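def test_port_range_with_proto(self):
    """Check that hash:net,port membership is keyed on the protocol too.

    A UDP range 1000-2000 is added for 192.0.2.0/24. The same network and
    ports must stop matching once the protocol is switched to TCP, and a
    UDP port outside the range must not match either. A port-less
    protocol entry (vrrp, port 0) is then added and looked up.

    The set is created in the kernel, so it is always destroyed in a
    ``finally`` clause: a failing assertion must not leave a stale set
    behind.
    """
    # Project helper defined outside this block; presumably skips or fails
    # the test unless it runs as root - confirm against its definition.
    require_user('root')
    name = str(uuid4())[:16]
    ipset_type = "hash:net,port"
    etype = "net,port"
    network = "192.0.2.0/24"
    port_range = PortRange(1000, 2000, protocol=socket.IPPROTO_UDP)
    port_entry = PortEntry(1001, protocol=socket.IPPROTO_UDP)

    self.ip.create(name, stype=ipset_type)
    try:
        self.ip.add(name, (network, port_range), etype=etype)

        assert self.ip.test(name, (network, port_range), etype=etype)
        assert self.ip.test(name, ("192.0.2.2/32", port_entry), etype=etype)

        # Same network and ports, but TCP instead of UDP: must not match.
        port_range.protocol = socket.IPPROTO_TCP
        assert not self.ip.test(name, (network, port_range), etype=etype)

        # port_entry is still UDP; port 2 lies outside 1000-2000.
        port_entry.port = 2
        assert not self.ip.test(name, (network, port_entry), etype=etype)

        # Same example as in the ipset man pages: vrrp with port 0.
        proto = socket.getprotobyname("vrrp")
        port_entry.port = 0
        port_entry.protocol = proto
        self.ip.add(name, (network, port_entry), etype=etype)
        # Assert the lookup result: a bare call would only prove that
        # test() does not raise, not that the entry is in the set.
        assert self.ip.test(name, (network, port_entry), etype=etype)
    finally:
        self.ip.destroy(name)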
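def test_port_range_with_proto(self):
    """Check that hash:net,port membership is keyed on the protocol too.

    A UDP range 1000-2000 is added for 192.0.2.0/24; switching the lookup
    to TCP, or to a UDP port outside the range, must not match. A vrrp
    entry with port 0 is then added and looked up.

    The kernel set is destroyed in a ``finally`` clause so that a failing
    assertion does not leak it.
    """
    # NOTE(review): no privilege guard is visible in this variant; ipset
    # changes normally need root/CAP_NET_ADMIN - confirm that the test
    # setup outside this block takes care of it.
    name = str(uuid4())[:16]
    ipset_type = "hash:net,port"
    etype = "net,port"
    network = "192.0.2.0/24"
    port_range = PortRange(1000, 2000, protocol=socket.IPPROTO_UDP)
    port_entry = PortEntry(1001, protocol=socket.IPPROTO_UDP)

    self.ip.create(name, stype=ipset_type)
    try:
        self.ip.add(name, (network, port_range), etype=etype)

        assert self.ip.test(name, (network, port_range), etype=etype)
        assert self.ip.test(name, ("192.0.2.2/32", port_entry), etype=etype)

        # Change the protocol: the TCP range must not be in the set.
        port_range.protocol = socket.IPPROTO_TCP
        assert not self.ip.test(name, (network, port_range), etype=etype)

        # Still UDP, but port 2 is outside the stored 1000-2000 range.
        port_entry.port = 2
        assert not self.ip.test(name, (network, port_entry), etype=etype)

        # Same example as in the ipset man pages: vrrp with port 0.
        proto = socket.getprotobyname("vrrp")
        port_entry.port = 0
        port_entry.protocol = proto
        self.ip.add(name, (network, port_entry), etype=etype)
        # The lookup result has to be asserted, otherwise this line only
        # checks that test() does not raise.
        assert self.ip.test(name, (network, port_entry), etype=etype)
    finally:
        self.ip.destroy(name)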
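def test_bitmap_port(self):
    """Exercise add/test/delete on a bitmap:port set bounded to 1000-6000.

    Covers a single port, a PortRange without protocol, deletion of that
    range, a PortEntry without protocol, and rejection of a port below
    the bitmap range (expected NetlinkError code IPSET_ERR_TYPE_SPECIFIC).

    The kernel set is destroyed in a ``finally`` clause so that a failing
    assertion does not leak it.
    """
    # Project helper defined outside this block; presumably skips or fails
    # the test unless it runs as root - confirm against its definition.
    require_user('root')
    name = str(uuid4())[:16]
    ipset_type = "bitmap:port"
    etype = "port"
    port_range = (1000, 6000)

    self.ip.create(name, stype=ipset_type, bitmap_ports_range=port_range)
    try:
        self.ip.add(name, 1002, etype=etype)
        assert self.ip.test(name, 1002, etype=etype)

        add_range = PortRange(2000, 3000, protocol=None)
        self.ip.add(name, add_range, etype=etype)
        assert self.ip.test(name, 2001, etype=etype)
        assert self.ip.test(name, 3000, etype=etype)
        assert not self.ip.test(name, 4000, etype=etype)

        # Check that delete is working as well
        self.ip.delete(name, add_range, etype=etype)
        assert not self.ip.test(name, 2001, etype=etype)

        # Test PortEntry without protocol set; 2001 was removed just
        # above, so a positive lookup proves this add took effect.
        port_entry = PortEntry(2001)
        self.ip.add(name, port_entry, etype=etype)
        assert self.ip.test(name, 2001, etype=etype)

        # Port 18 is below the 1000-6000 range given at creation, so the
        # add must be refused rather than silently accepted.
        try:
            self.ip.add(name, 18, etype=etype)
        except NetlinkError as e:
            assert e.code == IPSET_ERR_TYPE_SPECIFIC
        else:
            raise AssertionError(
                "adding a port outside the bitmap range did not fail")
    finally:
        self.ip.destroy(name)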
# Excerpt: `ipset` and the set "foo" are used below but are set up before
# the visible lines.
in_foo = ipset.test("foo", "198.51.100.1")
print(in_foo)  # True
not_in_foo = ipset.test("foo", "198.51.100.10")
print(not_in_foo)  # False

# Walk the dump of "foo" and print every IPv4 address attribute found
# under IPSET_ATTR_ADT -> IPSET_ATTR_DATA -> IPSET_ATTR_IP_FROM.
msg_list = ipset.list("foo")
for msg in msg_list:
    adt = msg.get_attr('IPSET_ATTR_ADT')
    for attr_data in adt.get_attrs('IPSET_ATTR_DATA'):
        for attr_ip_from in attr_data.get_attrs('IPSET_ATTR_IP_FROM'):
            for ipv4 in attr_ip_from.get_attrs('IPSET_ATTR_IPADDR_IPV4'):
                print("- " + ipv4)
ipset.destroy("foo")
ipset.close()

# bitmap:port set limited to ports 1000-2000: one single port plus a range.
ipset = IPSet()
ipset.create("bar", stype="bitmap:port", bitmap_ports_range=(1000, 2000))
ipset.add("bar", 1001, etype="port")
bar_ports = PortRange(1500, 2000)
ipset.add("bar", bar_ports, etype="port")
in_bar = ipset.test("bar", 1600, etype="port")
print(in_bar)  # True
not_in_bar = ipset.test("bar", 2600, etype="port")
print(not_in_bar)  # False
ipset.destroy("bar")
ipset.close()

# hash:net,port set: the entry is added as "net,port" (a /24 with tcp/80)
# and single hosts are looked up as "ip,port". Only the port that was
# added matches; tcp/443 on the same host does not.
ipset = IPSet()
protocol_tcp = socket.getprotobyname("tcp")
ipset.create("foobar", stype="hash:net,port")
port_entry_http = PortEntry(80, protocol=protocol_tcp)
ipset.add("foobar", ("198.51.100.0/24", port_entry_http), etype="net,port")
http_hit = ipset.test(
    "foobar", ("198.51.100.1", port_entry_http), etype="ip,port")
print(http_hit)  # True
port_entry_https = PortEntry(443, protocol=protocol_tcp)
https_hit = ipset.test(
    "foobar", ("198.51.100.1", port_entry_https), etype="ip,port")
print(https_hit)  # False
# NOTE(review): no destroy()/close() for "foobar" is visible in this
# excerpt; confirm the cleanup follows, since a set stays in the kernel
# until it is destroyed.