
IpTables Rope - Language Reference

ROPE is a stack-based ReversePolish language. The stack can contain integer, string, block, register and anchor items. This page lists the ActionWords understood by ROPE, and provides links to the manual page for each.

ROPE modules can be run in KernelLand to do real testing of real IP packets, or in UserLand to test and debug the modules outside the kernel.

Refer to Basics for a tutorial-style page describing how to write ROPE modules and use them to match IP packets in an IpTables-based firewall configuration.

General Topics

  • Basics - An introductory tutorial - start here.
  • Building - Building Rope support into the Linux kernel, iptables and Patch-o-matic.
  • Compiling - How to compile a Rope module.
  • register - storing and retrieving user and packet data.
  • ErrorTags - explanations of error messages
  • IpAddress - How IP addresses are handled.
  • MacAddress - How MAC addresses are handled
  • TimeAndDate - How to use the system clock in Rope modules
  • PassingArguments - How to pass command-line arguments to a Rope module.
  • IpSet - Integration with the IpTables "ipset" module

Action Words

Action words pop zero or more values off the stack, process them and possibly push back a result. The number of values popped off by some actions can be varied using Rope's AnchorBrackets syntax.

| Action Names | Description |
|---|---|
| get, put, reg, greg | register (variable) handling. |
| do, eval, if, unless, ifelse, while, until, repeat | action block handling / calling. |
| and, not, or, xor | Boolean operations |
| abs, add, div, mod, mult, neg, sub | Integer arithmetic |
| inc, dec | easy increment / decrement |
| lshift, rshift | bit shifting |
| gt, lt, ge, le, eq, eqi, ne, nei | Comparisons (greater, less, equal - etc) |
| tolower, toupper | letter case conversion |
| strcat, strlen, left, right, substr | simple string handling |
| dup, drop, swap | basic explicit stack manipulation |
| isupper, islower, isalpha, isdigit, isalnum, isspace, iseoln, iscntrl, isgraph, isprint, ispunct, isxdigit, isascii, isuri, match | character classification |
| lift, lift_to, lifti_to, lift_while | lifting portions of the IP packet for inspection. |
| move, $offset | moving the current offset within the IP packet |
| expect, expect_str, expecti_str, expect_while, expect_to, expecti_to, expect_one, assert | verifying IP packet contents. |
| atoi, ord, chr, ipv4_ntoa, mac_ntoa | data format conversions |
| be16_to_int, be16_to_uint, be32_to_int, be32_to_uint, le16_to_int, le16_to_uint, le32_to_int, le32_to_uint, char_to_int, char_to_uint | Conversion of big-endian and little-endian integers in string buffers to integers. |
| localtime, gmtime, tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year, tm_wday | Time localisation and break-down. |
| print, println, dump, dumpregs, hexdump, sysexec, time_execution | output and debug tools. |
| ipset_test, ipset_add, ipset_del | working with IPSets |
| yes, no, hotdrop | passing the verdict back to NetFilter. |

Internal Registers

| Register Name | Description |
|---|---|
| $max_while_loops, $max_repeat_loops, $max_actions | Registers to control and limit execution times. |
| $packet, $packet_len | Entire packet being checked (including headers and data payload) |
| $data, $data_start, $data_len | Data payload of the packet |
| $offset, $at_end | Current position in the packet |
| $mark | Packet mark value |
| $indev_hwaddr, $indev_ifindex, $indev_mtu, $indev_name, $indev_type | Attributes of the interface on which the packet arrived. |
| $outdev_hwaddr, $outdev_ifindex, $outdev_mtu, $outdev_name, $outdev_type | Attributes of the interface on which the packet is to be transmitted. |
| $srcmac, $dstmac | Source and destination MAC addresses (when known) |
| $ip_check, $ip_daddr, $ip_frag_off, $ip_reserved_frag, $ip_dont_frag, $ip_more_frags, $ip_id, $ip_ihl, $ip_protocol, $ip_saddr, $ip_tos, $ip_tot_len, $ip_ttl, $ip_version | Registers that aid interpretation of the IP headers for IPv4 as detailed in RFC_791. |
| $icmp_type, $icmp_code, $icmp_checksum, $icmp_echo_id, $icmp_echo_sequence, $icmp_gateway, $icmp_frag_mtu | ICMP packet header fields. See RFC792 for in-depth details. |
| $tcp_ack, $tcp_ack_seq, $tcp_check, $tcp_cwr, $tcp_dest, $tcp_doff, $tcp_ece, $tcp_fin, $tcp_psh, $tcp_res1, $tcp_rst, $tcp_seq, $tcp_source, $tcp_syn, $tcp_urg, $tcp_urg_ptr, $tcp_window | TCP/IP packet header fields - see RFC_793 and RFC_3168 for the "official" description of their meanings. |
| $udp_check, $udp_dest, $udp_len, $udp_source | UDP packet header fields - see RFC_768. |
| $ct_mark, $ct_bytes, $ct_related, $ct_established, $ct_new, $ct_is_reply, $ct_is_snat, $ct_is_dnat, $ct_proto, $ct_expires, $ct_origsrc, $ct_origdst, $ct_rplysrc, $ct_rplydst | Conntrack integration registers. |
| $kernel_time, $packet_time | Time registers |
| $owner_uid, $owner_gid | Attributes of the process associated with the packet. |
