def _add_delete_test(self,
name,
entry,
family,
cmd,
exclusive,
comment=None,
timeout=None,
etype="ip",
packets=None,
bytes=None):
excl_flag = NLM_F_EXCL if exclusive else 0
ip_version = self._family_to_version(family)
data_attrs = self._entry_to_data_attrs(entry, etype, ip_version)
if comment is not None:
data_attrs += [["IPSET_ATTR_COMMENT", comment],
["IPSET_ATTR_CADT_LINENO", 0]]
if timeout is not None:
data_attrs += [["IPSET_ATTR_TIMEOUT", timeout]]
if bytes is not None:
data_attrs += [["IPSET_ATTR_BYTES", bytes]]
if packets is not None:
data_attrs += [["IPSET_ATTR_PACKETS", packets]]
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_DATA', {
'attrs': data_attrs
}]]
return self.request(msg,
cmd,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def get_supported_revisions(self, stype, family=socket.AF_INET):
'''
Return minimum and maximum of revisions supported by the kernel.
Each ipset module (like hash:net, hash:ip, etc) has several
revisions. Newer revisions often have more features or more
performances. Thanks to this call, you can ask the kernel
the list of supported revisions.
You can manually set/force revisions used in IPSet constructor.
Example::
ipset = IPSet()
ipset.get_supported_revisions("hash:net")
ipset.get_supported_revisions("hash:net,port,net")
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family]]
response = self.request(msg, IPSET_CMD_TYPE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
min_revision = response[0].get_attr("IPSET_ATTR_PROTOCOL_MIN")
max_revision = response[0].get_attr("IPSET_ATTR_REVISION")
return min_revision, max_revision
def _add_delete(self, name, entry, family, cmd, exclusive):
if family == socket.AF_INET:
entry_type = 'IPSET_ATTR_IPADDR_IPV4'
elif family == socket.AF_INET6:
entry_type = 'IPSET_ATTR_IPADDR_IPV6'
else:
raise TypeError('unknown family')
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
[
'IPSET_ATTR_DATA', {
'attrs': [[
'IPSET_ATTR_IP', {
'attrs': [[entry_type, entry]]
}
]]
}
]]
return self.request(msg,
cmd,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def _add_delete_test(self, name, entry, family, cmd, exclusive,
comment=None, timeout=None, etype="ip",
packets=None, bytes=None, skbmark=None,
skbprio=None, skbqueue=None):
excl_flag = NLM_F_EXCL if exclusive else 0
ip_version = self._family_to_version(family)
data_attrs = self._entry_to_data_attrs(entry, etype, ip_version)
if comment is not None:
data_attrs += [["IPSET_ATTR_COMMENT", comment],
["IPSET_ATTR_CADT_LINENO", 0]]
if timeout is not None:
data_attrs += [["IPSET_ATTR_TIMEOUT", timeout]]
if bytes is not None:
data_attrs += [["IPSET_ATTR_BYTES", bytes]]
if packets is not None:
data_attrs += [["IPSET_ATTR_PACKETS", packets]]
if skbmark is not None:
data_attrs += [["IPSET_ATTR_SKBMARK", skbmark]]
if skbprio is not None:
data_attrs += [["IPSET_ATTR_SKBPRIO", skbprio]]
if skbqueue is not None:
data_attrs += [["IPSET_ATTR_SKBQUEUE", skbqueue]]
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_DATA', {'attrs': data_attrs}]]
return self.request(msg, cmd,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def get_supported_revisions(self, stype, family=socket.AF_INET):
'''
Return minimum and maximum of revisions supported by the kernel.
Each ipset module (like hash:net, hash:ip, etc) has several
revisions. Newer revisions often have more features or more
performances. Thanks to this call, you can ask the kernel
the list of supported revisions.
You can manually set/force revisions used in IPSet constructor.
