Error parsing rules with tcp flag matches #26

Closed
josh-cf opened this issue Apr 29, 2013 · 4 comments

josh-cf commented Apr 29, 2013

I have iptables rules matching TCP SYN traffic. I can successfully add rules with SYN flag matches. But when I try and parse rules with TCP flag matches, I get a ValueError.

Code to replicate:

import iptc
rule = iptc.Rule()
rule.protocol = "tcp"
rule.dst = "1.1.1.1"
match = iptc.Match(rule, "tcp")
match.syn = "1"
rule.add_match(match)
rule.target = iptc.Target(rule, "ACCEPT")
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "iptc_test_chain")
iptc.Table(iptc.Table.FILTER).create_chain(chain)
chain.insert_rule(rule)
try:
    print chain.rules[0].matches[0].name
except:
    print "error parsing rule"

chain.delete_rule(rule)
iptc.Table(iptc.Table.FILTER).delete_chain(chain)

The error:

  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 1236, in _get_rules
    return [self.table.create_rule(e, self) for e in entries]
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 1525, in create_rule
    return Rule(entry, chain)
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 711, in __init__
    self.rule = entry
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 1090, in _set_rule
    m = Match(self, match=match)
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 428, in __init__
    self._update_parameters()
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 344, in _update_parameters
    self.__setattr__(k, v)
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 348, in __setattr__
    self.parse(name.replace("_", "-"), value)
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 267, in parse
    self._parse(argv, inv, entry)
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/ip4tc.py", line 450, in _parse
    ct.cast(self._ptrptr, ct.POINTER(ct.c_void_p)))
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/xtables.py", line 735, in new
    ret = fn(*args)
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/xtables.py", line 1024, in parse_match
    self._parse(m, argv, invert, flags, fw, ptr)
  File "/usr/local/lib/python2.7/dist-packages/python_iptables-0.2.0_dev-py2.7-linux-x86_64.egg/iptc/xtables.py", line 931, in _parse
    raise ValueError("invalid value %s" % (argv[1]))
ValueError: invalid value FIN,SYN,RST,ACK SYN

Owner

ldx commented Apr 30, 2013

Can you check the git hash version you use? I believe this one has been fixed recently.

ldx closed this as completed Apr 30, 2013
ldx reopened this Apr 30, 2013
Author

josh-cf commented May 6, 2013

I pulled and tcp flag matches have been fixed. Thank you for your work on this module.

>>> import iptc
>>> rule = iptc.Rule()
>>> match = iptc.Match(rule, 'tcp')
>>> match.tcp_flags = "FIN,SYN,RST,ACK ACK"
>>> print match.parameters
{'tcp_flags': 'FIN,SYN,RST,ACK ACK'}
>>> match.syn = "1"
>>> print match.parameters
{'tcp_flags': 'FIN,SYN,RST,ACK SYN'}

josh-cf closed this as completed May 6, 2013

ccrssaa commented Aug 18, 2018

regression ?

>>> print(iptc.version.__version__)
0.14.0-dev
>>> rule = iptc.Rule()
>>> match = iptc.Match(rule, 'tcp')
>>> match.tcp_flags = "FIN,SYN,RST,ACK ACK"
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/root/python-iptables/iptc/ip4tc.py", line 455, in __setattr__
    self.parse(name.replace("_", "-"), value)
  File "/root/python-iptables/iptc/ip4tc.py", line 332, in parse
    self._parse(argv, inv, entry)
  File "/root/python-iptables/iptc/ip4tc.py", line 600, in _parse
    self._orig_parse, self._orig_options)
  File "/root/python-iptables/iptc/xtables.py", line 869, in new
    return fn(*args)
  File "/root/python-iptables/iptc/xtables.py", line 1174, in parse_match
    self._parse(m, argv, invert, flags, fw, ptr)
  File "/root/python-iptables/iptc/xtables.py", line 1081, in _parse
    raise ValueError("invalid value %s" % (argv[1]))
ValueError: invalid value b'FIN,SYN,RST,ACK ACK'
>>>


ccrssaa commented Aug 18, 2018

oops sorry looks like an undocumented feature:

>>> import iptc
>>> rule = iptc.Rule()
>>> match = iptc.Match(rule, 'tcp')
>>> match.tcp_flags = [ 'FIN,SYN,RST,ACK', 'ACK' ]
>>> print(match.tcp_flags)
FIN,SYN,RST,ACK ACK
>>>
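
What the `FIN,SYN,RST,ACK SYN` value in this thread means when a rule is evaluated, as an added example that is not part of the thread and not python-iptables code. The function names are hypothetical and the packet flag bytes in the usage are constructed; it accepts both the single-string and the two-element list form shown above.

```python
# Added example: standalone model of the iptables "--tcp-flags <mask> <comp>" value.
# Function names are hypothetical; nothing here calls or reproduces python-iptables.

# Bit positions of the flags in the TCP header, plus the ALL/NONE keywords.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
             "ALL": 0x3F, "NONE": 0x00}


def _flag_bits(csv):
    """Turn 'FIN,SYN,RST,ACK' into a bitmask, rejecting unknown names."""
    bits = 0
    for name in csv.split(","):
        if name not in TCP_FLAGS:
            raise ValueError("invalid TCP flag %r" % name)
        bits |= TCP_FLAGS[name]
    return bits


def parse_tcp_flags(value):
    """Accept 'MASK COMP' as one string or as a [mask, comp] list."""
    parts = value.split() if isinstance(value, str) else list(value)
    if len(parts) != 2:
        raise ValueError("expected mask and comp, got %r" % (value,))
    mask, comp = _flag_bits(parts[0]), _flag_bits(parts[1])
    if comp & ~mask:
        # This example's own sanity check (not claimed to be iptables
        # behaviour): a comp bit outside the mask can never match a packet,
        # so such a rule would silently do nothing.
        raise ValueError("comp flags must be a subset of mask")
    return mask, comp


def matches(value, packet_flags):
    """True when the examined (mask) bits of the packet equal comp exactly."""
    mask, comp = parse_tcp_flags(value)
    return (packet_flags & mask) == comp


if __name__ == "__main__":
    syn_rule = "FIN,SYN,RST,ACK SYN"          # what match.syn = "1" expands to
    for label, flags in [("SYN", 0x02), ("SYN+ACK", 0x12), ("SYN+PSH", 0x0A)]:
        print(label, matches(syn_rule, flags))  # constructed flag bytes
```

PSH and URG are outside the mask, so a SYN segment that also carries PSH still matches the `--syn` form of the rule.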
