5.13.6.1. Rule methods

Method	Description
__init__(self, **kw)	Initializes a rule

Table 5.98. Method summary

Method init(self, **kw)

Initializes a rule

Arguments of init

dst_iface (interface)
Default: n/a
Permit traffic only for connections that target a configured IP address of the listed interfaces. This parameter can be used to provide nontransparent service on an interface that received its IP address dynamically. For example, `dst_iface='eth0',` or `dst_iface=('eth0', 'tun1'),`.

dst_ifgroup (integer)
Default: n/a
Permit traffic only for connections that target a configured IP address of the listed interface group. This parameter can be used to provide nontransparent service on an interface that received its IP address dynamically. For example, `dst_ifgroup=1`.

dst_port (integer)
Default: n/a
Permit traffic only if the client targets the listed port. For example, `dst_port=80`, or `dst_port=(80, 443)`. To specify port ranges, use the PortRange class, for example, `dst_port=PortRange(2000, 2100)`.

dst_subnet (subnet)

Default: n/a

dst_subnet (subnet)
Default: n/a
Permit traffic only for connections targeting a listed IP address, or an address belonging to the listed subnet. The subnet can be IPv4 or IPv6 subnet. When listing multiple subnets, you can list both IPv4 and IPv6 subnets. IP addresses are treated as subnets with a /32 (IPv4) or /128 (IPv6) netmask. If no netmask is set for a subnet, it is treated as a specific IP address. For example, `dst_subnet='192.168.10.16'` or `dst_subnet=('192.168.0.0/16', '2001:db8:c001:ba80::/58')`.

Permit traffic only for connections targeting a listed IP address, or an address belonging to the listed subnet. The subnet can be IPv4 or IPv6 subnet. When listing multiple subnets, you can list both IPv4 and IPv6 subnets. IP addresses are treated as subnets with a /32 (IPv4) or /128 (IPv6) netmask. If no netmask is set for a subnet, it is treated as a specific IP address. For example, dst_subnet='192.168.10.16' or dst_subnet=('192.168.0.0/16', '2001:db8:c001:ba80::/58').

dst_zone (zone)
Default: n/a
Permit traffic only for connections targeting an address belonging to the listed zones. For example, `dst_zone='office'` or `dst_zone=('office', 'finance')`. Note that this applies to destination address of the client-side connection request: the actual address of the server-side connection can be different (for example, if a DirectedRouter is used in the service).

proto (integer)

Default: n/a

proto (integer)
Default: n/a
Permit only connections using the specified transport protocol. This is the transport layer (Layer 4) protocol of the OSI model, for example, TCP, UDP, ICMP, and so on. The protocol must be specified using a number: the decimal value of the "protocol" field of the IP header. This value is 6 for the TCP and 17 for the UDP protocol. For a list of protocol numbers, see the Assigned Internet Protocol Numbers page of IANA. For example: `proto=(6,17)`. To permit any protocol, do not add the `proto` parameter to the rule.

Permit only connections using the specified transport protocol. This is the transport layer (Layer 4) protocol of the OSI model, for example, TCP, UDP, ICMP, and so on. The protocol must be specified using a number: the decimal value of the "protocol" field of the IP header. This value is 6 for the TCP and 17 for the UDP protocol. For a list of protocol numbers, see the Assigned Internet Protocol Numbers page of IANA. For example: proto=(6,17).

To permit any protocol, do not add the proto parameter to the rule.

rule_id (integer)
Default: n/a
A unique ID number for the rule. This parameter is optional, an ID number is automatically generated for the rule during startup.

service (service)
Default: n/a
The name of the service to start for matching connections. This is the only required parameter for the rule, everything else is optional. For example, `service='MyService'`

src_iface (interface)
Default: n/a
Permit traffic only for connections received on the listed interface. For example, `src_iface='eth0',` or `src_iface=('eth0', 'tun1'),`.

src_ifgroup (integer)
Default: n/a
Permit traffic only for connections received on the listed interfacegroup. For example, `src_iface=1`. Interface groups can be defined in the `/etc/network/interfaces` file, for example: iface eth0 inet dhcp group 1 iface eth1 inet dhcp group 1

src_port (integer)
Default: n/a
Permit traffic only if the client sends the connection request from the listed port. For example, `src_port=4455`. To specify port ranges, use the PortRange class, for example, `src_port=PortRange(2000, 2100)`.

src_subnet (subnet)

Default: n/a

src_subnet (subnet)
Default: n/a
Permit traffic only for the clients of the listed subnet or IP addresses. The subnet can be IPv4 or IPv6 subnet. When listing multiple subnets, you can list both IPv4 and IPv6 subnets. IP addresses are treated as subnets with a /32 (IPv4) or /128 (IPv6) netmask. If no netmask is set for a subnet, it is treated as a specific IP address. For example, `src_subnet='192.168.10.16'` or `src_subnet=('192.168.0.0/16', '2001:db8:c001:ba80::/58')`.

Permit traffic only for the clients of the listed subnet or IP addresses. The subnet can be IPv4 or IPv6 subnet. When listing multiple subnets, you can list both IPv4 and IPv6 subnets. IP addresses are treated as subnets with a /32 (IPv4) or /128 (IPv6) netmask. If no netmask is set for a subnet, it is treated as a specific IP address. For example, src_subnet='192.168.10.16' or src_subnet=('192.168.0.0/16', '2001:db8:c001:ba80::/58').

src_zone (zone)
Default: n/a
Permit traffic only for the clients of the listed zones. For example, `src_zone='office'` or `src_zone=('office', 'finance')`.

Previous	Up	Next
	Home

Zorp GPL 7 Reference Guide

5.13.6. Class Rule

5.13.6.1. Rule methods

Method __init__(self, **kw)

Arguments of __init__

Method init(self, **kw)

Arguments of init