Example::
ipset = IPSet()
ipset.get_supported_revisions("hash:net")
ipset.get_supported_revisions("hash:net,port,net")
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family]]
response = self.request(msg,
IPSET_CMD_TYPE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
min_revision = response[0].get_attr("IPSET_ATTR_PROTOCOL_MIN")
max_revision = response[0].get_attr("IPSET_ATTR_REVISION")
return min_revision, max_revision
def _list_or_headers(self, cmd, name=None, flags=None):
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
if flags is not None:
msg['attrs'].append(['IPSET_ATTR_FLAGS', flags])
return self.request(msg, cmd)
def _list_or_headers(self, cmd, name=None, flags=None):
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
if flags is not None:
msg['attrs'].append(['IPSET_ATTR_FLAGS', flags])
return self.request(msg, cmd)
def get_proto_version(self, version=6):
'''
Get supported protocol version by kernel.
version parameter allow to set mandatory (but unused?)
IPSET_ATTR_PROTOCOL netlink attribute in the request.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', version]]
return self.request(msg, IPSET_CMD_PROTOCOL)
def destroy(self, name):
'''
Destroy an ipset
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name]]
return self.request(msg, IPSET_CMD_DESTROY,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL,
terminate=_nlmsg_error)
def get_proto_version(self, version=6):
'''
Get supported protocol version by kernel.
version parameter allow to set mandatory (but unused?)
IPSET_ATTR_PROTOCOL netlink attribute in the request.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', version]]
return self.request(msg, IPSET_CMD_PROTOCOL)
def flush(self, name):
"""
Destroy an ipset
"""
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name]]
return self.request(msg, IPSET_CMD_FLUSH,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL,
terminate=_nlmsg_error)
def swap(self, set_a, set_b):
"""
Swap two ipsets
"""
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', set_a],
['IPSET_ATTR_TYPENAME', set_b]]
return self.request(msg, IPSET_CMD_SWAP,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
def destroy(self, name=None):
'''
Destroy one or all ipset (when name is None)
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
return self.request(msg, IPSET_CMD_DESTROY,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL,
terminate=_nlmsg_error)
def rename(self, name_src, name_dst):
'''
Rename the ipset.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name_src],
['IPSET_ATTR_TYPENAME', name_dst]]
return self.request(msg, IPSET_CMD_RENAME,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
def swap(self, set_a, set_b):
'''
Swap two ipsets. They must have compatible content type.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', set_a],
['IPSET_ATTR_TYPENAME', set_b]]
return self.request(msg, IPSET_CMD_SWAP,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
def rename(self, name_src, name_dst):
'''
Rename the ipset.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name_src],
['IPSET_ATTR_TYPENAME', name_dst]]
return self.request(msg, IPSET_CMD_RENAME,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
def destroy(self, name=None):
'''
Destroy one (when name is set) or all ipset (when name is None)
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
return self.request(msg, IPSET_CMD_DESTROY,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL,
terminate=_nlmsg_error)
def swap(self, set_a, set_b):
'''
Swap two ipsets
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', set_a],
['IPSET_ATTR_TYPENAME', set_b]]
return self.request(msg, IPSET_CMD_SWAP,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
def flush(self, name=None):
'''
Flush all ipsets. When name is set, flush only this ipset.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
return self.request(msg, IPSET_CMD_FLUSH,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
