Safe abstraction for userspace access to the in-kernel nf_tables subsystem. Can be used to create and remove tables, chains, sets and rules from the nftables firewall, the successor to iptables.
This library currently has quite rough edges and does not make adding and removing netfilter entries super easy and elegant. That is partly because the library needs more work, but also partly because nftables is super low level and extremely customizable, making it hard, and probably wrong, to try and create a too simple/limited wrapper. See examples for inspiration.
Understanding how to use the netlink subsystem and implementing this crate has mostly been done by reading the source code for the nftables userspace program and its corresponding kernel code, as well as attaching debuggers to the nft binary.

Since the implementation is mostly based on trial and error, there might of course be a number of places where the forged netlink messages are used in an invalid or unintended way. Contributions are welcome!
Re-exports§
pub use set::Set;
Modules§
- data_type
- error
- expr - A module with all the nftables expressions that can be added to Rules to build up how they match against packets.
- query
- set
- sys
Structs§
- Batch - A batch of netfilter messages to be performed in one atomic operation.
- Chain - Abstraction over an nftables chain. Chains reside inside Tables and they hold Rules.
- Hook
- Rule - An nftables firewall rule.
- Table - Abstraction of an nftnl_table, the top level container in netfilter. A table has a protocol family and contains Chains that in turn hold the rules.
Enums§
- ChainPolicy - A chain policy. Decides what to do with a packet that was processed by the chain but did not match any rules.
- ChainType - Base chain type.
- HookClass - The netfilter event hooks a chain can register for.
- MsgType - The type of the message as it is sent to netfilter. A message consists of an object, such as a Table, Chain or Rule, and a MsgType describing what to do with that object. If a Table object is sent with MsgType::Add, that table will be added to netfilter; if it is sent with MsgType::Del, it will be removed.
- Protocol - Simple protocol description. Note that it does not implement other layer 4 protocols such as IGMP et al. See Rule::igmp for a workaround.
- ProtocolFamily - Denotes a protocol family. Used to specify which protocol family a table or set belongs to.
Functions§
- default_batch_page_size - The selected batch page is 256 Kbytes long, so that a ruleset of half a million rules can be loaded without hitting -EMSGSIZE due to a large iovec.
- iface_index - Looks up the interface index for a given interface name.
- list_chains_for_table
- list_rules_for_chain
- list_tables