Crate nftnl

Safe abstraction for libnftnl. Provides low-level userspace access to the in-kernel nf_tables subsystem. See nftnl-sys for the low level FFI bindings to the C library.

Can be used to create and remove tables, chains, sets and rules from the nftables firewall, the successor to iptables.

This library currently has quite rough edges and does not make adding and removing netfilter entries easy or elegant. That is partly because the library needs more work, but also partly because nftables is very low level and extremely customizable, which makes it hard, and probably wrong, to try to build a wrapper that is too simple or limited. See the examples for inspiration. One can also look at how the original project this crate was developed to support, the Mullvad VPN app, uses it.

Understanding how to use libnftnl and implementing this crate has mostly been done by reading the source code of the nftables program and attaching debuggers to the nft binary. Since the implementation is largely based on trial and error, there may well be places where the underlying library is used in an invalid or unintended way. Large portions of libnftnl are also not covered yet. Contributions are welcome!

Selecting version of libnftnl

See the documentation for the corresponding sys crate, nftnl-sys, for details. This crate has the same features as the sys crate, and selecting the version works the same way.

Re-exports

pub use table::Table;
pub use nftnl_sys;

Modules

expr
A module with all the nftables expressions that can be added to Rules to build up how they match against packets.
set
table

Macros

nft_expr
nft_expr_bitwise
nft_expr_cmp
nft_expr_ct
nft_expr_immediate
nft_expr_lookup
nft_expr_meta
nft_expr_payload
nft_expr_socket
nft_expr_verdict
nft_set

Structs

Batch
A batch of netfilter messages to be performed in one atomic operation. Corresponds to nftnl_batch in libnftnl.
Chain
Abstraction of a nftnl_chain. Chains reside inside Tables and they hold Rules.
FinalizedBatch
A wrapper over Batch, guaranteed to start with a proper batch begin and end with a proper batch end message. Created from Batch::finalize.
NetlinkError
Error while communicating with netlink
Rule
A nftables firewall rule.

Enums

ChainType
Base chain type.
Hook
The netfilter event hooks a chain can register for.
MsgType
The type of the message as it is sent to netfilter. A message consists of an object, such as a Table, Chain or Rule, and a MsgType describing what to do with that object. If a Table object is sent with MsgType::Add, that table is added to netfilter; if it is sent with MsgType::Del, it is removed.
Policy
A chain policy. Decides what to do with a packet that was processed by the chain but did not match any rules.
ProtoFamily
Denotes a protocol. Used to specify which protocol a table or set belongs to.

Traits

NlMsg
Trait for all types in this crate that can serialize to a Netlink message.

Functions

batch_is_supported
Check if the kernel supports batched netlink messages to netfilter.
default_batch_page_size
The selected batch page is 256 Kbytes long, large enough to load a ruleset of half a million rules without hitting -EMSGSIZE due to a large iovec.
nft_nlmsg_maxsize
The largest nf_tables netlink message is the set element message, which contains the NFTA_SET_ELEM_LIST_ELEMENTS attribute. This attribute is a nest that describes the set elements. Given that the netlink attribute length (nla_len) is 16 bits, the largest message is a bit larger than 64 KBytes.

Type Aliases

Priority