Closed. M1chael closed this issue 1 year ago.
I believe you need to use "match-set" and then give it the match as below. Note this is a dictionary representation of a rule with the iptc.easy module.
{
    "table": "raw",
    "chain": "PREROUTING",
    "rule": {
        "set": {
            "match-set": [
                "IPS_FILTER_BLACKLIST",
                "src"
            ]
        },
        "comment": {
            "comment": "Early drop blacklisted sources"
        },
        "target": "DROP"
    }
}
You can find many more examples over here.
How can I use match-set and give it the match? I use examples from this documentation.
In the documentation you linked there is this example:
However, when a match or a target takes multiple parameter values, that needs to be passed in as a list. Let’s assume you have created and set up an ipset called blacklist via the ipset command. To create a rule with a match for this set:
>>> rule = iptc.Rule()
>>> m = rule.create_match("set")
>>> m.match_set = ['blacklist', 'src']
Note how this time a list was used for the parameter value, since the set match match_set parameter expects two values. See the iptables manpages to find out what the extensions you use expect. See ipset for more information.
Which corresponds exactly to my code, doesn't it? Sorry, but I still don't see my mistake and don't understand how you suggest fixing it.
Does your ipset exist before you try to add the rule?
Bingo! That was the reason. Thanks a lot @jllorente! As a small wish for the developer: it would be great to get a clearer error message in that case.
Great to hear! I believe that's more of an iptables core behaviour than this library itself. What error do you get if you try to add the rule via terminal?
# iptables -A ...
It says something I would like to hear from python-iptables too in this situation:
iptables v1.8.7 (nf_tables): Set ipset_name doesn't exist.
Should I downgrade Python to 3.4 or is it a python-iptables bug that could be fixed?
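The fix that closed this thread was operational rather than a code change: the ipset must exist before the rule referencing it is added, and when it does not, python-iptables surfaces only a generic failure while the `iptables` binary prints "Set ... doesn't exist". The following is an added example, not code from the python-iptables project or from anyone in the thread. It checks the set against the output of `ipset list -n` (which prints one set name per line) before inserting the rule, and builds the same iptc.easy rule dictionary that was posted above. The constructed listing, the `keep_alive_hosts` name and the helper names are assumptions for illustration; the call to `iptc.easy.insert_rule(table, chain, rule_d)` is taken from the iptc.easy API and the `iptc` import is deferred because it needs libiptc and root.

```python
"""Pre-flight ipset check before adding a rule with python-iptables.

Added example (not python-iptables project code). iptables rejects a rule
whose set does not exist, so check the set first and raise a clear error.
"""
import subprocess

# Same set name and rule layout as the iptc.easy dictionary in the thread.
SET_NAME = "IPS_FILTER_BLACKLIST"

# Constructed stand-in for `ipset list -n` output (one set name per line),
# so the parsing and the check can be exercised offline without root.
SAMPLE_IPSET_LISTING = "IPS_FILTER_BLACKLIST\nkeep_alive_hosts\n"


def ipset_names(listing):
    """Parse `ipset list -n` output into the set of defined ipset names."""
    return {line.strip() for line in listing.splitlines() if line.strip()}


def require_ipset(name, listing):
    """Return `name` if it is a defined set, else raise with iptables' wording."""
    if name not in ipset_names(listing):
        raise LookupError(f"Set {name} doesn't exist")
    return name


def blacklist_rule(set_name, comment="Early drop blacklisted sources"):
    """iptc.easy rule dictionary: DROP packets whose source is in `set_name`.

    A match parameter that takes several values is given as a list, so
    `match-set` is [set_name, "src"] rather than one string.
    """
    return {
        "set": {"match-set": [set_name, "src"]},
        "comment": {"comment": comment},
        "target": "DROP",
    }


def current_ipset_listing():
    """Run `ipset list -n` on this host (needs root and the ipset tool)."""
    return subprocess.run(
        ["ipset", "list", "-n"], check=True, capture_output=True, text=True
    ).stdout


def install_rule(set_name):
    """Verify the set exists, then insert the rule at the top of raw/PREROUTING."""
    require_ipset(set_name, current_ipset_listing())
    # Deferred import: iptc needs libiptc and root; the helpers above do not.
    import iptc

    iptc.easy.insert_rule("raw", "PREROUTING", blacklist_rule(set_name))


if __name__ == "__main__":
    # Create the set first, e.g. `ipset create IPS_FILTER_BLACKLIST hash:ip`,
    # otherwise install_rule() stops with "Set IPS_FILTER_BLACKLIST doesn't exist".
    install_rule(SET_NAME)
```

Run as root on a host where the set has been created with `ipset create`; if the set is missing, the failure is now the explicit LookupError rather than an opaque error from inside the library.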