Key Pages: [ Rope Home Page | Basics (tutorial) | Language Reference | Download ]

IpTables Rope - Scripting Language Reference

ROPE is a stack-based ReversePolish language. The stack can contain integer, string, block, register and anchor items. This page lists the ActionWords understood by ROPE, and provides links to the manual page for each.

ROPE scripts can be run in KernelLand to do real testing of real IP packets, or in UserLand to test and debug the scripts outside the kernel.

Refer to Basics for a tutorial-style page describing how to write ROPE scripts and use then to match IP packets in an IpTables-based firewall configuration.

General Topics

Basics - An introductory tutorial - start here.
Building - Building Rope support into the linux kernel, iptables and Patch-o-matic.
Compiling - How to compile a Rope script.
register - storing and retrieving user and packet data.
ErrorTags - explanations of error messages
IpAddress - How IP addresses are handled.
MacAddress - How MAC addresses are handled
TimeAndDate - How to use the system clock in Rope scripts
PassingArguments - How to pass command-line arguments to a Rope script.
IpSet - Integration with the IpTables "ipset" module

Action Words

Action words pop zero or more values off the stack, process them and possibly push back a result. The number of values popped off by some actions can be varied using Rope's AnchorBrackets syntax.

Action Names	Description
get, put, reg, greg	register (variable) handling.
do, eval, if, unless, ifelse, while, until, repeat	action block handling / calling.
and, not, or, xor	Boolean operations
abs, add, div, mod, mult, neg, sub	Interger arithmetic
inc, dec	easy increment / decrement
lshift, rshift	bit shifting
gt, lt, ge, le, eq, eqi, ne, nei	Comparisons (greater, less, equal - etc)
tolower, toupper	letter case conversion
strcat, strlen, left, right, substr	simple string handling
dup, drop, swap	basic explicit stack manipulation
isupper, islower, isalpha, isdigit, isalnum, isspace, iseoln, iscntrl, isgraph, isprint, ispunct, isxdigit, isascii, isuri, match	character classification
lift, lift_to, lifti_to, lift_while	lifting portions of the IP packet for inspection.
move, $offset	moving the current offset within the IP packet
expect, expect_str, expecti_str, expect_while, expect_to, expecti_to, expect_one, assert	verifying IP packet contents.
atoi, ord, chr, ipv4_ntoa, mac_ntoa	data format conversions
be16_to_int, be16_to_uint, be32_to_int, be32_to_uint, le16_to_int, le16_to_uint, le32_to_int, le32_to_uint, char_to_int, char_to_uint	Conversion of big-endian and little-endian integers in string buffers to integers.
localtime, gmtime, tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year, tm_wday	Time localisation and break-down.
print, println, dump, dumpregs, hexdump, sysexec, time_execution	output and debug tools.
ipset_test, ipset_add, ipset_del	working with IPSets
yes, no, hotdrop	passing the verdict back to NetFilter.

Internal Registers

Register Name	Description
$max_while_loops, $max_repeat_loops, $max_actions	Registers to control and limit execution times.
$packet, $packet_len	Entire packet being checked (including headers and data payload)
$data, $data_start, $data_len	Data payload of the packet
$offset, $at_end	Current possition in the packet
$mark	Packet mark value
$indev_hwaddr, $indev_ifindex, $indev_mtu, $indev_name, $indev_type	Attributes of the interface on which the packet arrived.
$outdev_hwaddr, $outdev_ifindex, $outdev_mtu, $outdev_name, $outdev_type	Attributes of the interface on which the packet is to be transmitted.
$srcmac, $dstmac	Source and destination MAC addresses (when known)
$ip_check, $ip_daddr, $ip_frag_off, $ip_reserved_frag, $ip_dont_frag, $ip_more_frags, $ip_id, $ip_ihl, $ip_protocol, $ip_saddr, $ip_tos, $ip_tot_len, $ip_ttl, $ip_version	Registers that aid interpretation of the IP headers for IPv4 as detailed in RFC_791.
$icmp_type, $icmp_code, $icmp_checksum, $icmp_echo_id, $icmp_echo_sequence, $icmp_gateway, $icmp_frag_mtu	ICMP packet header fields. See RFC792 for in-depth details.
$tcp_ack, $tcp_ack_seq, $tcp_check, $tcp_cwr, $tcp_dest, $tcp_doff, $tcp_ece, $tcp_fin, $tcp_psh, $tcp_res1, $tcp_rst, $tcp_seq, $tcp_source, $tcp_syn, $tcp_urg, $tcp_urg_ptr, $tcp_window	TCP/IP packet header fields - see RFC_793 and RFC_3168 for the "official" description of their meanings.
$udp_check, $udp_dest, $udp_len, $udp_source	UDP packet header fields - see RFC_768.
$ct_mark, $ct_bytes, $ct_related, $ct_established, $ct_new, $ct_is_reply, $ct_is_snat, $ct_is_dnat, $ct_proto, $ct_expires, $ct_origsrc, $ct_origdst, $ct_rplysrc, $ct_rplydst	Conntrack integration registers.
$kernel_time, $packet_time	Time registers
$owner_uid, $owner_gid	Attributes of the process associated with the packet.