nftnl 0.9.2

Safe abstraction for libnftnl. Provides low-level userspace access to the in-kernel nf_tables subsystem
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

use super::{Expression, Rule};
use crate::ProtoFamily;
use nftnl_sys::{self as sys, libc};
use std::{
    ffi::{CStr, CString},
    ptr,
};

/// A verdict expression. In the background, this is usually an "Immediate" expression in nftnl
/// terms, but here it is simplified to only represent a verdict.
#[derive(Debug, Clone, Eq, PartialEq, Hash)]
pub enum Verdict {
    /// Silently drop the packet.
    Drop,
    /// Accept the packet and let it pass.
    Accept,
    /// Reject the packet and return a message.
    Reject(RejectionType),
    Queue,
    Continue,
    Break,
    Jump {
        chain: CString,
    },
    Goto {
        chain: CString,
    },
    Return,
}

/// The type of rejection message sent by the Reject verdict.
#[derive(Debug, Clone, Copy, Eq, PartialEq, Hash)]
pub enum RejectionType {
    /// Return an ICMP unreachable packet
    Icmp(IcmpCode),
    /// Reject by sending a TCP RST packet
    TcpRst,
}

impl RejectionType {
    fn to_raw(self, family: ProtoFamily) -> u32 {
        use libc::*;
        let value = match self {
            RejectionType::Icmp(..) => match family {
                ProtoFamily::Bridge | ProtoFamily::Inet => NFT_REJECT_ICMPX_UNREACH,
                _ => NFT_REJECT_ICMP_UNREACH,
            },
            RejectionType::TcpRst => NFT_REJECT_TCP_RST,
        };
        value as u32
    }
}

/// An ICMP reject code.
#[derive(Debug, Clone, Copy, Eq, PartialEq, Hash)]
#[repr(u8)]
pub enum IcmpCode {
    NoRoute = libc::NFT_REJECT_ICMPX_NO_ROUTE as u8,
    PortUnreach = libc::NFT_REJECT_ICMPX_PORT_UNREACH as u8,
    HostUnreach = libc::NFT_REJECT_ICMPX_HOST_UNREACH as u8,
    AdminProhibited = libc::NFT_REJECT_ICMPX_ADMIN_PROHIBITED as u8,
}

impl Verdict {
    unsafe fn to_immediate_expr(&self, immediate_const: i32) -> ptr::NonNull<sys::nftnl_expr> {
        let expr = try_alloc!(unsafe { sys::nftnl_expr_alloc(c"immediate".as_ptr()) });

        unsafe {
            sys::nftnl_expr_set_u32(
                expr.as_ptr(),
                sys::NFTNL_EXPR_IMM_DREG as u16,
                libc::NFT_REG_VERDICT as u32,
            )
        };

        if let Some(chain) = self.chain() {
            unsafe {
                sys::nftnl_expr_set_str(
                    expr.as_ptr(),
                    sys::NFTNL_EXPR_IMM_CHAIN as u16,
                    chain.as_ptr(),
                )
            };
        }
        unsafe {
            sys::nftnl_expr_set_u32(
                expr.as_ptr(),
                sys::NFTNL_EXPR_IMM_VERDICT as u16,
                immediate_const as u32,
            )
        };

        expr
    }

    unsafe fn to_reject_expr(
        &self,
        reject_type: RejectionType,
        family: ProtoFamily,
    ) -> ptr::NonNull<sys::nftnl_expr> {
        let expr = try_alloc!(unsafe { sys::nftnl_expr_alloc(c"reject".as_ptr()) });

        unsafe {
            sys::nftnl_expr_set_u32(
                expr.as_ptr(),
                sys::NFTNL_EXPR_REJECT_TYPE as u16,
                reject_type.to_raw(family),
            )
        };

        let reject_code = match reject_type {
            RejectionType::Icmp(code) => code as u8,
            RejectionType::TcpRst => 0,
        };

        unsafe {
            sys::nftnl_expr_set_u8(
                expr.as_ptr(),
                sys::NFTNL_EXPR_REJECT_CODE as u16,
                reject_code,
            )
        };

        expr
    }

    fn chain(&self) -> Option<&CStr> {
        match *self {
            Verdict::Jump { ref chain } => Some(chain.as_c_str()),
            Verdict::Goto { ref chain } => Some(chain.as_c_str()),
            _ => None,
        }
    }
}

impl Expression for Verdict {
    fn to_expr(&self, rule: &Rule) -> ptr::NonNull<sys::nftnl_expr> {
        let immediate_const = match *self {
            Verdict::Drop => libc::NF_DROP,
            Verdict::Accept => libc::NF_ACCEPT,
            Verdict::Queue => libc::NF_QUEUE,
            Verdict::Continue => libc::NFT_CONTINUE,
            Verdict::Break => libc::NFT_BREAK,
            Verdict::Jump { .. } => libc::NFT_JUMP,
            Verdict::Goto { .. } => libc::NFT_GOTO,
            Verdict::Return => libc::NFT_RETURN,
            Verdict::Reject(reject_type) => {
                return unsafe {
                    self.to_reject_expr(reject_type, rule.get_chain().get_table().get_family())
                };
            }
        };
        unsafe { self.to_immediate_expr(immediate_const) }
    }
}

#[macro_export]
macro_rules! nft_expr_verdict {
    (drop) => {
        $crate::expr::Verdict::Drop
    };
    (accept) => {
        $crate::expr::Verdict::Accept
    };
    (reject icmp $code:expr) => {
        $crate::expr::Verdict::Reject(RejectionType::Icmp($code))
    };
    (reject tcp-rst) => {
        $crate::expr::Verdict::Reject(RejectionType::TcpRst)
    };
    (queue) => {
        $crate::expr::Verdict::Queue
    };
    (continue) => {
        $crate::expr::Verdict::Continue
    };
    (break) => {
        $crate::expr::Verdict::Break
    };
    (jump $chain:expr) => {
        $crate::expr::Verdict::Jump { chain: $chain }
    };
    (goto $chain:expr) => {
        $crate::expr::Verdict::Goto { chain: $chain }
    };
    (return) => {
        $crate::expr::Verdict::Return
    };
}