#[non_exhaustive]
pub struct NftablesDiff {
    pub tables_to_add: Vec<DeclaredTable>,
    pub tables_to_delete: Vec<(Family, String)>,
    pub chains_to_add: Vec<(String, Family, DeclaredChain)>,
    pub chains_to_delete: Vec<(String, Family, String)>,
    pub rules_to_add: Vec<DeclaredRule>,
    pub rules_to_delete: Vec<(String, Family, String, RuleHandle)>,
    pub rules_to_replace: Vec<(String, Family, String, RuleHandle, DeclaredRule)>,
    pub flowtables_to_add: Vec<DeclaredFlowtable>,
    pub flowtables_to_delete: Vec<(Family, String, String)>,
}
The result of comparing a declared NftablesConfig against
the kernel’s current state. Apply via
Self::apply.
is_empty() returns true when declared and current already
agree (idempotent reapply).
Fields (Non-exhaustive)
This struct is marked as non-exhaustive: it cannot be constructed with Struct { .. } syntax, cannot be matched against without a wildcard .., and struct update syntax will not work.
tables_to_add: Vec<DeclaredTable>
Tables to create.
tables_to_delete: Vec<(Family, String)>
Tables to delete (family, name).
chains_to_add: Vec<(String, Family, DeclaredChain)>
Chains to create — (owning table, owning family, chain).
chains_to_delete: Vec<(String, Family, String)>
Chains to delete — (table, family, name).
rules_to_add: Vec<DeclaredRule>
Rules to add — paired with owning table/chain/family.
rules_to_delete: Vec<(String, Family, String, RuleHandle)>
Rules to delete — (table, family, chain, kernel_handle).
Chain is carried explicitly because the kernel rejects an
NFT_MSG_DELRULE with an empty NFTA_RULE_CHAIN even when
NFTA_RULE_HANDLE is supplied (returns ENOENT); the
earlier (table, family, handle) shape relied on a kernel
behavior that doesn’t actually hold. Plan 178 closeout.
rules_to_replace: Vec<(String, Family, String, RuleHandle, DeclaredRule)>
Rules to replace in-place. Each entry is
(table, family, chain, kernel_handle, replacement) —
emits NFT_MSG_NEWRULE | NLM_F_REPLACE | NFTA_RULE_HANDLE
so the kernel atomically swaps the rule body at that
handle (preserves position, no flush).
Populated by NftablesConfig::diff when a declared
keyed rule matches a kernel rule by NFTA_RULE_USERDATA
comment but the expression bytes differ. Plan 157b v2.
flowtables_to_add: Vec<DeclaredFlowtable>
Flowtables to add.
flowtables_to_delete: Vec<(Family, String, String)>
Flowtables to delete — (family, table, name).
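The classification the field descriptions above imply (add when a declared key is absent, replace when the key matches but the expression bytes differ, delete when a kernel rule has no declared counterpart, and an empty diff on idempotent reapply) as a self-contained added example. This is not nlink's code: the types KeyedRule, KernelRule and RuleDiff, the functions diff_rules, apply_simulated and demo, and the sample rules are all constructed here, and the rule-level model is simplified (no tables, families or flowtables, and the kernel is simulated in memory).

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Constructed stand-in for a declared rule, keyed by the comment that would
/// travel in NFTA_RULE_USERDATA, with opaque expression bytes.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct KeyedRule {
    pub chain: String,
    pub key: String,
    pub expr: Vec<u8>,
}

/// Constructed stand-in for a rule as read back from the kernel: same fields
/// plus the kernel-assigned handle.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct KernelRule {
    pub chain: String,
    pub handle: u64,
    pub key: String,
    pub expr: Vec<u8>,
}

/// Simplified diff covering only the rule-level parts of the real struct.
#[derive(Default, Debug, PartialEq, Eq)]
pub struct RuleDiff {
    pub to_add: Vec<KeyedRule>,
    /// (chain, handle): the chain travels with the handle, as a delete needs both.
    pub to_delete: Vec<(String, u64)>,
    /// (chain, handle, replacement): in-place swap at that handle.
    pub to_replace: Vec<(String, u64, KeyedRule)>,
}

impl RuleDiff {
    pub fn change_count(&self) -> usize {
        self.to_add.len() + self.to_delete.len() + self.to_replace.len()
    }
    pub fn is_empty(&self) -> bool {
        self.change_count() == 0
    }
}

/// Compare declared rules against the kernel's current rules by (chain, key).
pub fn diff_rules(declared: &[KeyedRule], current: &[KernelRule]) -> RuleDiff {
    let by_key: BTreeMap<(&str, &str), &KernelRule> = current
        .iter()
        .map(|r| ((r.chain.as_str(), r.key.as_str()), r))
        .collect();
    let mut wanted = BTreeSet::new();
    let mut diff = RuleDiff::default();
    for d in declared {
        let k = (d.chain.as_str(), d.key.as_str());
        wanted.insert(k);
        match by_key.get(&k) {
            None => diff.to_add.push(d.clone()),
            Some(cur) if cur.expr != d.expr => {
                diff.to_replace.push((cur.chain.clone(), cur.handle, d.clone()))
            }
            Some(_) => {} // key and bytes agree: nothing to do
        }
    }
    for r in current {
        if !wanted.contains(&(r.chain.as_str(), r.key.as_str())) {
            diff.to_delete.push((r.chain.clone(), r.handle));
        }
    }
    diff
}

/// Simulate the kernel committing the diff as one batch: deletes, in-place
/// replaces (handle and position preserved), then adds with fresh handles.
pub fn apply_simulated(current: &[KernelRule], diff: &RuleDiff, next_handle: &mut u64) -> Vec<KernelRule> {
    let mut state = current.to_vec();
    state.retain(|r| !diff.to_delete.iter().any(|(c, h)| *c == r.chain && *h == r.handle));
    for (chain, handle, rep) in &diff.to_replace {
        if let Some(r) = state.iter_mut().find(|r| r.chain == *chain && r.handle == *handle) {
            r.expr = rep.expr.clone();
        }
    }
    for d in &diff.to_add {
        *next_handle += 1;
        state.push(KernelRule { chain: d.chain.clone(), handle: *next_handle, key: d.key.clone(), expr: d.expr.clone() });
    }
    state
}

/// Constructed scenario: one rule drifted (ssh port changed), one is missing
/// (dns), one is stale (telnet). Returns (first change_count, second diff is empty).
pub fn demo() -> (usize, bool) {
    let rule = |key: &str, expr: &str| KeyedRule { chain: "input".into(), key: key.into(), expr: expr.as_bytes().to_vec() };
    let declared = vec![rule("allow-ssh", "tcp dport 22 accept"), rule("allow-dns", "udp dport 53 accept")];
    let current = vec![
        KernelRule { chain: "input".into(), handle: 7, key: "allow-ssh".into(), expr: b"tcp dport 2222 accept".to_vec() },
        KernelRule { chain: "input".into(), handle: 9, key: "allow-telnet".into(), expr: b"tcp dport 23 accept".to_vec() },
    ];
    let first = diff_rules(&declared, &current);
    let mut next_handle = 9;
    let after = apply_simulated(&current, &first, &mut next_handle);
    let second = diff_rules(&declared, &after);
    (first.change_count(), second.is_empty())
}

fn main() {
    let (changes, idempotent) = demo();
    println!("first apply: {changes} changes; reapply is a no-op: {idempotent}");
}
```

The second diff being empty is the property the description calls idempotent reapply; keying on the comment rather than on rule position is what lets a drifted rule be swapped at its existing handle instead of deleted and re-added.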
Implementations
impl NftablesDiff
pub async fn apply(&self, conn: &Connection<Nftables>) -> Result<usize>
Apply the diff to the kernel atomically.
Builds a single Transaction covering every change in the
diff and commits it in one NFNL_MSG_BATCH_BEGIN ... BATCH_END round-trip. The kernel either accepts the whole
batch (full diff visible to other readers in one step) or
rejects the whole batch (kernel rolls back; no
intermediate state observable).
Returns the diff’s change_count on success — a
caller-visible “we did N things” signal useful for
tracing::info!-style post-apply logging.
pub async fn apply_reconcile(
    &self,
    conn: &Connection<Nftables>,
    opts: ReconcileOptions,
) -> Result<ReconcileReport>
Apply with bounded retry on transient kernel-busy errors (EBUSY / EAGAIN). Useful when another process may be mutating the same ruleset concurrently, e.g. systemd-resolved and a node firewall tool both calling nft simultaneously.
On EBUSY / EAGAIN, sleeps opts.backoff × 2^attempt and
retries up to opts.max_retries times. Non-transient errors
surface immediately (caller’s responsibility to handle).
Returns a ReconcileReport with the attempt count + the
diff that was finally applied. Total wall time is bounded
by Σ(opts.backoff × 2^i) for i in 0..max_retries.
Example
use nlink::netlink::nftables::config::{NftablesConfig, ReconcileOptions};
use std::time::Duration;
let cfg = NftablesConfig::new() /* ... */;
let diff = cfg.diff(&conn).await?;
let report = diff
.apply_reconcile(&conn, ReconcileOptions::default())
.await?;
if report.attempts > 1 {
tracing::warn!(retries = report.attempts - 1, "transient conflict");
}
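The retry loop described for apply_reconcile (sleep backoff × 2^attempt on EBUSY / EAGAIN, at most max_retries retries, non-transient errors surfacing immediately, total sleep bounded by Σ backoff × 2^i) as an added, self-contained example. This is not nlink's implementation: ApplyError, the local ReconcileOptions and ReconcileReport stand-ins, apply_with_retry, worst_case_sleep and simulate are constructed here, the "kernel" is a closure that fails a fixed number of times, and sleeping is injected so the run records delays instead of waiting.

```rust
use std::time::Duration;

/// Constructed error type standing in for the errno values apply can return.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ApplyError {
    Busy,       // EBUSY: transient
    Again,      // EAGAIN: transient
    Permission, // EPERM: surfaces immediately
}

impl ApplyError {
    pub fn is_transient(self) -> bool {
        matches!(self, ApplyError::Busy | ApplyError::Again)
    }
}

/// Stand-in for the page's ReconcileOptions: base backoff and retry budget.
#[derive(Debug, Clone, Copy)]
pub struct ReconcileOptions {
    pub backoff: Duration,
    pub max_retries: u32,
}

/// Stand-in for the page's ReconcileReport, extended with the total time slept.
#[derive(Debug, PartialEq, Eq)]
pub struct ReconcileReport {
    pub attempts: u32,
    pub slept: Duration,
}

/// Run `apply` until it succeeds, retrying transient errors at most
/// `opts.max_retries` times and sleeping backoff * 2^i before retry i (0-based).
/// `sleep` is injected so a test can record delays instead of waiting.
pub fn apply_with_retry<F, S>(opts: ReconcileOptions, mut apply: F, mut sleep: S) -> Result<ReconcileReport, ApplyError>
where
    F: FnMut() -> Result<(), ApplyError>,
    S: FnMut(Duration),
{
    let mut slept = Duration::ZERO;
    let mut retries = 0u32;
    loop {
        match apply() {
            Ok(()) => return Ok(ReconcileReport { attempts: retries + 1, slept }),
            Err(e) if e.is_transient() && retries < opts.max_retries => {
                let delay = opts.backoff * 2u32.pow(retries);
                sleep(delay);
                slept += delay;
                retries += 1;
            }
            Err(e) => return Err(e), // non-transient, or retry budget exhausted
        }
    }
}

/// The bound quoted in the doc: sum of backoff * 2^i for i in 0..max_retries.
pub fn worst_case_sleep(opts: ReconcileOptions) -> Duration {
    (0..opts.max_retries).map(|i| opts.backoff * 2u32.pow(i)).sum()
}

/// Drive the loop against a constructed "kernel" that fails with `err` for the
/// first `failures` calls and then succeeds; sleeps are recorded, not performed.
pub fn simulate(failures: u32, err: ApplyError, opts: ReconcileOptions) -> Result<ReconcileReport, ApplyError> {
    let mut calls = 0u32;
    apply_with_retry(
        opts,
        || {
            calls += 1;
            if calls <= failures { Err(err) } else { Ok(()) }
        },
        |_delay| {},
    )
}

fn main() {
    let opts = ReconcileOptions { backoff: Duration::from_millis(10), max_retries: 5 };
    println!("two EBUSY then success: {:?}", simulate(2, ApplyError::Busy, opts));
    println!("EPERM surfaces at once: {:?}", simulate(1, ApplyError::Permission, opts));
    println!("worst-case sleep: {:?}", worst_case_sleep(opts));
}
```

With backoff 10 ms and max_retries 5 the worst case is 10 + 20 + 40 + 80 + 160 = 310 ms, which is the figure a caller should budget for before treating a persistent EBUSY as a real conflict rather than a transient one.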
impl NftablesDiff
pub fn change_count(&self) -> usize
Total number of changes (sum of all add/delete counts).
pub fn summary(&self) -> String
Deprecated since 0.19.0: use Display via format!("{}") or diff.to_string() instead — Plan 188 §2.6
Render a one-line-per-change human summary. Useful for
tracing::info! or CLI output.
Equivalent to format!("{self}") — Plan 183 (0.18) made
the std::fmt::Display impl share the same renderer.
Prefer the Display form (diff.to_string() /
format!("{diff}")) for new code.
Trait Implementations
impl Clone for NftablesDiff
fn clone(&self) -> NftablesDiff
fn clone_from(&mut self, source: &Self)
impl Debug for NftablesDiff
impl Default for NftablesDiff
fn default() -> NftablesDiff
impl Display for NftablesDiff
Display mirrors NftablesDiff::summary so callers can
println!("{diff}") directly. Plan 183.