libnftables1-sys 1.0.0

FFI bindings for libnftables1.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

# Patch Analysis: JSON Output Support

## Email Request Summary

The contributor from the "reaction" project (a fail2ban alternative) requests adding JSON output support. They need to set the `NFT_CTX_OUTPUT_JSON` flag but cannot access it because `ctx` is private to the `Nftables` struct.

## Original Proposed Patch

```rust
pub fn set_json(&mut self) {
    self.set_flags(1 << 4);
}
```

## Recommendation: **ACCEPT** (with improvements)

### Risk Assessment: **VERY LOW**

The patch is safe and follows existing patterns perfectly.

## Improvements Applied

Instead of accepting the patch as-is with hardcoded bit values, I've made the codebase **more maintainable** by using named constants from the libnftables header.

### Changes Made

#### 1. Updated `build.rs` (line 71)
**Added**: `.allowlist_var("NFT_.*")` to bindgen configuration

**Why**: This tells bindgen to generate Rust constants for all C constants starting with `NFT_`, including:
- `NFT_CTX_OUTPUT_HANDLE` (bit 3)
- `NFT_CTX_OUTPUT_JSON` (bit 4)  
- `NFT_CTX_OUTPUT_NUMERIC_TIME` (bit 10)
- All other NFT_CTX_OUTPUT_* flags

These constants are defined in `/usr/include/nftables/libnftables.h` lines 58-75.

#### 2. Updated `src/lib.rs`
**Changed three methods** to use named constants instead of magic numbers:

**Before**:
```rust
pub fn set_output_handle(&mut self) {
    self.set_flags(1 << 3);
}

pub fn set_numeric_time(&mut self) {
    self.set_flags(1 << 10);
}
```

**After**:
```rust
pub fn set_output_handle(&mut self) {
    self.set_flags(NFT_CTX_OUTPUT_HANDLE);
}

pub fn set_numeric_time(&mut self) {
    self.set_flags(NFT_CTX_OUTPUT_NUMERIC_TIME);
}

pub fn set_json(&mut self) {
    self.set_flags(NFT_CTX_OUTPUT_JSON);
}
```

## Benefits

### 1. **Maintainability**
- No more magic numbers (`1 << 3`, `1 << 4`, `1 << 10`)
- Self-documenting code
- If libnftables changes flag values (unlikely but possible), a rebuild picks up the new values automatically

### 2. **Correctness**
- Constants come directly from libnftables header
- No risk of typos in bit positions
- Compiler will error if constant doesn't exist

### 3. **Consistency**
- All three flag setter methods now use the same pattern
- Follows Rust FFI best practices
- Matches approach used by other libnftables-sys implementations (see chifflier/libnftables-sys PR #1)

### 4. **Discoverability**
- Other `NFT_CTX_OUTPUT_*` constants now available for future use:
  - `NFT_CTX_OUTPUT_REVERSEDNS`
  - `NFT_CTX_OUTPUT_SERVICE`
  - `NFT_CTX_OUTPUT_STATELESS`
  - `NFT_CTX_OUTPUT_ECHO`
  - `NFT_CTX_OUTPUT_GUID`
  - `NFT_CTX_OUTPUT_NUMERIC_PROTO`
  - `NFT_CTX_OUTPUT_NUMERIC_PRIO`
  - `NFT_CTX_OUTPUT_NUMERIC_SYMBOL`
  - `NFT_CTX_OUTPUT_NUMERIC_ALL`
  - `NFT_CTX_OUTPUT_TERSE`

## No Breaking Changes

- All changes are **additive** or **internal improvements**
- Existing API unchanged (except now uses constants internally)
- Builds should still work identically
- Tests should still pass

## Historical Context

This fix was previously applied in chifflier/libnftables-sys PR #1 (January 2022) when updating for nftables 1.0.0 compatibility. The PR added:
1. `.allowlist_var("NFT_CTX_.*")` to build.rs
2. Use of `NFT_CTX_OUTPUT_JSON` constant instead of hardcoded values

We're applying the same best practice here.

## Testing

After these changes:
1. Clean build should succeed: `cargo clean && cargo build`
2. Tests should pass (with root): `sudo -E cargo test`
3. Generated bindings will include NFT_CTX_OUTPUT_* constants

## Response to Contributor

**Suggested email response**:

```
Thank you for the patch and for using libnftables1-sys in your project!

I've accepted your request to add JSON support, but made a small improvement:
instead of hardcoding bit values (1 << 4), the code now uses the named
constant NFT_CTX_OUTPUT_JSON from the libnftables header.

I also updated the existing set_output_handle() and set_numeric_time()
methods to use named constants (NFT_CTX_OUTPUT_HANDLE and
NFT_CTX_OUTPUT_NUMERIC_TIME) for consistency.

The new method is:

    pub fn set_json(&mut self) {
        self.set_flags(NFT_CTX_OUTPUT_JSON);
    }

This makes the code more maintainable and self-documenting. The build.rs
now includes `.allowlist_var("NFT_.*")` so all NFT_CTX_OUTPUT_* constants
are available.

The changes are committed and will be in the next release.
```

## References

- libnftables header: `/usr/include/nftables/libnftables.h`
- Original implementation: https://github.com/chifflier/libnftables-sys/pull/1
- NFT_CTX_OUTPUT flags defined at: libnftables.h:58-75