__pycache__/__init__.cpython-36.opt-1.pyc000064400000000212147204716050014101 0ustar003 ]b@s ddlTdS))*N)Znftablesrr/usr/lib/python3.6/__init__.pys__pycache__/__init__.cpython-36.pyc000064400000000212147204716050013142 0ustar003 ]b@s ddlTdS))*N)Znftablesrr/usr/lib/python3.6/__init__.pys__pycache__/nftables.cpython-36.opt-1.pyc000064400000032430147204716050014147 0ustar003 M f]8@sDddlZddlTddlZddlZdZGdddZGdddZdS)N)*z0.1c@s eZdZdZddZddZdS)SchemaValidatorz+Libnftables JSON validator using jsonschemac CsJtjjtjjtd}t|d}tj||_WdQRXddl }||_ dS)Nz schema.jsonrr) ospathjoindirname__file__openjsonloadschema jsonschema)selfZ schema_pathZ schema_filerr/usr/lib/python3.6/nftables.py__init__s  zSchemaValidator.__init__cCs|jj||jddS)N)instancer )rvalidater )rr rrrr"szSchemaValidator.validateN)__name__ __module__ __qualname____doc__rrrrrrrsrc @sPeZdZdZdddddddd ZdWdXdYdZd[d\d]d^d_d`dadbd ZdZdcddZddZddZ ddZ ddZ dd Z d!d"Z d#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Zd;d<Zd=d>Zd?d@ZdAdBZdCdDZdEdFZdGdHZ dIdJZ!dKdLZ"dMdNZ#dOdPZ$dQdRZ%dSdTZ&dUdVZ'dS)dNftablesz*A class representing libnftables interface @)scannerparserevalZnetlinkZmnlz proto-ctxZsegtreer ) reversednsservice statelesshandler echoguid numeric_proto numeric_prionumeric_symbol numeric_timeterseNlibnftables.so.1.1.0cCs>tj|}|j|_t|j_tg|j_|j|_t|j_tg|j_|j |_ ttg|j _|j |_ t|j _tg|j _|j |_ ttg|j _|j |_ t|j _tg|j _|j |_ t|j _tg|j _|j|_t|j_tg|j_|j|_t|j_tg|j_|j|_t|j_ttg|j_|j|_tg|j_|jd|_|j |j|j|jdS)alInstantiate a new Nftables class object. Accepts a shared object file to open, by default standard search path is searched for a file named 'libnftables.so'. After loading the library using ctypes module, a new nftables context is requested from the library and buffering of output and error streams is turned on. rN)ZcdllZ LoadLibraryZ nft_ctx_newZc_void_pZrestypeZc_intZargtypesnft_ctx_output_get_flagsZc_uintnft_ctx_output_set_flagsnft_ctx_output_get_debugnft_ctx_output_set_debugZnft_ctx_buffer_outputnft_ctx_get_output_bufferZc_char_pZnft_ctx_buffer_errornft_ctx_get_error_buffernft_run_cmd_from_buffer nft_ctx_free_Nftables__ctx)rZsofilelibrrrrCsD              zNftables.__init__cCs|j|jdS)N)r>r?)rrrr__del__szNftables.__del__cCs|j|}|j|j|@S)N) output_flagsr7r?)rnameflagrrrZ__get_output_flags zNftables.__get_output_flagcCsD|j|}|j|j}|r$||B}n ||@}|j|j|||@S)N)rBr7r?r8)rrCvalrDflagsZ new_flagsrrrZ__set_output_flags    zNftables.__set_output_flagcCs |jdS)zGet the current state of reverse DNS output. Returns a boolean indicating whether reverse DNS lookups are performed for IP addresses in output. r+)_Nftables__get_output_flag)rrrrget_reversedns_outputszNftables.get_reversedns_outputcCs |jd|S)zEnable or disable reverse DNS output. Accepts a boolean turning reverse DNS lookups in output on or off. Returns the previous value. r+)_Nftables__set_output_flag)rrErrrset_reversedns_outputszNftables.set_reversedns_outputcCs |jdS)zGet the current state of service name output. Returns a boolean indicating whether service names are used for port numbers in output or not. r,)rG)rrrrget_service_outputszNftables.get_service_outputcCs |jd|S)zEnable or disable service name output. Accepts a boolean turning service names for port numbers in output on or off. Returns the previous value. r,)rI)rrErrrset_service_outputszNftables.set_service_outputcCs |jdS)zGet the current state of stateless output. Returns a boolean indicating whether stateless output is active or not. r-)rG)rrrrget_stateless_outputszNftables.get_stateless_outputcCs |jd|S)zEnable or disable stateless output. Accepts a boolean turning stateless output either on or off. Returns the previous value. r-)rI)rrErrrset_stateless_outputszNftables.set_stateless_outputcCs |jdS)z~Get the current state of handle output. Returns a boolean indicating whether handle output is active or not. r.)rG)rrrrget_handle_outputszNftables.get_handle_outputcCs |jd|S)zEnable or disable handle output. Accepts a boolean turning handle output on or off. Returns the previous value. r.)rI)rrErrrset_handle_outputszNftables.set_handle_outputcCs |jdS)zzGet the current state of JSON output. Returns a boolean indicating whether JSON output is active or not. r )rG)rrrrget_json_outputszNftables.get_json_outputcCs |jd|S)zEnable or disable JSON output. Accepts a boolean turning JSON output either on or off. Returns the previous value. r )rI)rrErrrset_json_outputszNftables.set_json_outputcCs |jdS)zzGet the current state of echo output. Returns a boolean indicating whether echo output is active or not. r/)rG)rrrrget_echo_outputszNftables.get_echo_outputcCs |jd|S)zEnable or disable echo output. Accepts a boolean turning echo output on or off. Returns the previous value. r/)rI)rrErrrset_echo_outputszNftables.set_echo_outputcCs |jdS)zGet the current state of GID/UID output. Returns a boolean indicating whether names for group/user IDs are used in output or not. r0)rG)rrrrget_guid_outputszNftables.get_guid_outputcCs |jd|S)zEnable or disable GID/UID output. Accepts a boolean turning names for group/user IDs on or off. Returns the previous value. r0)rI)rrErrrset_guid_outputszNftables.set_guid_outputcCs |jdS)ztGet current status of numeric protocol output flag. Returns a boolean value indicating the status. r1)rG)rrrrget_numeric_proto_outputsz!Nftables.get_numeric_proto_outputcCs |jd|S)zSet numeric protocol output flag. Accepts a boolean turning numeric protocol output either on or off. Returns the previous value. r1)rI)rrErrrset_numeric_proto_output sz!Nftables.set_numeric_proto_outputcCs |jdS)zzGet current status of numeric chain priority output flag. Returns a boolean value indicating the status. r2)rG)rrrrget_numeric_prio_outputsz Nftables.get_numeric_prio_outputcCs |jd|S)zSet numeric chain priority output flag. Accepts a boolean turning numeric chain priority output either on or off. Returns the previous value. r2)rI)rrErrrset_numeric_prio_outputsz Nftables.set_numeric_prio_outputcCs |jdS)zsGet current status of numeric symbols output flag. Returns a boolean value indicating the status. r3)rG)rrrrget_numeric_symbol_output%sz"Nftables.get_numeric_symbol_outputcCs |jd|S)zSet numeric symbols output flag. Accepts a boolean turning numeric representation of symbolic constants in output either on or off. Returns the previous value. r3)rI)rrErrrset_numeric_symbol_output,sz"Nftables.set_numeric_symbol_outputcCs |jdS)zqGet current status of numeric times output flag. Returns a boolean value indicating the status. r4)rG)rrrrget_numeric_time_output6sz Nftables.get_numeric_time_outputcCs |jd|S)zSet numeric times output flag. Accepts a boolean turning numeric representation of time values in output either on or off. Returns the previous value. r4)rI)rrErrrset_numeric_time_output=sz Nftables.set_numeric_time_outputcCs |jdS)z|Get the current state of terse output. Returns a boolean indicating whether terse output is active or not. r5)rG)rrrrget_terse_outputGszNftables.get_terse_outputcCs |jd|S)zEnable or disable terse output. Accepts a boolean turning terse output either on or off. Returns the previous value. r5)rI)rrErrrset_terse_outputNszNftables.set_terse_outputcCsV|j|j}g}x2|jjD]$\}}||@r|j|||M}qW|rR|j||S)zmGet currently active debug flags. Returns a set of flag names. See set_debug() for details. )r9r? debug_flagsitemsappend)rrEnamesnvrrr get_debugWs   zNftables.get_debugcCs`|j}t|ttgkr|g}d}x*|D]"}t|tkrB|j|}||O}q(W|j|j||S)aSet