Merge branch 'master' of https://github.com/ldx/python-iptables into issue230

Author: jllorente

README.md

@@ -141,7 +141,7 @@ High level abstractions
 ``python-iptables`` implements a low-level interface that tries to closely
 match the underlying C libraries. The module ``iptc.easy`` improves the
 usability of the library by providing a rich set of high-level functions
-designed to simplify the interaction with the library, for example::
+designed to simplify the interaction with the library, for example:
 
     >>> import iptc
     >>> iptc.easy.dump_table('nat', ipv6=False)
@@ -160,6 +160,11 @@ designed to simplify the interaction with the library, for example::
     [{'protocol': 'tcp', 'target': 'ACCEPT', 'tcp': {'dport': '22'}}]
     >>> iptc.easy.delete_chain('filter', 'TestChain', flush=True)
 
+    >>> # Example of goto rule // iptables -A FORWARD -p gre -g TestChainGoto
+    >>> iptc.easy.add_chain('filter', 'TestChainGoto')
+    >>> rule_goto_d = {'protocol': 'gre', 'target': {'goto': 'TestChainGoto'}}
+    >>> iptc.easy.insert_rule('filter', 'FORWARD', rule_goto_d)
+
 Rules
 -----
 

doc/examples.rst

@@ -7,7 +7,7 @@ High level abstractions
 ``python-iptables`` implements a low-level interface that tries to closely
 match the underlying C libraries. The module ``iptc.easy`` improves the
 usability of the library by providing a rich set of high-level functions
-designed to simplify the interaction with the library, for example::
+designed to simplify the interaction with the library, for example:
 
     >>> import iptc
     >>> iptc.easy.dump_table('nat', ipv6=False)
@@ -26,6 +26,11 @@ designed to simplify the interaction with the library, for example::
     [{'protocol': 'tcp', 'target': 'ACCEPT', 'tcp': {'dport': '22'}}]
     >>> iptc.easy.delete_chain('filter', 'TestChain', flush=True)
 
+    >>> # Example of goto rule // iptables -A FORWARD -p gre -g TestChainGoto
+    >>> iptc.easy.add_chain('filter', 'TestChainGoto')
+    >>> rule_goto_d = {'protocol': 'gre', 'target': {'goto': 'TestChainGoto'}}
+    >>> iptc.easy.insert_rule('filter', 'FORWARD', rule_goto_d)
+
 Rules
 -----
 

iptc/easy.py

@@ -295,6 +295,8 @@ def encode_iptc_rule(rule_d, ipv6=False):
     # Basic rule attributes
     rule_attr = ('src', 'dst', 'protocol', 'in-interface', 'out-interface', 'fragment')
     iptc_rule = Rule6() if ipv6 else Rule()
+    # Set default target
+    rule_d.setdefault('target', '')
     # Avoid issues with matches that require basic parameters to be configured first
     for name in rule_attr:
         if name in rule_d:
@@ -347,7 +349,10 @@ def decode_iptc_rule(iptc_rule, ipv6=False):
         name = iptc_rule.target.name.replace('-', '_')
         d['target'] = {name:iptc_rule.target.get_all_parameters()}
     elif iptc_rule.target and iptc_rule.target.name:
-        d['target'] = iptc_rule.target.name
+        if iptc_rule.target.goto:
+            d['target'] = {'goto':iptc_rule.target.name}
+        else:
+            d['target'] = iptc_rule.target.name
     # Return a filtered dictionary
     return _filter_empty_field(d)
 
@@ -412,10 +417,12 @@ def _iptc_setmatch(iptc_rule, name, value):
 def _iptc_settarget(iptc_rule, value):
     # Target is dictionary - Use only 1 pair key/value
     if isinstance(value, dict):
-        for k, v in value.items():
-            iptc_target = iptc_rule.create_target(k)
-            _iptc_setattr_d(iptc_target, v)
-            return
+        t_name, t_value = next(iter(value.items()))
+        if t_name == 'goto':
+            iptc_target = iptc_rule.create_target(t_value, goto=True)
+        else:
+            iptc_target = iptc_rule.create_target(t_name)
+            _iptc_setattr_d(iptc_target, t_value)
     # Simple target
     else:
         iptc_target = iptc_rule.create_target(value)

iptc/ip4tc.py

@@ -1062,9 +1062,6 @@ def set_src(self, src):
             saddr = _a_to_i(socket.inet_pton(socket.AF_INET, addr))
         except socket.error:
             raise ValueError("invalid address %s" % (addr))
-        ina = in_addr()
-        ina.s_addr = ct.c_uint32(saddr)
-        self.entry.ip.src = ina
 
         if not netm.isdigit():
             try:
@@ -1078,8 +1075,11 @@ def set_src(self, src):
             nmask = socket.htonl((2 ** imask - 1) << (32 - imask))
         neta = in_addr()
         neta.s_addr = ct.c_uint32(nmask)
-
         self.entry.ip.smsk = neta
+        # Apply subnet mask to IP address
+        ina = in_addr()
+        ina.s_addr = ct.c_uint32(saddr & nmask)
+        self.entry.ip.src = ina
 
     src = property(get_src, set_src)
     """This is the source network address with an optional network mask in
@@ -1123,9 +1123,6 @@ def set_dst(self, dst):
             daddr = _a_to_i(socket.inet_pton(socket.AF_INET, addr))
         except socket.error:
             raise ValueError("invalid address %s" % (addr))
-        ina = in_addr()
-        ina.s_addr = ct.c_uint32(daddr)
-        self.entry.ip.dst = ina
 
         if not netm.isdigit():
             try:
@@ -1140,6 +1137,10 @@ def set_dst(self, dst):
         neta = in_addr()
         neta.s_addr = ct.c_uint32(nmask)
         self.entry.ip.dmsk = neta
+        # Apply subnet mask to IP address
+        ina = in_addr()
+        ina.s_addr = ct.c_uint32(daddr & nmask)
+        self.entry.ip.dst = ina
 
     dst = property(get_dst, set_dst)
     """This is the destination network address with an optional network mask

tests/test_iptc.py

@@ -620,13 +620,13 @@ def tearDown(self):
     def test_rule_address(self):
         # valid addresses
         rule = iptc.Rule()
-        for addr in [("127.0.0.1/255.255.255.0", "127.0.0.1/255.255.255.0"),
-                     ("!127.0.0.1/255.255.255.0", "!127.0.0.1/255.255.255.0"),
-                     ("127.0.0.1/255.255.128.0", "127.0.0.1/255.255.128.0"),
-                     ("127.0.0.1/16", "127.0.0.1/255.255.0.0"),
-                     ("127.0.0.1/24", "127.0.0.1/255.255.255.0"),
-                     ("127.0.0.1/17", "127.0.0.1/255.255.128.0"),
-                     ("!127.0.0.1/17", "!127.0.0.1/255.255.128.0")]:
+        for addr in [("127.0.0.1/255.255.255.0", "127.0.0.0/255.255.255.0"),
+                     ("!127.0.0.1/255.255.255.0", "!127.0.0.0/255.255.255.0"),
+                     ("127.0.0.1/255.255.128.0", "127.0.0.0/255.255.128.0"),
+                     ("127.0.0.1/16", "127.0.0.0/255.255.0.0"),
+                     ("127.0.0.1/24", "127.0.0.0/255.255.255.0"),
+                     ("127.0.0.1/17", "127.0.0.0/255.255.128.0"),
+                     ("!127.0.0.1/17", "!127.0.0.0/255.255.128.0")]:
             rule.src = addr[0]
             self.assertEquals(rule.src, addr[1])
             rule.dst = addr[0]