Update documentation.

ldx · ldx · commit add95fc52346 · 2013-11-10T02:57:44.000+01:00
diff --git a/doc/examples.rst b/doc/examples.rst
@@ -1,12 +1,12 @@
 Examples
 ========
 
-Introduction
-------------
+Rules
+-----
 
 In ``python-iptables``, you usually first create a rule, and set any
 source/destination address, in/out interface and protocol specifiers, for
-example:
+example::
 
     >>> import iptc
     >>> rule = iptc.Rule()
@@ -20,7 +20,7 @@ source IP address of 192.168.1.0/255.255.255.0.
 A rule may contain matches and a target. A match is like a filter matching
 certain packet attributes, while a target tells what to do with the packet
 (drop it, accept it, transform it somehow, etc). One can create a match or
-target via a Rule:
+target via a Rule::
 
     >>> rule = iptc.Rule()
     >>> m = rule.create_match("tcp")
@@ -29,7 +29,7 @@ target via a Rule:
 Match and target parameters can be changed after creating them. It is also
 perfectly valid to create a match or target via instantiating them with
 their constructor, but you still need a rule and you have to add the matches
-and the target to their rule manually:
+and the target to their rule manually::
 
     >>> rule = iptc.Rule()
     >>> match = iptc.Match(rule, "tcp")
@@ -38,14 +38,14 @@ and the target to their rule manually:
     >>> rule.target = target
 
 Any parameters a match or target might take can be set via the attributes of
-the object. To set the destination port for a TCP match:
+the object. To set the destination port for a TCP match::
 
     >>> rule = iptc.Rule()
     >>> rule.protocol = "tcp"
     >>> match = rule.create_match("tcp")
     >>> match.dport = "80"
 
-To set up a rule that matches packets marked with 0xff:
+To set up a rule that matches packets marked with 0xff::
 
     >>> rule = iptc.Rule()
     >>> rule.protocol = "tcp"
@@ -55,18 +55,84 @@ To set up a rule that matches packets marked with 0xff:
 Parameters are always strings.
 
 When you are ready constructing your rule, add them to the chain you want it
-to show up in:
+to show up in::
 
     >>> chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
     >>> chain.insert_rule(rule)
 
 This will put your rule into the INPUT chain in the filter table.
 
-Simple rule with standard target
---------------------------------
+Chains and tables
+-----------------
 
-Reject packets with source address ``127.0.0.1/255.0.0.0`` coming in on any of
-the eth interfaces:
+You can of course also check what a rule's source/destination address,
+in/out inteface etc is. To print out all rules in the FILTER table::
+
+    >>> import iptc
+    >>> table = iptc.Table(iptc.Table.FILTER)
+    >>> for chain in table.chains:
+    >>>     print "======================="
+    >>>     print "Chain ", chain.name
+    >>>     for rule in chain.rules:
+    >>>         print "Rule", "proto:", rule.protocol, "src:", rule.src, "dst:", \
+    >>>               rule.dst, "in:", rule.in_interface, "out:", rule.out_interface,
+    >>>         print "Matches:",
+    >>>         for match in rule.matches:
+    >>>             print match.name,
+    >>>         print "Target:",
+    >>>         print rule.target.name
+    >>> print "======================="
+
+As you see in the code snippet above, rules are organized into chains, and
+chains are in tables. You have a fixed set of tables; for IPv4::
+
+* FILTER,
+* NAT,
+* MANGLE and
+* RAW.
+
+For IPv6 the tables are::
+
+* FILTER,
+* MANGLE,
+* RAW and
+* SECURITY.
+
+To access a table::
+
+    >>> import iptc
+    >>> table = iptc.Table(iptc.Table.FILTER)
+    >>> print table.name
+    filter
+
+To create a new chain in the FILTER table::
+
+    >>> import iptc
+    >>> table = iptc.Table(iptc.Table.FILTER)
+    >>> chain = table.create_chain("testchain")
+
+    $ sudo iptables -L -n
+    [...]
+    Chain testchain (0 references)
+    target     prot opt source               destination
+
+To access an existing chain::
+
+    >>> import iptc
+    >>> table = iptc.Table(iptc.Table.FILTER)
+    >>> chain = iptc.Chain(table, "INPUT")
+    >>> chain.name
+    'INPUT'
+    >>> len(chain.rules)
+    10
+    >>>
+
+More about matches and targets
+------------------------------
+
+There are basic targets, such as ``DROP`` and ``ACCEPT``. E.g. to reject
+packets with source address ``127.0.0.1/255.0.0.0`` coming in on any of the
+``eth`` interfaces::
 