debug output flags. Accepts either a single flag or a set of flags. Each flag might be given either as string or integer value as shown in the following table: Name | Value (hex) ----------------------- scanner | 0x1 parser | 0x2 eval | 0x4 netlink | 0x8 mnl | 0x10 proto-ctx | 0x20 segtree | 0x40 Returns a set of previously active debug flags, as returned by get_debug() method. r)rgtypestrintrar:r?)rvaluesoldrErfrrr set_debughs    zNftables.set_debugcCsdd}t|tsd}|jd}|j|j|}|j|j}|j|j}|rZ|jd}|jd}|||fS)aRun a simple nftables command via libnftables. Accepts a string containing an nftables command just like what one would enter into an interactive nftables (nft -i) session. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() fuction output -- a string containing output written to stdout error -- a string containing output written to stderr FTzutf-8) isinstancebytesencoder=r?r;r<decode)rZcmdlineZcmdline_is_unicodercoutputerrorrrrcmds       z Nftables.cmdcCsJ|jd}|jtj|\}}}|s.|j|t|r@tj|}|||fS)aiRun an nftables command in JSON syntax via libnftables. Accepts a hash object as input. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() function output -- a hash object containing library standard output error -- a string containing output written to stderr T)rRrur dumpslenloads)r json_rootZ json_out_oldrrrsrtrrrjson_cmds   zNftables.json_cmdcCs|jst|_|jj|dS)zValidate JSON object against libnftables schema. Accepts a hash object as input. Returns True if JSON is valid, raises an exception otherwise. T) validatorrr)rryrrr json_validates zNftables.json_validaterrrrrrr iii)r6)(rrrrrarBr{rrArGrIrHrJrKrLrMrNrOrPrQrRrSrTrUrVrWrXrYrZr[r\r]r^r_r`rgrmrurzr|rrrrr%sl <             #r)r ZctypessysrZNFTABLES_VERSIONrrrrrrs  __pycache__/nftables.cpython-36.pyc000064400000032430147204716050013210 0ustar003 M f]8@sDddlZddlTddlZddlZdZGdddZGdddZdS)N)*z0.1c@s eZdZdZddZddZdS)SchemaValidatorz+Libnftables JSON validator using jsonschemac CsJtjjtjjtd}t|d}tj||_WdQRXddl }||_ dS)Nz schema.jsonrr) ospathjoindirname__file__openjsonloadschema jsonschema)selfZ schema_pathZ schema_filerr/usr/lib/python3.6/nftables.py__init__s  zSchemaValidator.__init__cCs|jj||jddS)N)instancer )rvalidater )rr rrrr"szSchemaValidator.validateN)__name__ __module__ __qualname____doc__rrrrrrrsrc @sPeZdZdZdddddddd ZdWdXdYdZd[d\d]d^d_d`dadbd ZdZdcddZddZddZ ddZ ddZ dd Z d!d"Z d#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Zd;d<Zd=d>Zd?d@ZdAdBZdCdDZdEdFZdGdHZ dIdJZ!dKdLZ"dMdNZ#dOdPZ$dQdRZ%dSdTZ&dUdVZ'dS)dNftablesz*A class representing libnftables interface @)scannerparserevalZnetlinkZmnlz proto-ctxZsegtreer ) reversednsservice statelesshandler echoguid numeric_proto numeric_prionumeric_symbol numeric_timeterseNlibnftables.so.1.1.0cCs>tj|}|j|_t|j_tg|j_|j|_t|j_tg|j_|j |_ ttg|j _|j |_ t|j _tg|j _|j |_ ttg|j _|j |_ t|j _tg|j _|j |_ t|j _tg|j _|j|_t|j_tg|j_|j|_t|j_tg|j_|j|_t|j_ttg|j_|j|_tg|j_|jd|_|j |j|j|jdS)alInstantiate a new Nftables class object. Accepts a shared object file to open, by default standard search path is searched for a file named 'libnftables.so'. After loading the library using ctypes module, a new nftables context is requested from the library and buffering of output and error streams is turned on. rN)ZcdllZ LoadLibraryZ nft_ctx_newZc_void_pZrestypeZc_intZargtypesnft_ctx_output_get_flagsZc_uintnft_ctx_output_set_flagsnft_ctx_output_get_debugnft_ctx_output_set_debugZnft_ctx_buffer_outputnft_ctx_get_output_bufferZc_char_pZnft_ctx_buffer_errornft_ctx_get_error_buffernft_run_cmd_from_buffer nft_ctx_free_Nftables__ctx)rZsofilelibrrrrCsD              zNftables.__init__cCs|j|jdS)N)r>r?)rrrr__del__szNftables.