dports': 'dport', 'dst': 'd', 'i': 'i', 'iif': 'i', 'in_interface': 'i', 'in_intf': 'i', 'm': 'm', 'match': 'm', 'matching': 'm', 'o': 'o', 'oif': 'o', 'out_interface': 'o', 'out_intf': 'o', 'p': 'p', 'port': 'port', 'proto': 'p', 'protocol': 'p', 'r': 'port', 's': 's', 'source': 's', 'source_port': 'sport', 'source_ports': 'sport', 'sport': 'sport', 'sports': 'sport', 'src': 's', 't': 'port'}
build()
class ipmininet.router.config.iptables.Deny(**kwargs)

Bases: ipmininet.router.config.iptables.ChainRule

Shorthand for ChainRule(action='DROP', …). Expresses a blacklisting rule.

class ipmininet.router.config.iptables.Filter(**kwargs)

Bases: ipmininet.router.config.iptables.Chain

The filter table acts as inbound, outbound, and forwarding firewall.

class ipmininet.router.config.iptables.IP6Tables(node: IPNode, template_lookup: mako.lookup.TemplateLookup = <mako.lookup.TemplateLookup object>, **kwargs)

Bases: ipmininet.router.config.iptables.IPTables

The IPv6 counterpart to iptables …

Parameters:
  • node – The node for which we build the config
  • template_lookup – The TemplateLookup object of the template directory
  • kwargs – Pre-set options for the daemon, see defaults()
NAME = 'ip6tables'
class ipmininet.router.config.iptables.IPTables(node: IPNode, template_lookup: mako.lookup.TemplateLookup = <mako.lookup.TemplateLookup object>, **kwargs)

Bases: ipmininet.router.config.base.Daemon

iptables: the default Linux firewall/ACL engine for IPv4. This is currently mainly a proxy class to generate a list of static rules to pass to iptables.

As such, see man iptables and man iptables-extensions to see the various table names, commands, pre-existing chains, …

Parameters:
  • node – The node for which we build the config
  • template_lookup – The TemplateLookup object of the template directory
  • kwargs – Pre-set options for the daemon, see defaults()
NAME = 'iptables'
build()

Build the configuration tree for this daemon

Returns: ConfigDict-like object describing this configuration
dry_run

The startup line to use to check that the daemon is well-configured

has_started(node_exec=None) → bool

Return whether this daemon has started or not.

Parameters:
  • node_exec –

set_defaults(defaults)
Parameters:
  • rules – The (ordered) list of iptables Rules that should be executed, or the list of Chain objects each containing rules. If a rule is an iterable of strings, these will be joined using a space.
startup_line

Return the corresponding startup_line for this daemon

class ipmininet.router.config.iptables.InputFilter(**kwargs)

Bases: ipmininet.router.config.iptables.Filter

The inbound firewall.

class ipmininet.router.config.iptables.InterfaceClause(code, args)

Bases: ipmininet.router.config.iptables.MatchClause

class ipmininet.router.config.iptables.MatchClause(code, args)

Bases: object

build()
render(v)
class ipmininet.router.config.iptables.NOT(clause)

Bases: object

Negates the match clause.

Parameters:
  • clause – The value of the match clause to negate

class ipmininet.router.config.iptables.OutputFilter(**kwargs)

Bases: ipmininet.router.config.iptables.Filter

The outbound firewall.

class ipmininet.router.config.iptables.PortClause(code, val)

Bases: ipmininet.router.config.iptables.MatchClause

class ipmininet.router.config.iptables.Rule(*args, **kw)

Bases: object

A simple wrapper representing an iptables rule.

Parameters:
  • args – the rule members, which will be joined by whitespace
  • table – Specify the table in which the rule should be installed. Defaults to filter.
class ipmininet.router.config.iptables.TransitFilter(**kwargs)

Bases: ipmininet.router.config.iptables.Filter

The forward firewall.
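The following is an added, self-contained model of how the classes documented above (Chain, ChainRule with its ALIASES, Allow, Deny, NOT, Rule, and the daemon's rules list) translate into the iptables command lines a node ends up running. It is illustrative code written for this page, not ipmininet's own implementation: the flag rendering (alias → -s/-d/-i/-o/-p/-m/--sport/--dport, and port → multiport --ports), the restriction to the filter table, the proto-required check for port matches, and the constructed INPUT_POLICY are all assumptions chosen to show a default-deny host policy end to end.

```python
from typing import Iterable, List, Union

# ChainRule.ALIASES as listed on this page: kwarg name -> canonical key
ALIASES = {
    'd': 'd', 'destination': 'd', 'dst': 'd',
    'destination_port': 'dport', 'destination_ports': 'dport',
    'dport': 'dport', 'dports': 'dport',
    'i': 'i', 'iif': 'i', 'in_interface': 'i', 'in_intf': 'i',
    'm': 'm', 'match': 'm', 'matching': 'm',
    'o': 'o', 'oif': 'o', 'out_interface': 'o', 'out_intf': 'o',
    'p': 'p', 'proto': 'p', 'protocol': 'p',
    'port': 'port', 'r': 'port', 't': 'port',
    's': 's', 'source': 's', 'src': 's',
    'source_port': 'sport', 'source_ports': 'sport',
    'sport': 'sport', 'sports': 'sport',
}
# Canonical key -> iptables CLI flag (assumed rendering, per man iptables)
FLAGS = {'s': '-s', 'd': '-d', 'i': '-i', 'o': '-o', 'p': '-p',
         'm': '-m', 'sport': '--sport', 'dport': '--dport'}
# Built-in chains of the filter table; this model covers only that table
FILTER_CHAINS = {'INPUT', 'FORWARD', 'OUTPUT'}


class NOT:
    """Negates a match clause, e.g. iif=NOT('lo') renders as '! -i lo'."""
    def __init__(self, clause):
        self.clause = clause


class ChainRule:
    """One set of match criteria plus a verdict, keyed by the documented aliases."""
    def __init__(self, action: str = 'DROP', **kwargs):
        self.action = action
        self.matches = {}
        for key, value in kwargs.items():
            if key not in ALIASES:
                raise TypeError('unknown match keyword: %r' % key)
            self.matches[ALIASES[key]] = value
        # iptables rejects --sport/--dport/--ports unless a protocol is given
        if {'sport', 'dport', 'port'} & set(self.matches) and 'p' not in self.matches:
            raise ValueError('port matches require proto=tcp|udp|sctp')

    def build(self) -> str:
        parts: List[str] = []
        for key, value in self.matches.items():
            negate = isinstance(value, NOT)
            if negate:
                value = value.clause
            if key == 'port':
                # 'port' matches either direction: rendered as multiport --ports (assumed)
                parts += ['-m', 'multiport'] + (['!'] if negate else []) + ['--ports', str(value)]
            else:
                parts += (['!'] if negate else []) + [FLAGS[key], str(value)]
        return ' '.join(parts + ['-j', self.action])


class Allow(ChainRule):
    def __init__(self, **kwargs):
        super().__init__(action='ACCEPT', **kwargs)


class Deny(ChainRule):
    def __init__(self, **kwargs):
        super().__init__(action='DROP', **kwargs)


class Chain:
    def __init__(self, table='filter', name='INPUT', default='DROP', rules=()):
        if table != 'filter' or name not in FILTER_CHAINS:
            raise ValueError('this model only covers filter-table built-in chains')
        self.table, self.name, self.default, self.rules = table, name, default, list(rules)

    def build(self) -> List[str]:
        """Policy line first, then one -A line per rule, in the given order."""
        prefix = '-t %s' % self.table
        lines = ['%s -P %s %s' % (prefix, self.name, self.default)]
        return lines + ['%s -A %s %s' % (prefix, self.name, r.build()) for r in self.rules]


class Rule:
    """Raw rule: members joined by a space, as the page describes for iterables."""
    def __init__(self, *args, table='filter'):
        self.table, self.args = table, args

    def build(self) -> List[str]:
        return ['-t %s %s' % (self.table, ' '.join(self.args))]


def render(rules: Iterable[Union[Chain, Rule]], binary: str = 'iptables') -> List[str]:
    """Flatten Chain and Rule objects into the command lines the daemon would run."""
    return ['%s %s' % (binary, line) for item in rules for line in item.build()]


# Constructed host policy: default-deny inbound; allow loopback, established
# replies and SSH; drop packets arriving on eth0 with a private source address.
INPUT_POLICY = Chain(name='INPUT', default='DROP', rules=[
    Allow(iif='lo'),
    Allow(match='conntrack --ctstate ESTABLISHED,RELATED'),
    Deny(iif='eth0', src='10.0.0.0/8'),
    Allow(proto='tcp', dport=22),
])

if __name__ == '__main__':
    for line in render([INPUT_POLICY, Rule('-A', 'OUTPUT', '-o', 'lo', '-j', 'ACCEPT')]):
        print(line)
```

Ordering matters: the policy is set before any rule is appended, and rules are appended in list order, so a Deny placed after a broad Allow never fires. The proto check mirrors a real iptables failure mode (port options are only valid with -p tcp/udp/sctp) so that a mis-specified rule is caught at build time rather than when the daemon starts.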