     >>> import iptc
     >>> chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
@@ -77,25 +143,22 @@ the eth interfaces:
     >>> rule.target = target
     >>> chain.insert_rule(rule)
 
-Simple rule not using any match extensions
-------------------------------------------
+To instantiate a target or match, we can either create an object like above,
+or use the ``rule.create_target(target_name)`` and
+``rule.create_match(match_name)`` methods. For example, in the code above
+target could have been created as::
 
-Inserting a rule to NAT TCP packets going out via ``eth0``:
+    >>> target = rule.create_target("DROP")
 
-    >>> import iptc
-    >>> chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING")
-    >>> rule = iptc.Rule()
-    >>> rule.protocol = "tcp"
-    >>> rule.out_interface = "eth0"
-    >>> target = iptc.Target(rule, "MASQUERADE")
-    >>> target.to_ports = "1234"
+instead of::
+
+    >>> target = iptc.Target(rule, "DROP")
     >>> rule.target = target
-    >>> chain.insert_rule(rule)
 
-Rule using the udp match extension
-----------------------------------
+The former also adds the match or target to the rule, saving a call.
 
-Mark packets going to ``192.168.1.2`` UDP port ``1234`` with ``0xffff``:
+Another example, using a target which takes parameters. Let's mark packets
+going to ``192.168.1.2`` UDP port ``1234`` with ``0xffff``::
 
     >>> import iptc
     >>> chain = iptc.Chain(iptc.Table(iptc.Table.MANGLE), "PREROUTING")
@@ -110,13 +173,25 @@ Mark packets going to ``192.168.1.2`` UDP port ``1234`` with ``0xffff``:
     >>> rule.target = target
     >>> chain.insert_rule(rule)
 
-Multiple matches with iprange
------------------------------
+Matches are optional (specifying a target is mandatory). E.g. to insert a rule
+to NAT TCP packets going out via ``eth0``::
 
-Now we will add multiple matches to a rule. This one is the
-``python-iptables`` equivalent of the following iptables command:
+    >>> import iptc
+    >>> chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING")
+    >>> rule = iptc.Rule()
+    >>> rule.protocol = "tcp"
+    >>> rule.out_interface = "eth0"
+    >>> target = iptc.Target(rule, "MASQUERADE")
+    >>> target.to_ports = "1234"
+    >>> rule.target = target
+    >>> chain.insert_rule(rule)
+
+Here only the properties of the rule decide whether the rule will be applied
+to a packet.
 
-# iptables -A INPUT -p tcp –destination-port 22 -m iprange –src-range 192.168.1.100-192.168.1.200 –dst-range 172.22.33.106 -j DROP
+Matches are optional, but we can add multiple matches to a rule. In the
+following example we will do that, using the ``iprange`` and the ``tcp``
+matches::
 
     >>> import iptc
     >>> rule = iptc.Rule()
@@ -131,3 +206,7 @@ Now we will add multiple matches to a rule. This one is the
     >>> rule.target = iptc.Target(rule, "DROP")
     >>> chain = iptc.Chain(iptc.Table.(iptc.Table.FILTER), "INPUT")
     >>> chain.insert_rule(rule)
+
+This is the ``python-iptables`` equivalent of the following iptables command::
+
+    # iptables -A INPUT -p tcp –destination-port 22 -m iprange –src-range 192.168.1.100-192.168.1.200 –dst-range 172.22.33.106 -j DROP
diff --git a/doc/intro.rst b/doc/intro.rst
@@ -19,10 +19,17 @@ manpage puts it:
     rule specifies what to do with a packet that matches.  This is called a
     `target`, which may be a jump to a user-defined chain in the same table.
 
-``Python-iptables`` provides python bindings to iptables under Linux.
-Interoperability with iptables is achieved via using the iptables C libraries
-(``libiptc``, ``libxtables``, and the iptables extensions), not calling the
-iptables binary and parsing its output.
+``Python-iptables`` provides a pythonesque wrapper via python bindings to
+iptables under Linux.  Interoperability with iptables is achieved via using
+the iptables C libraries (``libiptc``, ``libxtables``, and the iptables
+extensions), not calling the iptables binary and parsing its output. It is
+meant primarily for dynamic and/or complex routers and firewalls, where rules
+are often updated or changed, or Python programs wish to interface with the
+Linux iptables framework..
+
+|buildstatus|
+
+.. |buildstatus| image:: https://travis-ci.org/ldx/python-iptables.png?branch=master
 