__del__cCs|j|}|j|j|@S)N) output_flagsr7r?)rnameflagrrrZ__get_output_flags zNftables.__get_output_flagcCsD|j|}|j|j}|r$||B}n ||@}|j|j|||@S)N)rBr7r?r8)rrCvalrDflagsZ new_flagsrrrZ__set_output_flags    zNftables.__set_output_flagcCs |jdS)zGet the current state of reverse DNS output. Returns a boolean indicating whether reverse DNS lookups are performed for IP addresses in output. r+)_Nftables__get_output_flag)rrrrget_reversedns_outputszNftables.get_reversedns_outputcCs |jd|S)zEnable or disable reverse DNS output. Accepts a boolean turning reverse DNS lookups in output on or off. Returns the previous value. r+)_Nftables__set_output_flag)rrErrrset_reversedns_outputszNftables.set_reversedns_outputcCs |jdS)zGet the current state of service name output. Returns a boolean indicating whether service names are used for port numbers in output or not. r,)rG)rrrrget_service_outputszNftables.get_service_outputcCs |jd|S)zEnable or disable service name output. Accepts a boolean turning service names for port numbers in output on or off. Returns the previous value. r,)rI)rrErrrset_service_outputszNftables.set_service_outputcCs |jdS)zGet the current state of stateless output. Returns a boolean indicating whether stateless output is active or not. r-)rG)rrrrget_stateless_outputszNftables.get_stateless_outputcCs |jd|S)zEnable or disable stateless output. Accepts a boolean turning stateless output either on or off. Returns the previous value. r-)rI)rrErrrset_stateless_outputszNftables.set_stateless_outputcCs |jdS)z~Get the current state of handle output. Returns a boolean indicating whether handle output is active or not. r.)rG)rrrrget_handle_outputszNftables.get_handle_outputcCs |jd|S)zEnable or disable handle output. Accepts a boolean turning handle output on or off. Returns the previous value. r.)rI)rrErrrset_handle_outputszNftables.set_handle_outputcCs |jdS)zzGet the current state of JSON output. Returns a boolean indicating whether JSON output is active or not. r )rG)rrrrget_json_outputszNftables.get_json_outputcCs |jd|S)zEnable or disable JSON output. Accepts a boolean turning JSON output either on or off. Returns the previous value. r )rI)rrErrrset_json_outputszNftables.set_json_outputcCs |jdS)zzGet the current state of echo output. Returns a boolean indicating whether echo output is active or not. r/)rG)rrrrget_echo_outputszNftables.get_echo_outputcCs |jd|S)zEnable or disable echo output. Accepts a boolean turning echo output on or off. Returns the previous value. r/)rI)rrErrrset_echo_outputszNftables.set_echo_outputcCs |jdS)zGet the current state of GID/UID output. Returns a boolean indicating whether names for group/user IDs are used in output or not. r0)rG)rrrrget_guid_outputszNftables.get_guid_outputcCs |jd|S)zEnable or disable GID/UID output. Accepts a boolean turning names for group/user IDs on or off. Returns the previous value. r0)rI)rrErrrset_guid_outputszNftables.set_guid_outputcCs |jdS)ztGet current status of numeric protocol output flag. Returns a boolean value indicating the status. r1)rG)rrrrget_numeric_proto_outputsz!Nftables.get_numeric_proto_outputcCs |jd|S)zSet numeric protocol output flag. Accepts a boolean turning numeric protocol output either on or off. Returns the previous value. r1)rI)rrErrrset_numeric_proto_output sz!Nftables.set_numeric_proto_outputcCs |jdS)zzGet current status of numeric chain priority output flag. Returns a boolean value indicating the status. r2)rG)rrrrget_numeric_prio_outputsz Nftables.get_numeric_prio_outputcCs |jd|S)zSet numeric chain priority output flag. Accepts a boolean turning numeric chain priority output either on or off. Returns the previous value. r2)rI)rrErrrset_numeric_prio_outputsz