def flush(self, name):
"""
Destroy an ipset
"""
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name]]
return self.request(msg,
IPSET_CMD_FLUSH,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL,
terminate=_nlmsg_error)
def flush(self, name=None):
'''
Flush all ipsets. When name is set, flush only this ipset.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
return self.request(msg, IPSET_CMD_FLUSH,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
def _add_delete_test(self,
name,
entry,
family,
cmd,
exclusive,
comment=None,
timeout=None,
etype="ip",
packets=None,
bytes=None,
skbmark=None,
skbprio=None,
skbqueue=None,
wildcard=False,
physdev=False):
excl_flag = NLM_F_EXCL if exclusive else 0
adt_flags = 0
if wildcard:
adt_flags |= IPSET_FLAG_IFACE_WILDCARD
if physdev:
adt_flags |= IPSET_FLAG_PHYSDEV
ip_version = self._family_to_version(family)
data_attrs = self._entry_to_data_attrs(entry, etype, ip_version)
if comment is not None:
data_attrs += [["IPSET_ATTR_COMMENT", comment],
["IPSET_ATTR_CADT_LINENO", 0]]
if timeout is not None:
data_attrs += [["IPSET_ATTR_TIMEOUT", timeout]]
if bytes is not None:
data_attrs += [["IPSET_ATTR_BYTES", bytes]]
if packets is not None:
data_attrs += [["IPSET_ATTR_PACKETS", packets]]
if skbmark is not None:
data_attrs += [["IPSET_ATTR_SKBMARK", skbmark]]
if skbprio is not None:
data_attrs += [["IPSET_ATTR_SKBPRIO", skbprio]]
if skbqueue is not None:
data_attrs += [["IPSET_ATTR_SKBQUEUE", skbqueue]]
if adt_flags:
data_attrs += [["IPSET_ATTR_CADT_FLAGS", adt_flags]]
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_DATA', {
'attrs': data_attrs
}]]
return self.request(msg,
cmd,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def list(self, name=None):
'''
List installed ipsets. If `name` is provided, list
the named ipset or return an empty list.
It looks like nfnetlink doesn't return an error,
when requested ipset doesn't exist.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
return self.request(msg, IPSET_CMD_LIST)
def list(self, name=None):
'''
List installed ipsets. If `name` is provided, list
the named ipset or return an empty list.
It looks like nfnetlink doesn't return an error,
when requested ipset doesn't exist.
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version]]
if name is not None:
msg['attrs'].append(['IPSET_ATTR_SETNAME', name])
return self.request(msg, IPSET_CMD_LIST)
def create(self, name, stype='hash:ip', family=socket.AF_INET,
exclusive=True, counters=False, comment=False,
maxelem=IPSET_DEFAULT_MAXELEM, forceadd=False,
hashsize=None, timeout=None):
'''
Create an ipset `name` of type `stype`, by default
`hash:ip`.
Common ipset options are supported:
* exclusive -- if set, raise an error if the ipset exists
* counters -- enable data/packets counters
* comment -- enable comments capability
* maxelem -- max size of the ipset
* forceadd -- you should refer to the ipset manpage
* hashsize -- size of the hashtable (if any)
* timeout -- enable and set a default value for entries (if not None)
'''
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
cadt_flags = 0
if counters:
cadt_flags |= IPSET_FLAG_WITH_COUNTERS
if comment:
cadt_flags |= IPSET_FLAG_WITH_COMMENT
if forceadd:
cadt_flags |= IPSET_FLAG_WITH_FORCEADD
data = {"attrs": [["IPSET_ATTR_CADT_FLAGS", cadt_flags],
["IPSET_ATTR_MAXELEM", maxelem]]}
if hashsize is not None:
data['attrs'] += [["IPSET_ATTR_HASHSIZE", hashsize]]
if timeout is not None:
data['attrs'] += [["IPSET_ATTR_TIMEOUT", timeout]]
if self._attr_revision is None:
# Get the last revision supported by kernel
revision = self.get_supported_revisions(stype)[1]
else:
revision = self._attr_revision
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family],
['IPSET_ATTR_REVISION', revision],
["IPSET_ATTR_DATA", data]]
return self.request(msg, IPSET_CMD_CREATE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def _get_set_by(self, cmd, value):
# Check that IPSet version is supported
if self._proto_version < 7:
