NAME
IPTables::IPv6 - Perl module for manipulating iptables rules for the IPv6 protocol
SYNOPSIS
use IPTables::IPv6;
$table = IPTables::IPv6::init('tablename');
%IPTables::IPv6 = (
filter => {
INPUT => {
rules => [
{
source => '2001::/16',
jump => 'ACCEPT'
}
],
pcnt => 50000,
bcnt => 1000000,
policy => 'DROP'
}
}
);
DESCRIPTION
This package provides a nice interface to the IP Tables control API that fairly closely parallels the C API exported in libiptc for manipulating firewalling and forwarding rules for IPv6 packets. Also, a tied multilayer data structure has been built, allowing the tables, chains, rules and fields to be manipulated in a more natural fashion.
The module will be built with a default library path built into it. That can be overridden using the IPT_MODPATH environment variable. If your script is being called suid root, you may want to do delete $ENV{IPT_MODPATH};
to ensure that someone isn't subverting your script. Make sure you do this before you use IPTables::IPv6;
to ensure that it never loads from an unapproved path.
METHODS
Most methods will return 1 for success, or 0 for failure (and on failure, set $! to a string describing the reason for the failure). Unless otherwise noted, you can assume that all methods will use this convention.
Initialization
- $table = IPTables::IPv6::init('tablename')
-
This sets up the connection to the kernel-level netfilter subsystem.
tablename
corresponds to the name of a table (filter
,nat
,mangle
, ordropped
) to manipulate. The call returns an object of type IPTables::IPv6::Table, which all the other methods are to be called against, if the named table exists. If it does not exist,undef
will be returned.
Chain Operations
- $is_builtin = $table->builtin('chainname')
-
This checks if the chain
chainname
is built into the current table. The method will return 1 ifchainname
is a built-in chain, or 0 if it is not. - $success = $table->create_chain('chainname')
-
This attempts to create the chain
chainname
. - $success = $table->delete_chain('chainname')
-
This attempts to delete the chain
chainname
. - ($policy, $pcnt, $bcnt) = $table->get_policy('chainname')
-
This returns an array containing the default policy, and the number of packets and bytes which have reached the default policy, in the chain
chainname
. Ifchainname
does not exist, or if it is not a built-in chain, an empty array will be returned, and $! will be set to a string containing the reason. - $refcnt = $table->get_references('chainname')
-
This returns the reference count for the chain
chainname
if it exists and is a user-defined chain. Ifchainname
does not exist, or is a built-in chain, -1 will be returned, and $! will be set to a string containing the reason. - $is_chain = $table->is_chain('chainname')
-
This checks to verify that the chain
chainname
exists in the current table. The method will return 1 ifchainname
is a chain, 0 if not. - @chains = $table->list_chains()
-
In array context, this method returns an array containing names of all existing chains in the table that
$table
points to. In scalar context, returns the number of chains in the table. - $success = $table->rename_chain('oldname', 'newname')
-
This attempts to rename the chain
oldname
tonewname
. - $success = $table->set_policy('chainname', 'target')
- $success = $table->set_policy('chainname', 'target', {pcnt => count, bcnt => count})
-
This attempts to set the default target for the chain
chainname
totarget
. It also allows the packet and byte counters on a chain to be set using the (optional) third argument. Those values must be passed as a hash ref, as shown.
Rule Operations
- $success = $table->append_entry('chainname', $hashref)
-
This attempts to append the rule described in the hash referenced by
$hashref
to the chainchainname
. - $success = $table->delete_entry('chainname', $hashref)
-
This attempts to delete a rule matching that described in the hash referenced by
$hashref
from the chainchainname
. - $success = $table->delete_num_entry('chainname', $rulenum)
-
This attempts to delete the rule
$rulenum
from the chainchainname
. - $success = $table->flush_entries('chainname')
-
This deletes all rules from the chain
chainname
. - $success = $table->insert_entry('chainname', $hashref, $rulenum)
-
This attempts to insert the rule described in the hash referenced by
$hashref
at index$rulenum
in the chainchainname
. - @rules = $table->list_rules('chainname')
-
When called in array context, this method returns an array of hash references, which contain descriptions of each rule in the chain
chainname
. In scalar context, returns the number of rules in the chain.Note that if the chain
chainname
does not exist, an empty list will be returned, as will listing an empty chain. Be sure to verify that the chain exists before you try to list the rules. - $success = $table->replace_entry('chainname', $hashref, $rulenum)
-
This attempts to replace the rule at index
$rulenum
in the chainchainname
with the rule described in the hash referenced by$hashref
. - $success = $table->zero_entries('chainname')
-
This zeroes all packet counters in the chain
chainname
.
Cleanup
- $success = $table->commit()
-
This attempts to commit all changes made to the IP chains in the table that
$table
points to, and closes the connection to the kernel-level netfilter subsystem. If you wish to apply your changes back to the kernel, you must call this.
RULE STRUCTURE
The rules in the libiptc interface are expressed as struct ipt_entry
s. However, I have decided to express the rules as hashes. The rules are passed around as hash references, and may contain the following fields:
- source
-
The source address of a packet. This will appear in one of the following forms:
ip:v6:add::re:ss ip:v6:add::rs:ss/maskwidth ip:v6:add::re:ss/ip:v6:ne::tma:sk
It may be prefixed with a '!', to indicate the inverse sense of the address (i.e., match anything EXCEPT the address or address range specified).
- destination
-
The destination address of a packet. It will appear in one of the same forms as
source
(see above). - in-interface
-
The network device which received the packet. Some chains cannot accept a rule with
in-interface
set (such as thePREROUTING
chain). This may show up as a full interface name (such aseth0
), or as a wildcarded interface name (such aseth+
, where+
is the wildcard character, which can only be used at the end of a wildcarded interface string). It may be prefixed with a '!', to indicate the inverse sense of the interface (i.e., match anything EXCEPT the interface specified). - out-interface
-
The network device that a packet will be sent out via. Some chains cannot accept a rule with
out-interface
set (such as theINPUT
chain). The format is the same as that forin-interface
(see above). - protocol
-
The name of the protocol of an incoming packet. It may be prefixed with a '!', to indicate the inverse sense of the protocol (i.e., match anything EXCEPT this protocol).
- jump
-
The target or chain to jump to if the rule matches.
- pcnt/bcnt
-
The number of packets and bytes that have matched this rule since the rule was put in place, or since its counters were last zeroed.
- matches
-
An array reference, containing a list of all the match modules which are to be used as part of the rule. Any match qualifier other than a protocol match module - i.e.,
tos
,mport
,state
, etc., must be specified with this option, or any fields that belong to them will not be honored. - [target]-target-raw
-
This contains, as a string, the raw target data for a rule, if the needed module can't be found. [target] should be the name of the target. There will, of course, only be one of these per rule (as each rule can only have one target).
- [match]-match-raw
-
This contains, as a string, the raw match data for a rule, if the needed module can't be found. [match] should be the name of the match. There can be more than one of these in one rule. If a match is specified in
matches
, and no match module is available, raw data must be provided.
MODULE-SPECIFIC RULE OPTIONS
Each module, for protocols, non-protocol matches, and non-standard targets, has specific keys associated with specific options.
This material will be added later on, once I'm sure everything is working as it should be.
AUTHOR
Derrik Pates, dpates@dsdk12.net