Nftables.set_numeric_prio_outputcCs |jdS)zsGet current status of numeric symbols output flag. Returns a boolean value indicating the status. r3)rG)rrrrget_numeric_symbol_output%sz"Nftables.get_numeric_symbol_outputcCs |jd|S)zSet numeric symbols output flag. Accepts a boolean turning numeric representation of symbolic constants in output either on or off. Returns the previous value. r3)rI)rrErrrset_numeric_symbol_output,sz"Nftables.set_numeric_symbol_outputcCs |jdS)zqGet current status of numeric times output flag. Returns a boolean value indicating the status. r4)rG)rrrrget_numeric_time_output6sz Nftables.get_numeric_time_outputcCs |jd|S)zSet numeric times output flag. Accepts a boolean turning numeric representation of time values in output either on or off. Returns the previous value. r4)rI)rrErrrset_numeric_time_output=sz Nftables.set_numeric_time_outputcCs |jdS)z|Get the current state of terse output. Returns a boolean indicating whether terse output is active or not. r5)rG)rrrrget_terse_outputGszNftables.get_terse_outputcCs |jd|S)zEnable or disable terse output. Accepts a boolean turning terse output either on or off. Returns the previous value. r5)rI)rrErrrset_terse_outputNszNftables.set_terse_outputcCsV|j|j}g}x2|jjD]$\}}||@r|j|||M}qW|rR|j||S)zmGet currently active debug flags. Returns a set of flag names. See set_debug() for details. )r9r? debug_flagsitemsappend)rrEnamesnvrrr get_debugWs   zNftables.get_debugcCs`|j}t|ttgkr|g}d}x*|D]"}t|tkrB|j|}||O}q(W|j|j||S)aSet debug output flags. Accepts either a single flag or a set of flags. Each flag might be given either as string or integer value as shown in the following table: Name | Value (hex) ----------------------- scanner | 0x1 parser | 0x2 eval | 0x4 netlink | 0x8 mnl | 0x10 proto-ctx | 0x20 segtree | 0x40 Returns a set of previously active debug flags, as returned by get_debug() method. r)rgtypestrintrar:r?)rvaluesoldrErfrrr set_debughs    zNftables.set_debugcCsdd}t|tsd}|jd}|j|j|}|j|j}|j|j}|rZ|jd}|jd}|||fS)aRun a simple nftables command via libnftables. Accepts a string containing an nftables command just like what one would enter into an interactive nftables (nft -i) session. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() fuction output -- a string containing output written to stdout error -- a string containing output written to stderr FTzutf-8) isinstancebytesencoder=r?r;r<decode)rZcmdlineZcmdline_is_unicodercoutputerrorrrrcmds       z Nftables.cmdcCsJ|jd}|jtj|\}}}|s.|j|t|r@tj|}|||fS)aiRun an nftables command in JSON syntax via libnftables. Accepts a hash object as input. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() function output -- a hash object containing library standard output error -- a string containing output written to stderr T)rRrur dumpslenloads)r json_rootZ json_out_oldrrrsrtrrrjson_cmds   zNftables.json_cmdcCs|jst|_|jj|dS)zValidate JSON object against libnftables schema. Accepts a hash object as input. Returns True if JSON is valid, raises an exception otherwise. T) validatorrr)rryrrr json_validates zNftables.json_validaterrrrrrr iii)r6)(rrrrrarBr{rrArGrIrHrJrKrLrMrNrOrPrQrRrSrTrUrVrWrXrYrZr[r\r]r^r_r`rgrmrurzr|rrrrr%sl <             #r)r ZctypessysrZNFTABLES_VERSIONrrrrrrs  __init__.py000064400000000030147204716050006654 0ustar00from .nftables import * nftables.py000064400000034135147204716050006730 0ustar00#!