Problem when reading and writing goto targets

[jllorente]

Hi,
I wanted to create a goto target but I couldn't figure out how, so I created the rule directly in iptables first:

# iptables -t nat -A PREROUTING -g test

Then I read it with iptc, but I couldn't see any differences with the normal target jump, so I inserted it again to see what that did. To my surprise, it generates a faulty rule :/ To my surprise, it adds an output field to the rule and transforms the goto in jump.

-A PREROUTING -g test #inserted manually as mentioned above
-A PREROUTING -o  -j test #inserted as a rule cloned with iptc from above

I'm running Ubuntu 16, if that helps :)

[pepoluan]

A glance at the source code seems to indicate that at the moment python-iptables does not yet support -g.

I'll try adding that feature.

Anyways, how do you get the faulty rule list? Did you use iptables-save?

Because such faulty rule is certainly a bug if reproducible, and while I'm at it, I want to squash that as well.

[pepoluan]

Okay I'm still trying to grasp how python-iptables retrieved the struct for Target.

But a simple glance, it seems python-iptables do not properly decode the flags field, and thus missing the IPT_F_GOTO flag. And neither does it set/modify the flags field within the Target class.

I'll try fixing this, because I myself need the -g target...

[pepoluan]

Just an update:

If I do an experiment as such:

Before:

# iptables-save
... output omitted ...
-A jumphere -g gotohere
... output omitted ...

Clone a rule

This uses the example code https://github.com/ldx/python-iptables/#chains-and-tables , except that I appended the following code:

if rule.target.name == 'gotohere':
    r2 = iptc.Rule()
    m2 = r2.create_match("comment")
    m2.comment = 'cloned'
    t2 = iptc.Target(r2, target=rule.target.target)
    r2.target = t2
    chain.append_rule(r2)

After

# iptables-save
... output omitted ...
-A jumphere -g gotohere
-A jumphere -m comment --comment cloned -j gotohere
... output omitted ...

Conclusion

I did not see the behavior as you indicated, that is, adding of a malformed -o matching.

However, cloning indeed converted -g to -j. And this is, as I posted above, was because the flags field (to be precise, rule.entry.ip.flags) is ignored during auto-creation of the Target object.

[pepoluan]

Aaanyways, I might have found a way to create -g (goto) targets.

I'll double-check my work, and submit a pull request afterwards. Luckily, it turns out to be a simple-ish patch.

[jllorente]

Hi,
I forgot to mention that I was running the version from pip, maybe that's why you didn't see the wrong "-o" field. I also saw the IPT_F_GOTO in the code, but didn't go to deep into it...

Thanks pepoluan!

[pepoluan]

#199 is pull request / patch that allows python-iptables to recognize "-g" targets, and vice versa, to enable creation of "-g" targets.

Usage

To create "goto" targets, specify goto=True kwarg when calling rule.create_target or when instantiating Target object.

EDIT: Apparently, my changes b0rked the ip6tc part of the module. I'll see what I can do. In the meantime, if you use exclusively IP4, #199 should be enough for you.

[pepoluan]

Yup! #200 finally nailed it, and it passed all tests.

Now it's safe to use for IPv4 and IPv6.

Whew!

[ldx]

Merged the PR, thanks again!