raise NotImplementedError()
msg = ipset_msg()
if cmd == IPSET_CMD_GET_BYNAME:
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', value]]
if cmd == IPSET_CMD_GET_BYINDEX:
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_INDEX', value]]
return self.request(msg, cmd)
def _get_set_by(self, cmd, value):
# Check that IPSet version is supported
if self._proto_version < 7:
raise NotImplementedError()
msg = ipset_msg()
if cmd == IPSET_CMD_GET_BYNAME:
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', value]]
if cmd == IPSET_CMD_GET_BYINDEX:
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_INDEX', value]]
return self.request(msg, cmd)
def get_supported_revisions(self, stype, family=socket.AF_INET):
'''
Return minimum and maximum of revisions supported by the kernel
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family]]
response = self.request(msg, IPSET_CMD_TYPE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
min_revision = response[0].get_attr("IPSET_ATTR_PROTOCOL_MIN")
max_revision = response[0].get_attr("IPSET_ATTR_REVISION")
return min_revision, max_revision
def get_supported_revisions(self, stype, family=socket.AF_INET):
'''
Return minimum and maximum of revisions supported by the kernel
'''
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family]]
response = self.request(msg, IPSET_CMD_TYPE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK,
terminate=_nlmsg_error)
min_revision = response[0].get_attr("IPSET_ATTR_PROTOCOL_MIN")
max_revision = response[0].get_attr("IPSET_ATTR_REVISION")
return min_revision, max_revision
def create(self,
name,
stype='hash:ip',
family=socket.AF_INET,
exclusive=True,
counters=False,
comment=False,
maxelem=IPSET_DEFAULT_MAXELEM,
forceadd=False,
hashsize=None,
timeout=None):
'''
Create an ipset `name` of type `stype`, by default
`hash:ip`.
Very simple and stupid method, should be extended
to support more ipset options.
'''
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
cadt_flags = 0
if counters:
cadt_flags |= IPSET_FLAG_WITH_COUNTERS
if comment:
cadt_flags |= IPSET_FLAG_WITH_COMMENT
if forceadd:
cadt_flags |= IPSET_FLAG_WITH_FORCEADD
data = {
"attrs": [["IPSET_ATTR_CADT_FLAGS", cadt_flags],
["IPSET_ATTR_MAXELEM", maxelem]]
}
if hashsize is not None:
data['attrs'] += [["IPSET_ATTR_HASHSIZE", hashsize]]
if timeout is not None:
data['attrs'] += [["IPSET_ATTR_TIMEOUT", timeout]]
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family],
['IPSET_ATTR_REVISION', self._attr_revision],
["IPSET_ATTR_DATA", data]]
return self.request(msg,
IPSET_CMD_CREATE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def _add_delete_test(self, name, entry, family, cmd, exclusive,
comment=None, timeout=None, etype="ip"):
excl_flag = NLM_F_EXCL if exclusive else 0
data_attrs = self._entry_to_data_attrs(entry, etype, family)
if comment is not None:
data_attrs += [["IPSET_ATTR_COMMENT", comment],
["IPSET_ATTR_CADT_LINENO", 0]]
if timeout is not None:
data_attrs += [["IPSET_ATTR_TIMEOUT", timeout]]
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_DATA', {'attrs': data_attrs}]]
return self.request(msg, cmd,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def _add_delete(self, name, entry, family, cmd, exclusive):
if family == socket.AF_INET:
entry_type = 'IPSET_ATTR_IPADDR_IPV4'
elif family == socket.AF_INET6:
entry_type = 'IPSET_ATTR_IPADDR_IPV6'
else:
raise TypeError('unknown family')
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_DATA',
{'attrs': [['IPSET_ATTR_IP',
{'attrs': [[entry_type, entry]]}]]}]]
return self.request(msg, cmd,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def create(self, name, stype='hash:ip', family=socket.AF_INET,
exclusive=True, counters=False, comment=False,
maxelem=IPSET_DEFAULT_MAXELEM, forceadd=False,
hashsize=None, timeout=None):
'''
Create an ipset `name` of type `stype`, by default
`hash:ip`.
Very simple and stupid method, should be extended
to support more ipset options.