/usr/bin/python # Copyright(C) 2018 Phil Sutter # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. import json from ctypes import * import sys import os NFTABLES_VERSION = "0.1" class SchemaValidator: """Libnftables JSON validator using jsonschema""" def __init__(self): schema_path = os.path.join(os.path.dirname(__file__), "schema.json") with open(schema_path, 'r') as schema_file: self.schema = json.load(schema_file) import jsonschema self.jsonschema = jsonschema def validate(self, json): self.jsonschema.validate(instance=json, schema=self.schema) class Nftables: """A class representing libnftables interface""" debug_flags = { "scanner": 0x1, "parser": 0x2, "eval": 0x4, "netlink": 0x8, "mnl": 0x10, "proto-ctx": 0x20, "segtree": 0x40, } output_flags = { "reversedns": (1 << 0), "service": (1 << 1), "stateless": (1 << 2), "handle": (1 << 3), "json": (1 << 4), "echo": (1 << 5), "guid": (1 << 6), "numeric_proto": (1 << 7), "numeric_prio": (1 << 8), "numeric_symbol": (1 << 9), "numeric_time": (1 << 10), "terse": (1 << 11), } validator = None def __init__(self, sofile="libnftables.so.1.1.0"): """Instantiate a new Nftables class object. Accepts a shared object file to open, by default standard search path is searched for a file named 'libnftables.so'. After loading the library using ctypes module, a new nftables context is requested from the library and buffering of output and error streams is turned on. """ lib = cdll.LoadLibrary(sofile) ### API function definitions self.nft_ctx_new = lib.nft_ctx_new self.nft_ctx_new.restype = c_void_p self.nft_ctx_new.argtypes = [c_int] self.nft_ctx_output_get_flags = lib.nft_ctx_output_get_flags self.nft_ctx_output_get_flags.restype = c_uint self.nft_ctx_output_get_flags.argtypes = [c_void_p] self.nft_ctx_output_set_flags = lib.nft_ctx_output_set_flags self.nft_ctx_output_set_flags.argtypes = [c_void_p, c_uint] self.nft_ctx_output_get_debug = lib.nft_ctx_output_get_debug self.nft_ctx_output_get_debug.restype = c_int self.nft_ctx_output_get_debug.argtypes = [c_void_p] self.nft_ctx_output_set_debug = lib.nft_ctx_output_set_debug self.nft_ctx_output_set_debug.argtypes = [c_void_p, c_int] self.nft_ctx_buffer_output = lib.nft_ctx_buffer_output self.nft_ctx_buffer_output.restype = c_int self.nft_ctx_buffer_output.argtypes = [c_void_p] self.nft_ctx_get_output_buffer = lib.nft_ctx_get_output_buffer self.nft_ctx_get_output_buffer.restype = c_char_p self.nft_ctx_get_output_buffer.argtypes = [c_void_p] self.nft_ctx_buffer_error = lib.nft_ctx_buffer_error self.nft_ctx_buffer_error.restype = c_int self.nft_ctx_buffer_error.argtypes = [c_void_p] self.nft_ctx_get_error_buffer = lib.nft_ctx_get_error_buffer self.nft_ctx_get_error_buffer.restype = c_char_p self.nft_ctx_get_error_buffer.argtypes = [c_void_p] self.nft_run_cmd_from_buffer = lib.nft_run_cmd_from_buffer self.nft_run_cmd_from_buffer.restype = c_int self.nft_run_cmd_from_buffer.argtypes = [c_void_p, c_char_p] self.nft_ctx_free = lib.nft_ctx_free lib.nft_ctx_free.argtypes = [c_void_p] # initialize libnftables context self.__ctx = self.nft_ctx_new(0) self.nft_ctx_buffer_output(self.__ctx) self.nft_ctx_buffer_error(self.__ctx) def __del__(self): self.nft_ctx_free(self.__ctx) def __get_output_flag(self, name): flag = self.output_flags[name] return self.nft_ctx_output_get_flags(self.__ctx) & flag def __set_output_flag(self, name, val): flag = self.output_flags[name] flags = self.nft_ctx_output_get_flags(self.__ctx) if val: new_flags = flags | flag else: new_flags = flags & ~flag self.nft_ctx_output_set_flags(self.__ctx, new_flags) return flags & flag def get_reversedns_output(self): """Get the current state of reverse DNS output. Returns a boolean indicating whether reverse DNS lookups are performed for IP addresses in output. """ return self.__get_output_flag("reversedns") def set_reversedns_output(self, val): """Enable or disable reverse DNS output. Accepts a boolean turning reverse DNS lookups in output on or off. Returns the previous value. """ return self.