stackoom
  简体   繁体   中英

Is there a python interface to iptables?

 原文  2011-05-05 01:42:03       python/ linux/ sockets/ networking/ iptables

Question

Im trying to retrieve the current iptables chains configured on the system via python. If I strace the iptables command, it outputs:

strace iptables -L INPUT
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\377`\2\351\1\0\210\377\377\210}\313\276\0\210\377\377\354\206\0\201\377\377\377\377"..., [84]) = 0

full output here: http://pastebin.com/e7XEsaZV

In python I create the socket obj and try to call getsockopt and it errors:

>>> s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
>>> s.getsockopt(socket.SOL_IP, 0x40)
Traceback (most recent call last):
  File "<pyshell#46>", line 1, in <module>
    s.getsockopt(socket.SOL_IP, 0x40)
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 22] Invalid argument
>>>
>>> s = socket.socket(2, socket.SOCK_RAW, socket.IPPROTO_RAW)
>>> s.getsockopt(socket.SOL_IP, 0x41)
Traceback (most recent call last):
  File "<pyshell#48>", line 1, in <module>
    s.getsockopt(socket.SOL_IP, 0x41)
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 22] Invalid argument
>>>

Is this just not possible?

2 answers

solution1
 18 ACCPTED  2011-05-05 02:14:22

Have you seen python-iptables ?

Python-iptables provides python bindings to iptables under Linux. Interoperability with iptables is achieved via using the iptables C libraries (libiptc, libxtables, and the iptables extensions), not calling the iptables binary and parsing its output.

solution2
 0  2020-01-19 14:29:34

The reason for error 22 is obvious. getsockopt() call with type IPT_SO_GET_INFO requires third argument of a pointer to struct ipt_getinfo . The struct has include file in my Linux at /usr/include/linux/netfilter_ipv4/ip_tables.h .

Further, there are more requirements. The buffer size given for getsockopt() call needs to match the size of struct, in my machine that is 84 bytes. Why this call really fails is the requirement of struct member .name must indicate which table you're interested in querying. Unspecified size and random bytes a table name will result in this error 22.

With Python, ultimately all this fails as there is no API for entering user defined bytes as an argument for getsockopt() . Assuming IPT_SO_GET_INFO would work, the natural next step would be to read all the chains of a table with a IPT_SO_GET_ENTRIES , which in Python is also impossible. Python's getsockopt() won't allow buffers larger than 1024 bytes. In any real Linux using IPtables, the chain rules can easily exceed that 1 KiB limit.

A good C example on how to read IPtables rules is at https://github.com/mozilla/rr/blob/master/src/test/netfilter.c

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Python pxssh execute iptables not working python-iptables installation error Python/iptables: Original Destination IP How to write specific iptables rules using python-iptables NOT root user execute iptables shell by python Python-iptables how to optimize code Regex code to parse full Iptables log Python NFQUEUE/IPtables - Suricata Inline With Python Intercept for DNS call IPtables command within python script Python to remove iptables rule at specific time
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM