iptables 是否有 python 接口?
[英]Is there a python interface to iptables?
问题描述
Im trying to retrieve the current iptables chains configured on the system via python.
我试图通过 python 检索系统上配置的当前 iptables 链。 If I strace the iptables command, it outputs:如果我 strace iptables 命令,它会输出:
strace iptables -L INPUT
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\377`\2\351\1\0\210\377\377\210}\313\276\0\210\377\377\354\206\0\201\377\377\377\377"..., [84]) = 0
full output here: http://pastebin.com/e7XEsaZV完整的 output 在这里: http://pastebin.com/e7XEsaZV
In python I create the socket obj and try to call getsockopt and it errors:在 python 中,我创建了套接字 obj 并尝试调用 getsockopt 并出现错误:
>>> s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
>>> s.getsockopt(socket.SOL_IP, 0x40)
Traceback (most recent call last):
File "<pyshell#46>", line 1, in <module>
s.getsockopt(socket.SOL_IP, 0x40)
File "/usr/lib/python2.7/socket.py", line 224, in meth
return getattr(self._sock,name)(*args)
error: [Errno 22] Invalid argument
>>>
>>> s = socket.socket(2, socket.SOCK_RAW, socket.IPPROTO_RAW)
>>> s.getsockopt(socket.SOL_IP, 0x41)
Traceback (most recent call last):
File "<pyshell#48>", line 1, in <module>
s.getsockopt(socket.SOL_IP, 0x41)
File "/usr/lib/python2.7/socket.py", line 224, in meth
return getattr(self._sock,name)(*args)
error: [Errno 22] Invalid argument
>>>
Is this just not possible?这是不可能的吗?
2 个解决方案
解决方案1
18 已采纳 2011-05-05 02:14:22
Have you seen python-iptables ?你见过python-iptables吗?
Python-iptables provides python bindings to iptables under Linux.
解决方案2
0 2020-01-19 14:29:34
The reason for error 22 is obvious.错误 22 的原因很明显。 getsockopt() call with type IPT_SO_GET_INFO requires third argument of a pointer to struct ipt_getinfo .类型为IPT_SO_GET_INFO的getsockopt()调用需要指向struct ipt_getinfo的指针的第三个参数。 The struct has include file in my Linux at /usr/include/linux/netfilter_ipv4/ip_tables.h .该结构在我的 Linux 中包含文件,位于/usr/include/linux/netfilter_ipv4/ip_tables.h 。
Further, there are more requirements.此外,还有更多的要求。 The buffer size given for getsockopt() call needs to match the size of struct, in my machine that is 84 bytes.为getsockopt()调用提供的缓冲区大小需要与结构的大小相匹配,在我的机器中为 84 字节。 Why this call really fails is the requirement of struct member .name must indicate which table you're interested in querying.为什么这个调用真的失败是 struct member .name的要求必须表明你有兴趣查询哪个表。 Unspecified size and random bytes a table name will result in this error 22.表名未指定大小和随机字节将导致此错误 22。
With Python, ultimately all this fails as there is no API for entering user defined bytes as an argument for getsockopt() .使用 Python,最终所有这些都失败了,因为没有 API 用于输入用户定义的字节作为getsockopt()的参数。 Assuming IPT_SO_GET_INFO would work, the natural next step would be to read all the chains of a table with a IPT_SO_GET_ENTRIES , which in Python is also impossible.假设IPT_SO_GET_INFO可以工作,下一步自然是使用IPT_SO_GET_ENTRIES读取表的所有链,这在 Python 中也是不可能的。 Python's getsockopt() won't allow buffers larger than 1024 bytes. Python 的getsockopt()不允许缓冲区大于 1024 字节。 In any real Linux using IPtables, the chain rules can easily exceed that 1 KiB limit.在任何使用 IPtables 的真实 Linux 中,链式规则很容易超过 1 KiB 的限制。
A good C example on how to read IPtables rules is at https://github.com/mozilla/rr/blob/master/src/test/netfilter.c关于如何阅读 IPtables 规则的一个很好的 C 示例位于https://github.com/mozilla/rr/blob/master/src/test/netfilter.Z4A8A08F09D37B7379564903348
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.