
Not adding parameters 'proto' and 'reqid' to policy match

Open · ccsalway opened this issue 6 years ago · 1 comment

The following Rule does not add the 'proto' or 'reqid' parameters:

    # SOURCEIP, INTERFACE and REQID are the reporter's placeholders (not shown);
    # `chain` is assumed to be an iptc.Chain created earlier.
    rule = iptc.Rule()
    rule.src = "172.31.31.124/32"
    rule.dst = SOURCEIP
    rule.out_interface = INTERFACE
    rule.target = iptc.Target(rule, "ACCEPT")
    match = rule.create_match("policy")
    match.set_parameter("dir", "out")
    match.set_parameter("pol", "ipsec")
    match.set_parameter("proto", "esp")   # silently dropped
    match.set_parameter("reqid", REQID)   # silently dropped
    rule.add_match(match)
    chain.insert_rule(rule)

Decoding the rule shows only 'dir' and 'pol' survived:

    >>> match = rule.create_match("policy")
    >>> print(iptc.easy.decode_iptc_rule(rule))
    {'policy': {'dir': 'out', 'pol': 'ipsec'}}

http://ipset.netfilter.org/iptables-extensions.man.html#lbBS

    {'src': '10.0.0.1/32', 'dst': '172.31.31.124/32', 'in-interface': 'eth0', 'policy': {'dir': 'in', 'pol': 'ipsec'}, 'target': 'ACCEPT'}

Not sure why this doesn't error the first time it is called.

    >>> import iptc
    >>> table = iptc.Table(iptc.Table.FILTER, autocommit=False)
    >>> chain = iptc.Chain(table, 'FORWARD')
    >>> rule = iptc.Rule()
    >>> rule.src = "172.31.31.124/32"
    >>> rule.dst = "10.0.0.1/32"
    >>> rule.out_interface = "eth0"
    >>> rule.target = rule.create_target("ACCEPT")
    >>> match = rule.create_match("policy")
    >>> match.set_parameter("proto", "esp")
    >>> match.set_parameter("proto", "esp")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/local/lib64/python3.7/site-packages/iptc/ip4tc.py", line 285, in set_parameter
        return self.parse(parameter.replace("_", "-"), value)
      File "/usr/local/lib64/python3.7/site-packages/iptc/ip4tc.py", line 332, in parse
        self._parse(argv, inv, entry)
      File "/usr/local/lib64/python3.7/site-packages/iptc/ip4tc.py", line 598, in _parse
        self._orig_parse, self._orig_options)
      File "/usr/local/lib64/python3.7/site-packages/iptc/xtables.py", line 869, in new
        return fn(*args)
      File "/usr/local/lib64/python3.7/site-packages/iptc/xtables.py", line 1168, in parse_match
        m.name, len(argv) > 1 and argv[1] or "", rv))
    iptc.errors.XTablesError: b'policy': parameter 'b'esp'' error -2

ccsalway · Oct 31 '19 14:10

Yeah, I tried the following and ran into the same issue. While we are able to retrieve the rule, we cannot create a new one.

I did this:

First add the rule via iptables:

    # iptables -A OUTPUT -s 172.31.31.124/32 -d 10.0.0.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1234 --proto esp -j ACCEPT

Inside a Python3 interpreter:

    import iptc
    rule_d = iptc.easy.dump_chain('filter', 'OUTPUT')[0]
    print(rule_d)
    [{'counters': (0, 0),
      'dst': '10.0.0.1/32',
      'out-interface': 'eth0',
      'policy': {'dir': 'out', 'pol': 'ipsec', 'proto': 'esp', 'reqid': '1234'},
      'src': '172.31.31.124/32',
      'target': 'ACCEPT'}]

I try to add the same rule again:

    iptc.easy.add_rule('filter','OUTPUT', rule_d, position=1)
    iptc.easy.dump_chain('filter', 'OUTPUT')
    [{'counters': (0, 0),
      'dst': '10.0.0.1/32',
      'out-interface': 'eth0',
      'policy': {'dir': 'out', 'pol': 'ipsec'},
      'src': '172.31.31.124/32',
      'target': 'ACCEPT'},
     {'counters': (0, 0),
      'dst': '10.0.0.1/32',
      'out-interface': 'eth0',
      'policy': {'dir': 'out', 'pol': 'ipsec', 'proto': 'esp', 'reqid': '1234'},
      'src': '172.31.31.124/32',
      'target': 'ACCEPT'}]

jllorente · Nov 02 '19 19:11
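Both posts above show the same failure mode: the parameters are dropped without an error, so the rule that ends up in the chain is broader than the one that was written (a policy match with only `dir` and `pol` accepts any IPsec-protected packet in that direction, not just the ESP SA with that `reqid`). The following is an added example, not code from the python-iptables project or from either poster: a read-back check in the `iptc.easy` dict shape that compares the intended rule against what the chain reports and fails loudly on any missing or changed match parameter. The rule dicts, the `add_rule`/`read_back` callables and the `IGNORED_KEYS` set are assumptions for this example; on a real host you would pass `iptc.easy.add_rule` and `iptc.easy.dump_chain` (wrapped to fix the table and chain) as the two callables.

```python
"""Read-back verification for rules installed through an iptc.easy-style API.

Compares the rule we meant to install against the rule the chain reports, so
that match parameters dropped silently (e.g. the policy match losing 'proto'
and 'reqid') are detected instead of leaving a wider rule in place.
"""

# Constructed for this example; both dicts mirror the thread above.
INTENDED_RULE = {
    "src": "172.31.31.124/32",
    "dst": "10.0.0.1/32",
    "out-interface": "eth0",
    "policy": {"dir": "out", "pol": "ipsec", "proto": "esp", "reqid": "1234"},
    "target": "ACCEPT",
}

INSTALLED_RULE = {  # what dump_chain showed for the copy added via python-iptables
    "counters": (0, 0),
    "src": "172.31.31.124/32",
    "dst": "10.0.0.1/32",
    "out-interface": "eth0",
    "policy": {"dir": "out", "pol": "ipsec"},
    "target": "ACCEPT",
}

# Keys that describe runtime state rather than the rule's intent (assumption).
IGNORED_KEYS = {"counters"}


def rule_differences(intended, installed):
    """Return a sorted list of 'path: intended -> installed' strings for every
    key of `intended` that is missing from, or different in, `installed`.
    Nested match dicts such as 'policy' are compared parameter by parameter,
    so a dropped 'proto' shows up as 'policy.proto: ...'."""
    diffs = []
    for key, want in intended.items():
        if key in IGNORED_KEYS:
            continue
        have = installed.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict):
                diffs.append(f"{key}: {want!r} -> {have!r}")
                continue
            for param, pvalue in want.items():
                if have.get(param) != pvalue:
                    diffs.append(f"{key}.{param}: {pvalue!r} -> {have.get(param)!r}")
        elif have != want:
            diffs.append(f"{key}: {want!r} -> {have!r}")
    return sorted(diffs)


def verify_installed(intended, installed):
    """Return True when `installed` carries everything in `intended`; otherwise
    raise RuntimeError listing the parameters that were lost or changed."""
    diffs = rule_differences(intended, installed)
    if diffs:
        raise RuntimeError("installed rule differs from intent: " + "; ".join(diffs))
    return True


def install_and_verify(intended, add_rule, read_back):
    """Install `intended` with `add_rule(rule_dict)` and then read the chain
    back with `read_back()` (a list of rule dicts). Return the installed rule
    that fully matches the intent, or raise RuntimeError if none does. The two
    callables are injected so this runs without root or libxtables."""
    add_rule(intended)
    chain = read_back()
    for candidate in chain:
        if not rule_differences(intended, candidate):
            return candidate
    details = rule_differences(intended, chain[0]) if chain else ["chain is empty"]
    raise RuntimeError("no installed rule matches intent: " + "; ".join(details))


if __name__ == "__main__":
    # The copy python-iptables produced in the thread fails the check:
    for line in rule_differences(INTENDED_RULE, INSTALLED_RULE):
        print("lost:", line)
```

Running the check right after every `add_rule` call turns the silent loss into an exception before the weaker rule is relied on; the same comparison can be run periodically against `dump_chain` output as a drift check.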