__set_output_flag("reversedns", val) def get_service_output(self): """Get the current state of service name output. Returns a boolean indicating whether service names are used for port numbers in output or not. """ return self.__get_output_flag("service") def set_service_output(self, val): """Enable or disable service name output. Accepts a boolean turning service names for port numbers in output on or off. Returns the previous value. """ return self.__set_output_flag("service", val) def get_stateless_output(self): """Get the current state of stateless output. Returns a boolean indicating whether stateless output is active or not. """ return self.__get_output_flag("stateless") def set_stateless_output(self, val): """Enable or disable stateless output. Accepts a boolean turning stateless output either on or off. Returns the previous value. """ return self.__set_output_flag("stateless", val) def get_handle_output(self): """Get the current state of handle output. Returns a boolean indicating whether handle output is active or not. """ return self.__get_output_flag("handle") def set_handle_output(self, val): """Enable or disable handle output. Accepts a boolean turning handle output on or off. Returns the previous value. """ return self.__set_output_flag("handle", val) def get_json_output(self): """Get the current state of JSON output. Returns a boolean indicating whether JSON output is active or not. """ return self.__get_output_flag("json") def set_json_output(self, val): """Enable or disable JSON output. Accepts a boolean turning JSON output either on or off. Returns the previous value. """ return self.__set_output_flag("json", val) def get_echo_output(self): """Get the current state of echo output. Returns a boolean indicating whether echo output is active or not. """ return self.__get_output_flag("echo") def set_echo_output(self, val): """Enable or disable echo output. Accepts a boolean turning echo output on or off. Returns the previous value. """ return self.__set_output_flag("echo", val) def get_guid_output(self): """Get the current state of GID/UID output. Returns a boolean indicating whether names for group/user IDs are used in output or not. """ return self.__get_output_flag("guid") def set_guid_output(self, val): """Enable or disable GID/UID output. Accepts a boolean turning names for group/user IDs on or off. Returns the previous value. """ return self.__set_output_flag("guid", val) def get_numeric_proto_output(self): """Get current status of numeric protocol output flag. Returns a boolean value indicating the status. """ return self.__get_output_flag("numeric_proto") def set_numeric_proto_output(self, val): """Set numeric protocol output flag. Accepts a boolean turning numeric protocol output either on or off. Returns the previous value. """ return self.__set_output_flag("numeric_proto", val) def get_numeric_prio_output(self): """Get current status of numeric chain priority output flag. Returns a boolean value indicating the status. """ return self.__get_output_flag("numeric_prio") def set_numeric_prio_output(self, val): """Set numeric chain priority output flag. Accepts a boolean turning numeric chain priority output either on or off. Returns the previous value. """ return self.__set_output_flag("numeric_prio", val) def get_numeric_symbol_output(self): """Get current status of numeric symbols output flag. Returns a boolean value indicating the status. """ return self.__get_output_flag("numeric_symbol") def set_numeric_symbol_output(self, val): """Set numeric symbols output flag. Accepts a boolean turning numeric representation of symbolic constants in output either on or off. Returns the previous value. """ return self.