'''
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
cadt_flags = 0
if counters:
cadt_flags |= IPSET_FLAG_WITH_COUNTERS
if comment:
cadt_flags |= IPSET_FLAG_WITH_COMMENT
if forceadd:
cadt_flags |= IPSET_FLAG_WITH_FORCEADD
data = {"attrs": [["IPSET_ATTR_CADT_FLAGS", cadt_flags],
["IPSET_ATTR_MAXELEM", maxelem]]}
if hashsize is not None:
data['attrs'] += [["IPSET_ATTR_HASHSIZE", hashsize]]
if timeout is not None:
data['attrs'] += [["IPSET_ATTR_TIMEOUT", timeout]]
if self._attr_revision is None:
# Get the last revision supported by kernel
revision = self.get_supported_revisions(stype)[1]
else:
revision = self._attr_revision
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family],
['IPSET_ATTR_REVISION', revision],
["IPSET_ATTR_DATA", data]]
return self.request(msg, IPSET_CMD_CREATE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def create(self, name, stype='hash:ip', family=socket.AF_INET,
exclusive=True):
'''
Create an ipset `name` of type `stype`, by default
`hash:ip`.
Very simple and stupid method, should be extended
to support ipset options.
'''
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family],
['IPSET_ATTR_REVISION', self._attr_revision]]
return self.request(msg, IPSET_CMD_CREATE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def create(self,
name,
stype='hash:ip',
family=socket.AF_INET,
exclusive=True):
'''
Create an ipset `name` of type `stype`, by default
`hash:ip`.
Very simple and stupid method, should be extended
to support ipset options.
'''
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family],
['IPSET_ATTR_REVISION', self._attr_revision]]
return self.request(msg,
IPSET_CMD_CREATE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def create(self,
name,
stype='hash:ip',
family=socket.AF_INET,
exclusive=True,
counters=False,
comment=False,
maxelem=IPSET_DEFAULT_MAXELEM,
forceadd=False,
hashsize=None,
timeout=None,
bitmap_ports_range=None,
size=None,
skbinfo=False):
'''
Create an ipset `name` of type `stype`, by default
`hash:ip`.
Common ipset options are supported:
* exclusive -- if set, raise an error if the ipset exists
* counters -- enable data/packets counters
* comment -- enable comments capability
* maxelem -- max size of the ipset
* forceadd -- you should refer to the ipset manpage
* hashsize -- size of the hashtable (if any)
* timeout -- enable and set a default value for entries (if not None)
* bitmap_ports_range -- set the specified inclusive portrange for
the bitmap ipset structure (0, 65536)
* size -- Size of the list:set, the default is 8
* skbinfo -- enable skbinfo capability
'''
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
cadt_flags = 0
if counters:
cadt_flags |= IPSET_FLAG_WITH_COUNTERS
if comment:
cadt_flags |= IPSET_FLAG_WITH_COMMENT
if forceadd:
cadt_flags |= IPSET_FLAG_WITH_FORCEADD
if skbinfo:
cadt_flags |= IPSET_FLAG_WITH_SKBINFO
if stype == 'bitmap:port' and bitmap_ports_range is None:
raise ValueError('Missing value bitmap_ports_range')
data = {
"attrs": [["IPSET_ATTR_CADT_FLAGS", cadt_flags],
["IPSET_ATTR_MAXELEM", maxelem]]
}
if hashsize is not None:
data['attrs'] += [["IPSET_ATTR_HASHSIZE", hashsize]]
elif size is not None and stype == 'list:set':
data['attrs'] += [['IPSET_ATTR_SIZE', size]]
if timeout is not None:
data['attrs'] += [["IPSET_ATTR_TIMEOUT", timeout]]
if bitmap_ports_range is not None and stype == 'bitmap:port':
# Set the bitmap range A bitmap type of set
# can store up to 65536 entries
if isinstance(bitmap_ports_range, PortRange):
data['attrs'] += [[
'IPSET_ATTR_PORT_FROM', bitmap_ports_range.begin
]]
data['attrs'] += [[
'IPSET_ATTR_PORT_TO', bitmap_ports_range.end
]]
else:
data['attrs'] += [[
'IPSET_ATTR_PORT_FROM', bitmap_ports_range[0]
]]
data['attrs'] += [[
'IPSET_ATTR_PORT_TO', bitmap_ports_range[1]
]]
if self._attr_revision is None:
# Get the last revision supported by kernel
revision = self.get_supported_revisions(stype)[1]
else:
revision = self._attr_revision
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family],
['IPSET_ATTR_REVISION', revision],
["IPSET_ATTR_DATA", data]]
return self.request(msg,
IPSET_CMD_CREATE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
def create(self, name, stype='hash:ip', family=socket.AF_INET,
exclusive=True, counters=False, comment=False,
maxelem=IPSET_DEFAULT_MAXELEM, forceadd=False,
hashsize=None, timeout=None, bitmap_ports_range=None,
size=None, skbinfo=False):
'''
Create an ipset `name` of type `stype`, by default
`hash:ip`.
