python-iptables how to specify multi argument matches

Question

How do I specify multi-argument matches with python-iptables?

For example, the following iptables command:

-A INPUT -s 1.1.1.1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

If I create the following:

import iptc
rule = iptc.Rule()
rule.src = '1.1.1.1'
rule.protocol = 'tcp'
t = rule.create_target('DROP')
m = rule.create_match('tcp')
m.tcp_flags = 'FIN,SYN,RST,ACK SYN'

it will complain:

ValueError: invalid value FIN,SYN,RST,ACK SYN

PS: I know that for my particular example, I can simply use m.syn = '1', but I'm trying to generalize on how to specify multi-argument matches.

score 1 · Answer 1 · answered Dec 18 '14 at 11:54

1

Are you using the latest version? See this issue.

answered Dec 18 '14 at 11:54

miles82

6,584
38
28

Aaah, I see... btw, your answer came in just seconds before I actually found that page myself. My Google-fu is getting rusty, it seems :/ ... – pepoluan Dec 18 '14 at 11:56

score 0 · Answer 2 · answered Dec 18 '14 at 12:07

Okay... someone tried to post an answer, but he/she deleted it when I was commenting on it.

The answer attempt was:

m.tcp_flags = ['FIN', 'SYN', 'RST', 'ACK SYN']

which gave the wrong result:

print m.parameters
{u'tcp_flags': u'FIN SYN'}

However, that inspired me to try the following:

m.tcp_flags = ['FIN,SYN,RST,ACK', 'SYN']

which gives:

>>> match.parameters
{u'tcp_flags': u'FIN,SYN,RST,ACK SYN'}

Committing that rule into the INPUT chain and running iptables-save shows that it properly returns the rule I want.

So, thank you!

python-iptables how to specify multi argument matches

2 Answers2