__set_output_flag("numeric_symbol", val) def get_numeric_time_output(self): """Get current status of numeric times output flag. Returns a boolean value indicating the status. """ return self.__get_output_flag("numeric_time") def set_numeric_time_output(self, val): """Set numeric times output flag. Accepts a boolean turning numeric representation of time values in output either on or off. Returns the previous value. """ return self.__set_output_flag("numeric_time", val) def get_terse_output(self): """Get the current state of terse output. Returns a boolean indicating whether terse output is active or not. """ return self.__get_output_flag("terse") def set_terse_output(self, val): """Enable or disable terse output. Accepts a boolean turning terse output either on or off. Returns the previous value. """ return self.__set_output_flag("terse", val) def get_debug(self): """Get currently active debug flags. Returns a set of flag names. See set_debug() for details. """ val = self.nft_ctx_output_get_debug(self.__ctx) names = [] for n,v in self.debug_flags.items(): if val & v: names.append(n) val &= ~v if val: names.append(val) return names def set_debug(self, values): """Set debug output flags. Accepts either a single flag or a set of flags. Each flag might be given either as string or integer value as shown in the following table: Name | Value (hex) ----------------------- scanner | 0x1 parser | 0x2 eval | 0x4 netlink | 0x8 mnl | 0x10 proto-ctx | 0x20 segtree | 0x40 Returns a set of previously active debug flags, as returned by get_debug() method. """ old = self.get_debug() if type(values) in [str, int]: values = [values] val = 0 for v in values: if type(v) is str: v = self.debug_flags[v] val |= v self.nft_ctx_output_set_debug(self.__ctx, val) return old def cmd(self, cmdline): """Run a simple nftables command via libnftables. Accepts a string containing an nftables command just like what one would enter into an interactive nftables (nft -i) session. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() fuction output -- a string containing output written to stdout error -- a string containing output written to stderr """ cmdline_is_unicode = False if not isinstance(cmdline, bytes): cmdline_is_unicode = True cmdline = cmdline.encode("utf-8") rc = self.nft_run_cmd_from_buffer(self.__ctx, cmdline) output = self.nft_ctx_get_output_buffer(self.__ctx) error = self.nft_ctx_get_error_buffer(self.__ctx) if cmdline_is_unicode: output = output.decode("utf-8") error = error.decode("utf-8") return (rc, output, error) def json_cmd(self, json_root): """Run an nftables command in JSON syntax via libnftables. Accepts a hash object as input. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() function output -- a hash object containing library standard output error -- a string containing output written to stderr """ json_out_old = self.set_json_output(True) rc, output, error = self.cmd(json.dumps(json_root)) if not json_out_old: self.set_json_output(json_out_old) if len(output): output = json.loads(output) return (rc, output, error) def json_validate(self, json_root): """Validate JSON object against libnftables schema. Accepts a hash object as input. Returns True if JSON is valid, raises an exception otherwise. """ if not self.validator: self.validator = SchemaValidator() self.validator.validate(json_root) return True schema.json000064400000000417147204716050006707 0ustar00{ "$schema": "http://json-schema.org/schema#", "description": "libnftables JSON API schema", "type": "object", "properties": { "nftables": { "type": "array", "minitems": 0, "items": { "type": "object" } } }, "required": [ "nftables" ] }