rustables/lib.rs
1// Copyryght (c) 2021-2022 GPL lafleur@boum.org and Simon Thoby
2//
3// This file is free software: you may copy, redistribute and/or modify it
4// under the terms of the GNU General Public License as published by the
5// Free Software Foundation, either version 3 of the License, or (at your
6// option) any later version.
7//
8// This file is distributed in the hope that it will be useful, but
9// WITHOUT ANY WARRANTY; without even the implied warranty of
10// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11// General Public License for more details.
12//
13// You should have received a copy of the GNU General Public License
14// along with this program. If not, see the LICENSE file.
15//
16// This file incorporates work covered by the following copyright and
17// permission notice:
18//
19// Copyright 2018 Amagicom AB.
20//
21// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
22// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
23// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
24// option. This file may not be copied, modified, or distributed
25// except according to those terms.
26
27//! Safe abstraction for userspace access to the in-kernel nf_tables subsystem.
28//! Can be used to create and remove tables, chains, sets and rules from the nftables
29//! firewall, the successor to iptables.
30//!
31//! This library currently has quite rough edges and does not make adding and removing netfilter
32//! entries super easy and elegant. That is partly because the library needs more work, but also
33//! partly because nftables is super low level and extremely customizable, making it hard, and
34//! probably wrong, to try and create a too simple/limited wrapper. See examples for inspiration.
35//!
36//! Understanding how to use the netlink subsystem and implementing this crate has mostly been done by
37//! reading the source code for the [`nftables`] userspace program and its corresponding kernel code,
38//! as well as attaching debuggers to the `nft` binary.
39//! Since the implementation is mostly based on trial and error, there might of course be
40//! a number of places where the forged netlink messages are used in an invalid or not intended way.
41//! Contributions are welcome!
42//!
43//! [`nftables`]: https://netfilter.org/projects/nftables/
44
45#[macro_use]
46extern crate log;
47
48use libc;
49
50use rustables_macros::nfnetlink_enum;
51use std::convert::TryFrom;
52
53mod batch;
54pub use batch::{default_batch_page_size, Batch};
55
56pub mod data_type;
57
58mod table;
59pub use table::list_tables;
60pub use table::Table;
61
62mod chain;
63pub use chain::list_chains_for_table;
64pub use chain::{Chain, ChainPolicy, ChainPriority, ChainType, Hook, HookClass};
65
66pub mod error;
67
68pub mod query;
69
70pub(crate) mod nlmsg;
71pub(crate) mod parser;
72pub(crate) mod parser_impls;
73
74mod rule;
75pub use rule::list_rules_for_chain;
76pub use rule::Rule;
77
78pub mod expr;
79
80mod rule_methods;
81pub use rule_methods::{iface_index, Protocol};
82
83pub mod set;
84pub use set::Set;
85
86pub mod sys;
87
88#[cfg(test)]
89mod tests;
90
91/// The type of the message as it's sent to netfilter. A message consists of an object, such as a
92/// [`Table`], [`Chain`] or [`Rule`] for example, and a [`MsgType`] to describe what to do with
93/// that object. If a [`Table`] object is sent with `MsgType::Add` then that table will be added
94/// to netfilter, if sent with `MsgType::Del` it will be removed.
95///
96/// [`Table`]: struct.Table.html
97/// [`Chain`]: struct.Chain.html
98/// [`Rule`]: struct.Rule.html
99/// [`MsgType`]: enum.MsgType.html
100#[derive(Debug, Copy, Clone, Eq, PartialEq)]
101pub enum MsgType {
102 /// Add the object to netfilter.
103 Add,
104 /// Remove the object from netfilter.
105 Del,
106}
107
108/// Denotes a protocol. Used to specify which protocol a table or set belongs to.
109#[derive(Debug, Copy, Clone, PartialEq, Eq)]
110#[nfnetlink_enum(i32)]
111pub enum ProtocolFamily {
112 Unspec = libc::NFPROTO_UNSPEC,
113 /// Inet - Means both IPv4 and IPv6
114 Inet = libc::NFPROTO_INET,
115 Ipv4 = libc::NFPROTO_IPV4,
116 Arp = libc::NFPROTO_ARP,
117 NetDev = libc::NFPROTO_NETDEV,
118 Bridge = libc::NFPROTO_BRIDGE,
119 Ipv6 = libc::NFPROTO_IPV6,
120 DecNet = libc::NFPROTO_DECNET,
121}
122
123impl Default for ProtocolFamily {
124 fn default() -> Self {
125 ProtocolFamily::Unspec
126 }
127}