nftables_async/
lib.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
use std::process::Stdio;

use nftables::{helper::NftablesError, schema::Nftables};
use tokio::{io::AsyncWriteExt, process::Command};

const NFT_DEFAULT_PROGRAM: &str = "nft";

pub async fn apply_ruleset(
    nftables: impl AsRef<Nftables>,
    program: Option<&str>,
    args: Option<Vec<&str>>,
) -> Result<(), NftablesError> {
    let payload =
        serde_json::to_string(nftables.as_ref()).map_err(NftablesError::NftInvalidJson)?;
    apply_ruleset_raw(payload, program, args).await
}

pub async fn apply_ruleset_raw(
    payload: String,
    program: Option<&str>,
    args: Option<Vec<&str>>,
) -> Result<(), NftablesError> {
    let program = program.unwrap_or(NFT_DEFAULT_PROGRAM);
    let mut command = Command::new(program);
    command.arg("-j").arg("-f").arg("-");

    if let Some(args) = args {
        command.args(args);
    }

    command
        .stdin(Stdio::piped())
        .stdout(Stdio::piped())
        .stderr(Stdio::piped());

    let mut child = command.spawn().map_err(|err| NftablesError::NftExecution {
        program: program.to_owned(),
        inner: err,
    })?;

    let mut stdin = child
        .stdin
        .take()
        .expect("Stdin was piped to Tokio but could not be retrieved");
    stdin
        .write_all(payload.as_bytes())
        .await
        .map_err(|err| NftablesError::NftExecution {
            program: program.to_owned(),
            inner: err,
        })?;
    drop(stdin);

    match child.wait_with_output().await {
        Ok(output) if output.status.success() => Ok(()),
        Ok(output) => {
            let stdout = read(program, output.stdout)?;
            let stderr = read(program, output.stderr)?;

            Err(NftablesError::NftFailed {
                program: program.to_owned(),
                hint: "applying ruleset".to_string(),
                stdout,
                stderr,
            })
        }
        Err(err) => Err(NftablesError::NftExecution {
            program: program.to_owned(),
            inner: err,
        }),
    }
}

pub async fn get_current_ruleset(
    program: Option<&str>,
    args: Option<Vec<&str>>,
) -> Result<Nftables, NftablesError> {
    let output = get_current_ruleset_raw(program, args).await?;
    serde_json::from_str(&output).map_err(NftablesError::NftInvalidJson)
}

pub async fn get_current_ruleset_raw(
    program: Option<&str>,
    args: Option<Vec<&str>>,
) -> Result<String, NftablesError> {
    let program = program.unwrap_or(NFT_DEFAULT_PROGRAM);
    let mut command = Command::new(program);
    command.arg("-j").arg("list").arg("ruleset");
    if let Some(args) = args {
        command.args(args);
    }

    let output = command
        .output()
        .await
        .map_err(|err| NftablesError::NftExecution {
            program: program.to_owned(),
            inner: err,
        })?;

    let stdout = read(program, output.stdout)?;

    if !output.status.success() {
        let stderr = read(program, output.stderr)?;

        return Err(NftablesError::NftFailed {
            program: program.to_owned(),
            hint: "getting the current ruleset".to_string(),
            stdout,
            stderr,
        });
    }

    Ok(stdout)
}

#[inline]
fn read(program: &str, stream: Vec<u8>) -> Result<String, NftablesError> {
    String::from_utf8(stream).map_err(|err| NftablesError::NftOutputEncoding {
        program: program.to_owned(),
        inner: err,
    })
}