 Compiling and installing
 ------------------------
@@ -54,67 +61,7 @@ Now you can run the tests::
     WARNING: this test will manipulate iptables rules.
     Don't do this on a production machine.
     Would you like to continue? y/n y
-    test_table6 (iptc.test.test_iptc.TestTable6) ... ok
-    test_refresh (iptc.test.test_iptc.TestTable) ... ok
-    test_table (iptc.test.test_iptc.TestTable) ... ok
-    test_builtin_chain (iptc.test.test_iptc.TestChain) ... ok
-    test_chain (iptc.test.test_iptc.TestChain) ... ok
-    test_chain_counters (iptc.test.test_iptc.TestChain) ... ok
-    test_chain_policy (iptc.test.test_iptc.TestChain) ... ok
-    test_chains (iptc.test.test_iptc.TestChain) ... ok
-    test_create_chain (iptc.test.test_iptc.TestChain) ... ok
-    test_is_chain (iptc.test.test_iptc.TestChain) ... ok
-    test_rule_address (iptc.test.test_iptc.TestRule6) ... ok
-    test_rule_compare (iptc.test.test_iptc.TestRule6) ... ok
-    test_rule_interface (iptc.test.test_iptc.TestRule6) ... ok
-    test_rule_iterate (iptc.test.test_iptc.TestRule6) ... ok
-    test_rule_protocol (iptc.test.test_iptc.TestRule6) ... ok
-    test_rule_standard_target (iptc.test.test_iptc.TestRule6) ... ok
-    test_rule_address (iptc.test.test_iptc.TestRule) ... ok
-    test_rule_compare (iptc.test.test_iptc.TestRule) ... ok
-    test_rule_fragment (iptc.test.test_iptc.TestRule) ... ok
-    test_rule_interface (iptc.test.test_iptc.TestRule) ... ok
-    test_rule_iterate (iptc.test.test_iptc.TestRule) ... ok
-    test_rule_protocol (iptc.test.test_iptc.TestRule) ... ok
-    test_rule_standard_target (iptc.test.test_iptc.TestRule) ... ok
-
-    ----------------------------------------------------------------------
-    Ran 23 tests in 0.013s
-
-    OK
-    test_match_compare (iptc.test.test_matches.TestMatch) ... ok
-    test_match_create (iptc.test.test_matches.TestMatch) ... ok
-    test_match_parameters (iptc.test.test_matches.TestMatch) ... ok
-    test_udp_insert (iptc.test.test_matches.TestXTUdpMatch) ... ok
-    test_udp_port (iptc.test.test_matches.TestXTUdpMatch) ... ok
-    test_mark (iptc.test.test_matches.TestXTMarkMatch) ... ok
-    test_mark_insert (iptc.test.test_matches.TestXTMarkMatch) ... ok
-    test_limit (iptc.test.test_matches.TestXTLimitMatch) ... ok
-    test_limit_insert (iptc.test.test_matches.TestXTLimitMatch) ... ok
-    test_comment (iptc.test.test_matches.TestCommentMatch) ... ok
-    test_iprange (iptc.test.test_matches.TestIprangeMatch) ... ok
-    test_iprange_tcpdport (iptc.test.test_matches.TestIprangeMatch) ... ok
-
-    ----------------------------------------------------------------------
-    Ran 12 tests in 0.024s
-
-    OK
-    test_target_compare (iptc.test.test_targets.TestTarget) ... ok
-    test_target_create (iptc.test.test_targets.TestTarget) ... ok
-    test_target_parameters (iptc.test.test_targets.TestTarget) ... ok
-    test_insert (iptc.test.test_targets.TestXTClusteripTarget) ... ok
-    test_mode (iptc.test.test_targets.TestXTClusteripTarget) ... ok
-    test_insert (iptc.test.test_targets.TestIPTRedirectTarget) ... ok
-    test_mode (iptc.test.test_targets.TestIPTRedirectTarget) ... ok
-    test_insert (iptc.test.test_targets.TestXTTosTarget) ... ok
-    test_mode (iptc.test.test_targets.TestXTTosTarget) ... ok
-    test_insert (iptc.test.test_targets.TestIPTMasqueradeTarget) ... ok
-    test_mode (iptc.test.test_targets.TestIPTMasqueradeTarget) ... ok
-
-    ----------------------------------------------------------------------
-    Ran 11 tests in 0.015s
-
-    OK
+    [...]
 
 The ``PATH=$PATH`` part is necessary after ``sudo`` if you have installed into
 a ``virtualenv``, since ``sudo`` will reset your environment to a system
@@ -136,9 +83,6 @@ The basic iptables framework and all the match/target extensions are supported
 by ``python-iptables``, including IPv4 and IPv6 ones. All IPv4 and IPv6 tables
 are supported as well.
 
-Contact
--------
-
-ldx (at) nilvec.com
+Full documentation with API reference is available here_.
 
-http://nilvec.com
+.. _here: http://ldx.github.com/python-iptables/