Common ipset options are supported:
* exclusive -- if set, raise an error if the ipset exists
* counters -- enable data/packets counters
* comment -- enable comments capability
* maxelem -- max size of the ipset
* forceadd -- you should refer to the ipset manpage
* hashsize -- size of the hashtable (if any)
* timeout -- enable and set a default value for entries (if not None)
* bitmap_ports_range -- set the specified inclusive portrange for
the bitmap ipset structure (0, 65536)
* size -- Size of the list:set, the default is 8
* skbinfo -- enable skbinfo capability
'''
excl_flag = NLM_F_EXCL if exclusive else 0
msg = ipset_msg()
cadt_flags = 0
if counters:
cadt_flags |= IPSET_FLAG_WITH_COUNTERS
if comment:
cadt_flags |= IPSET_FLAG_WITH_COMMENT
if forceadd:
cadt_flags |= IPSET_FLAG_WITH_FORCEADD
if skbinfo:
cadt_flags |= IPSET_FLAG_WITH_SKBINFO
if stype == 'bitmap:port' and bitmap_ports_range is None:
raise ValueError('Missing value bitmap_ports_range')
data = {"attrs": [["IPSET_ATTR_CADT_FLAGS", cadt_flags],
["IPSET_ATTR_MAXELEM", maxelem]]}
if hashsize is not None:
data['attrs'] += [["IPSET_ATTR_HASHSIZE", hashsize]]
elif size is not None and stype == 'list:set':
data['attrs'] += [['IPSET_ATTR_SIZE', size]]
if timeout is not None:
data['attrs'] += [["IPSET_ATTR_TIMEOUT", timeout]]
if bitmap_ports_range is not None and stype == 'bitmap:port':
# Set the bitmap range A bitmap type of set
# can store up to 65536 entries
if isinstance(bitmap_ports_range, PortRange):
data['attrs'] += [['IPSET_ATTR_PORT_FROM',
bitmap_ports_range.begin]]
data['attrs'] += [['IPSET_ATTR_PORT_TO',
bitmap_ports_range.end]]
else:
data['attrs'] += [['IPSET_ATTR_PORT_FROM',
bitmap_ports_range[0]]]
data['attrs'] += [['IPSET_ATTR_PORT_TO',
bitmap_ports_range[1]]]
if self._attr_revision is None:
# Get the last revision supported by kernel
revision = self.get_supported_revisions(stype)[1]
else:
revision = self._attr_revision
msg['attrs'] = [['IPSET_ATTR_PROTOCOL', self._proto_version],
['IPSET_ATTR_SETNAME', name],
['IPSET_ATTR_TYPENAME', stype],
['IPSET_ATTR_FAMILY', family],
['IPSET_ATTR_REVISION', revision],
["IPSET_ATTR_DATA", data]]
return self.request(msg, IPSET_CMD_CREATE,
msg_flags=NLM_F_REQUEST | NLM_F_ACK | excl_flag,
terminate=_nlmsg_error)
