Crate rustables

Safe abstraction for userspace access to the in-kernel nf_tables subsystem. Can be used to create and remove tables, chains, sets and rules from the nftables firewall, the successor to iptables.

This library currently has quite rough edges and does not make adding and removing netfilter entries super easy and elegant. That is partly because the library needs more work, but also partly because nftables is super low level and extremely customizable, making it hard, and probably wrong, to try and create a too simple/limited wrapper. See examples for inspiration.

Understanding how to use the netlink subsystem and implementing this crate has mostly been done by reading the source code for the nftables userspace program and its corresponding kernel code, as well as attaching debuggers to the nft binary. Since the implementation is mostly based on trial and error, there might of course be a number of places where the forged netlink messages are used in an invalid or not intended way. Contributions are welcome!

Re-exports

• pub use set::Set;

Modules

• data_type
• error
• expr
  A module with all the nftables expressions that can be added to Rules to build up how they match against packets.
• query
• set
• sys

Structs

• Batch
  A batch of netfilter messages to be performed in one atomic operation.
• Chain
  Abstraction over an nftable chain. Chains reside inside Tables and they hold Rules.
• Hook
• Rule
  A nftables firewall rule.
• Table
  Abstraction of a nftnl_table, the top level container in netfilter. A table has a protocol family and contains Chains that in turn hold the rules.

Enums

• ChainPolicy
  A chain policy. Decides what to do with a packet that was processed by the chain but did not match any rules.
• ChainType
  Base chain type.
• HookClass
  The netfilter event hooks a chain can register for.
• MsgType
  The type of the message as it’s sent to netfilter. A message consists of an object, such as a Table, Chain or Rule for example, and a MsgType to describe what to do with that object. If a Table object is sent with MsgType::Add then that table will be added to netfilter, if sent with MsgType::Del it will be removed.
• Protocol
  Simple protocol description. Note that it does not implement other layer 4 protocols as IGMP et al. See Rule::igmp for a workaround.
• ProtocolFamily
  Denotes a protocol. Used to specify which protocol a table or set belongs to.

Functions

• default_batch_page_size
  Selected batch page is 256 Kbytes long to load ruleset of half a million rules without hitting -EMSGSIZE due to large iovec.
• iface_index
  Looks up the interface index for a given interface name.
• list_chains_for_table
• list_rules_for_chain
• list_tables

Type Aliases

• ChainPriority