Crate nf_tables

Access to Linux's nf_tables subsystem in pure Rust.

This crate communicates directly with the kernel over netlink and avoids shelling out to the nftables tool or calling C libraries.

In addition to the expression-based system used by nf_tables, this crate provides RuleBuilder for simpler rule creation, with an interface closer to that of the nftables tool.

§Basic Usage

use std::net::{IpAddr, Ipv4Addr};

use nf_tables::{Batch, Connection, Hook, Policy, ProtoFamily};
// The command structs are taken from the `commands` module and the rule
// builder from the `rule` module (module paths assumed from the module
// list below).
use nf_tables::commands::{AddChain, AddRule, AddTable, ChainHook};
use nf_tables::rule::{RuleBuilder, Verdict};

// Open a netlink connection to the nf_tables subsystem.
let mut conn = Connection::new().unwrap();

// Prepare a list of commands.
let mut batch = Batch::new();

// Create a new table.
// Equivalent to "nft add table inet MyLittleFirewall"
batch.push(AddTable {
    name: c"MyLittleFirewall".into(),
    proto: ProtoFamily::Inet,
    flags: 0,
});

// Create a new chain in the table capturing packets that are being forwarded.
// Equivalent to "nft add chain inet MyLittleFirewall FORWARD { type filter hook forward priority 0; policy drop; }"
batch.push(AddChain {
    table: c"MyLittleFirewall".into(),
    proto: ProtoFamily::Inet,
    name: c"FORWARD".into(),
    hook: Some(ChainHook {
        hook: Hook::Forward,
        priority: 0,
        policy: Policy::Drop,
    }),
});

// Add a new rule allowing all traffic coming from 10.0.0.0/8.
// Equivalent to "nft add rule inet MyLittleFirewall FORWARD ip saddr 10.0.0.0/8 accept"
batch.push(AddRule {
    table: c"MyLittleFirewall".into(),
    proto: ProtoFamily::Inet,
    chain: c"FORWARD".into(),
    // None appends the rule at the end of the chain.
    position: None,
    exprs: RuleBuilder::new()
        .with_ip_saddr_prefix(IpAddr::V4(Ipv4Addr::new(10, 0, 0, 0)), 8)
        .with_verdict(Verdict::Accept)
        .build(),
});

// Send the whole batch to the kernel.
let results = conn.execute(&batch).unwrap();

// Results are returned in the order the commands were pushed:
// index 0 is the table, 1 the chain, 2 the rule.
for result in results {
    match result.index {
        1 => println!("New chain has handle {:?}", result.handle),
        2 => println!("New rule has handle {:?}", result.handle),
        _ => {}
    }
}

Note that modifying network configuration requires root privileges or the CAP_NET_ADMIN capability. If the current process lacks it, Connection::new may still succeed without error, but Connection::execute will fail with EPERM for every batch.
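Because the failure only surfaces at Connection::execute, a pre-flight capability check makes the EPERM case easier to diagnose. The following is an added example and is not code from the nf_tables crate: it parses the CapEff line of /proc/self/status and tests bit 12, the CAP_NET_ADMIN index from <linux/capability.h>. The function names and the sample status documents are the example's own.

```rust
// Added example, not part of the nf_tables crate: check for CAP_NET_ADMIN
// before sending a batch, so a missing capability is reported up front
// rather than as EPERM from Connection::execute.
use std::fs;
use std::io;

/// Bit index of CAP_NET_ADMIN in the Linux capability bitmask
/// (value from <linux/capability.h>).
pub const CAP_NET_ADMIN: u32 = 12;

/// Extract the effective capability mask from the text of /proc/<pid>/status.
/// The `CapEff:` line carries the mask as a hexadecimal string.
/// Returns None if the line is missing or is not valid hex.
pub fn effective_caps(status: &str) -> Option<u64> {
    status
        .lines()
        .find_map(|line| line.strip_prefix("CapEff:"))
        .and_then(|hex| u64::from_str_radix(hex.trim(), 16).ok())
}

/// True if capability bit `cap` is set in `mask`.
pub fn has_cap(mask: u64, cap: u32) -> bool {
    cap < 64 && (mask >> cap) & 1 == 1
}

/// Read this process's effective capabilities and report whether it may
/// modify nf_tables state (CAP_NET_ADMIN present).
pub fn can_modify_nftables() -> io::Result<bool> {
    let status = fs::read_to_string("/proc/self/status")?;
    let mask = effective_caps(&status).ok_or_else(|| {
        io::Error::new(io::ErrorKind::InvalidData, "no CapEff line in /proc/self/status")
    })?;
    Ok(has_cap(mask, CAP_NET_ADMIN))
}

fn main() {
    // Constructed sample status documents (not captured from a real system):
    // a process with a full capability set and an unprivileged one.
    let privileged = "Name:\tfirewalld\nCapEff:\t000001ffffffffff\n";
    let unprivileged = "Name:\tfirewalld\nCapEff:\t0000000000000000\n";
    for (label, doc) in [("privileged", privileged), ("unprivileged", unprivileged)] {
        let ok = effective_caps(doc).map_or(false, |m| has_cap(m, CAP_NET_ADMIN));
        println!("{label}: CAP_NET_ADMIN = {ok}");
    }

    // Live check of the current process; on Linux this reads /proc/self/status.
    match can_modify_nftables() {
        Ok(true) => println!("CAP_NET_ADMIN present, Connection::execute should be permitted"),
        Ok(false) => println!("CAP_NET_ADMIN missing, Connection::execute would return EPERM"),
        Err(e) => println!("could not read capabilities: {e}"),
    }
}
```

Run the check once at startup and exit with a clear message if it fails; this also works for a process that has dropped root but kept CAP_NET_ADMIN, since the effective set is what the kernel consults.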

§Syscalls

Since processes that manage nftables rules typically run with elevated privileges, this crate limits the number of syscalls it makes, so that it can be confined with a seccomp filter.

This crate makes the following syscalls:

Modules§

commands
rule

Structs§

Batch
A series of Commands.
CommandResult
Connection
A connection to the nf_tables subsystem.
Error
Handle
An opaque handle to a nf_tables object.

Enums§

Command
Hook
Policy
ProtoFamily