nft


README

go-nft (WIP)


Inspired by github.com/google/nftables, this is a higher-level package for interacting with nftables in pure Go.

This repository also includes a lower-level package, nftnl, for working with netfilter netlink messages directly, giving more control over the details of the communication with the kernel without abstracting them away.

Note: This library is under development. The API might change as I tinker with the design. 🚧

Installation

go get github.com/nickgarlis/go-nft

Example Usage

package main

import (
	"net/netip"

	"github.com/nickgarlis/go-nft"
)

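func main() {
	// NOTE(review): the type index on this page documents Batch.NewTable/
	// NewChain/NewRule (returning only error), Family and Hook constants such
	// as FamilyInet and HookInput, Rule.Action of type *Action, and
	// IPMatch.Prefix as *netip.Prefix. The AddTable/AddChain/AddRule,
	// TableFamilyINet, ChainHookInput and RuleAction names used below are not
	// in that index — confirm them against the version in use.

	// Open a connection in the current network namespace (Config.NetNS == 0).
	// Changing the ruleset is privileged; an error here is the expected
	// outcome for an unprivileged process, so stop rather than continue.
	conn, err := nft.Open(&nft.Config{})
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	// Every object below is only staged here; nothing reaches the kernel
	// before SendBatch at the end.
	batch := nft.NewBatch()

	tableId, err := batch.AddTable(&nft.Table{
		Family: nft.TableFamilyINet,
		Name:   "my-table",
	})
	if err != nil {
		panic(err)
	}

	// An input filter chain with an accept policy: whatever no rule drops is
	// let through. A deny-by-default chain would use nft.ChainPolicyDrop and
	// add explicit accept rules instead.
	chainId, err := batch.AddChain(&nft.Chain{
		TableID:  tableId,
		Name:     "my-chain",
		Type:     nft.ChainTypeFilter,
		Hook:     nft.ChainHookInput,
		Priority: 0,
		Policy:   nft.ChainPolicyAccept,
	})
	if err != nil {
		panic(err)
	}

	// Accept traffic from 10.0.0.0/24. Under the accept policy above this
	// rule changes nothing on its own; it only matters next to a drop policy
	// or later drop rules.
	_, err = batch.AddRule(&nft.Rule{
		TableID: tableId,
		ChainID: chainId,
		SrcIPv4: &nft.IPMatch{
			Prefix: netip.MustParsePrefix("10.0.0.0/24"),
		},
		Action: &nft.RuleAction{
			Verdict: nft.VerdictCodeAccept,
		}, // the trailing comma is mandatory when the closing brace is on its own line
	})
	if err != nil {
		panic(err)
	}

	// err already exists in this scope; `err :=` here did not compile
	// ("no new variables on left side of :=").
	err = conn.SendBatch(batch)
	if err != nil {
		panic(err)
	}
}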

License

This project is licensed under the Apache-2.0 License. See the LICENSE file for details.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Action

// Action is what a Rule does once it matches. In this version it carries
// only a verdict (see Verdict and VerdictCode).
type Action struct {
	// Verdict to emit for a matching packet. How a nil Verdict is encoded is
	// not shown on this page — NOTE(review): confirm before relying on it.
	Verdict *Verdict
}

type Batch

// Batch collects nftables changes (Add, NewTable, NewChain, NewRule, Del*,
// Flush*) to be handed to the kernel together by Conn.SendBatch. NewID
// returns batch-unique IDs; these appear to be what Chain.ID, Rule.ChainID
// and Verdict.ChainID use to refer to objects created earlier in the same
// batch — confirm against the implementation.
type Batch struct {
	// contains filtered or unexported fields
}

func NewBatch

func NewBatch() *Batch

func (*Batch) Add

func (b *Batch) Add(msg nftnl.Msg)

func (*Batch) AddSetElements

func (b *Batch) AddSetElements(setElemL *nftnl.SetElemListAttrs) error

func (*Batch) Clear

func (b *Batch) Clear()

func (*Batch) DelChain

func (b *Batch) DelChain(chain *Chain) error

func (*Batch) DelRule

func (b *Batch) DelRule(rule *Rule) error

func (*Batch) DelTable

func (b *Batch) DelTable(table *Table) error

func (*Batch) FlushRuleset

func (b *Batch) FlushRuleset()

func (*Batch) FlushTable

func (b *Batch) FlushTable(table *Table) error

func (*Batch) NewChain

func (b *Batch) NewChain(chain *Chain) error

func (*Batch) NewID

func (b *Batch) NewID() uint32

NewID generates a new unique ID for use in batch operations.

func (*Batch) NewRule

func (b *Batch) NewRule(rule *Rule) error

func (*Batch) NewTable

func (b *Batch) NewTable(table *Table) error

type Chain

// Chain identifies an nftables chain by family, table and name. Hook, chain
// type, priority and policy are not fields of this struct in this version.
type Chain struct {
	// Family is the address family as a raw uint8; the typed constants are
	// Family values, so pass e.g. uint8(FamilyInet).
	Family uint8
	// Table is the name of the table the chain belongs to.
	Table  string
	// Name is the chain name.
	Name   string
	// ID is a batch-local identifier (see Batch.NewID), presumably used by
	// Rule.ChainID and Verdict.ChainID to reference a chain created in the
	// same batch — confirm.
	ID     uint32
}

type ChainPolicy

// ChainPolicy is a base chain's default verdict, applied to packets that no
// rule in the chain terminates. These are library-local values of a distinct
// type; do not pass a VerdictCode here.
type ChainPolicy uint8
const (
	ChainPolicyAccept   ChainPolicy = 0x1
	// ChainPolicyDrop gives a deny-by-default chain; anything not explicitly
	// accepted by a rule is dropped.
	ChainPolicyDrop     ChainPolicy = 0x2
	// NOTE(review): the kernel only allows accept or drop as a base chain
	// policy; confirm how this value is mapped before using it.
	ChainPolicyContinue ChainPolicy = 0x3
)

type ChainType

// ChainType is the kind of base chain. The values are library-local; the
// mapping to the kernel's chain type (sent by name on the wire, as far as the
// reviewer knows — confirm) is not shown on this page.
type ChainType uint8
const (
	ChainTypeFilter ChainType = 0x1
	ChainTypeRoute  ChainType = 0x2
	ChainTypeNAT    ChainType = 0x3
)

type Config

// Config holds the options accepted by Open.
type Config struct {
	// NetNS is the network namespace to operate in. If 0, the current
	// network namespace is used.
	// NOTE(review): whether this is a namespace file descriptor (as in the
	// common netlink libraries) is not stated on this page — confirm.
	NetNS int
}

type Conn

// Conn is an open connection to nftables, created by Open. Get* methods read
// the live ruleset, SendBatch applies a Batch, and Close releases the
// connection; callers should defer Close right after a successful Open.
type Conn struct {
	// contains filtered or unexported fields
}

func Open

func Open(config *Config) (*Conn, error)

func (*Conn) Close

func (c *Conn) Close() error

func (*Conn) GetChain

func (c *Conn) GetChain(chain *Chain) (*Chain, error)

func (*Conn) GetChains

func (c *Conn) GetChains(table *Table) ([]*Chain, error)

func (*Conn) GetRule

func (c *Conn) GetRule(rule *Rule) (*Rule, error)

func (*Conn) GetRules

func (c *Conn) GetRules(chain *Chain) ([]*Rule, error)

func (*Conn) GetTable

func (c *Conn) GetTable(table *Table) (*Table, error)

func (*Conn) GetTables

func (c *Conn) GetTables(family uint8) ([]*Table, error)

func (*Conn) SendBatch

func (c *Conn) SendBatch(b *Batch) error

type Counter

// Counter holds a byte and packet count; it is attached to a rule through
// Rule.Counter.
type Counter struct {
	Bytes   uint64
	Packets uint64
}

type CtMatch

// CtMatch matches on conntrack data rather than on the packet headers
// themselves, mirroring the address and port matches of Rule and adding
// connection states.
type CtMatch struct {
	SrcIPv4 *IPMatch
	DstIPv4 *IPMatch
	SrcIPv6 *IPMatch
	DstIPv6 *IPMatch
	SrcPort *PortMatch
	DstPort *PortMatch
	// States to match. CtState is not listed in this version's type index —
	// NOTE(review): see the package source for its values.
	States  []CtState
}

type Family

// Family is the nftables address family. The values are the kernel's
// NFPROTO_* numbers. Table, Chain, Rule and Set declare Family as a plain
// uint8, so these constants need a uint8(...) conversion when assigned there.
type Family uint8
const (
	FamilyUnspec Family = unix.NFPROTO_UNSPEC
	FamilyIPv4   Family = unix.NFPROTO_IPV4
	FamilyIPv6   Family = unix.NFPROTO_IPV6
	// FamilyInet covers both IPv4 and IPv6 in one table.
	FamilyInet   Family = unix.NFPROTO_INET
	FamilyARP    Family = unix.NFPROTO_ARP
	FamilyNetdev Family = unix.NFPROTO_NETDEV
	FamilyBridge Family = unix.NFPROTO_BRIDGE
)

type Hook

// Hook is the netfilter hook a base chain attaches to; values are the
// kernel's NF_INET_* hook numbers.
type Hook uint8
const (
	HookPrerouting  Hook = unix.NF_INET_PRE_ROUTING
	HookInput       Hook = unix.NF_INET_LOCAL_IN
	HookForward     Hook = unix.NF_INET_FORWARD
	HookOutput      Hook = unix.NF_INET_LOCAL_OUT
	HookPostrouting Hook = unix.NF_INET_POST_ROUTING
	// HookNumhooks is the hook count, not a hook; it shares its value with
	// HookIngress below.
	HookNumhooks    Hook = unix.NF_INET_NUMHOOKS
	// HookIngress deliberately reuses NF_INET_NUMHOOKS; this matches how the
	// kernel numbers the inet ingress hook as far as the reviewer knows —
	// confirm against the kernel headers in use.
	HookIngress     Hook = unix.NF_INET_NUMHOOKS
)

type IPMatch

// IPMatch matches an IP address against a single address, a prefix, or a
// named set. Which field wins when several are set is not documented on this
// page — NOTE(review): set exactly one.
type IPMatch struct {
	Addr   *netip.Addr
	Prefix *netip.Prefix
	// Set is the set name; SetID is presumably the batch-local ID of a set
	// created in the same batch (see Batch.NewID) — confirm.
	Set    string
	SetID  uint32
}

type PortMatch

// PortMatch matches a transport port against a single port or a named set.
// As with IPMatch, set only one of the alternatives.
type PortMatch struct {
	Port  uint16
	// Set is the set name; SetID is presumably the batch-local ID of a set
	// created in the same batch — confirm.
	Set   string
	SetID uint32
}

type Quota

// Quota limits a rule by byte volume; attached through Rule.Quota. Whether
// the quota counts up to or down from Bytes is not shown on this page.
type Quota struct {
	Bytes uint64
}

type Rule

// Rule describes one nftables rule: where it lives (family, table, chain),
// the packet properties it matches, optional accounting, and the Action taken
// on a match. Leaving a match field nil means "no constraint" for that field.
type Rule struct {
	// Family is the address family as a raw uint8 (use uint8(FamilyInet) etc.).
	Family  uint8
	// ID is a batch-local identifier (see Batch.NewID).
	ID      uint32
	Table   string
	// Chain names the target chain; ChainID presumably references a chain
	// created earlier in the same batch instead — confirm.
	Chain   string
	ChainID uint32
	// Handle is most likely the kernel-assigned rule handle as returned by
	// GetRule/GetRules and needed by DelRule — NOTE(review): confirm.
	Handle  uint64
	// L3Proto and L4Proto are raw protocol numbers; their exact semantics
	// are not documented on this page.
	L3Proto uint8
	L4Proto uint8
	// IIface and OIface are input/output interface names.
	IIface  string
	OIface  string
	SrcIPv4 *IPMatch
	DstIPv4 *IPMatch
	SrcIPv6 *IPMatch
	DstIPv6 *IPMatch
	SrcPort *PortMatch
	DstPort *PortMatch
	// Ct matches conntrack state and addresses rather than packet headers.
	Ct      *CtMatch
	Counter *Counter
	Quota   *Quota
	// Action is taken when every set match above holds; with no Action the
	// rule only counts/limits.
	Action  *Action
}

type Set

// Set identifies an nftables set by family, name and batch-local ID. The
// table it belongs to is not a field in this version.
type Set struct {
	// Family is the address family as a raw uint8.
	Family uint8
	// Set is the set name.
	Set    string
	// SetID is a batch-local identifier (see Batch.NewID).
	SetID  uint32
}

type SetElem

// SetElem is one element of a set: a prefix, an address or a port, with an
// optional timeout. Set only the field matching the set's key type.
type SetElem struct {
	Prefix *netip.Prefix
	Addr   *netip.Addr
	Port   uint16

	// Timeout after which the element expires; 0 presumably means no expiry.
	// The unit is not stated on this page (nftables uses milliseconds on the
	// wire as far as the reviewer knows) — NOTE(review): confirm.
	Timeout uint64
}

type Table

// Table identifies an nftables table by address family and name.
type Table struct {
	// Family is the address family as a raw uint8 (use uint8(FamilyInet) etc.).
	Family uint8
	Name   string
}

type TableFlags

// TableFlags are the kernel's NFT_TABLE_F_* table flags. No field on Table
// carries them in this version's index, so how they are set is not shown on
// this page.
type TableFlags uint32
const (
	// TableFlagDormant disables the table's chains without deleting them.
	TableFlagDormant TableFlags = unix.NFT_TABLE_F_DORMANT
	// TableFlagOwner binds the table to the creating netlink socket; as far
	// as the reviewer knows the kernel then rejects changes from other
	// sockets and removes the table when the socket closes, unless
	// TableFlagPersist is also set — confirm against the kernel in use.
	TableFlagOwner   TableFlags = unixext.NFT_TABLE_F_OWNER
	TableFlagPersist TableFlags = unixext.NFT_TABLE_F_PERSIST
)

type Verdict

// Verdict is the outcome applied to a matching packet. Chain and ChainID are
// only meaningful for VerdictCodeJump and VerdictCodeGoto, which need a
// target chain; which of the two takes precedence is not shown on this page.
type Verdict struct {
	Code    VerdictCode
	// Chain is the target chain by name.
	Chain   string
	// ChainID presumably targets a chain created in the same batch (see
	// Batch.NewID) — confirm.
	ChainID uint32
}

type VerdictCode

// VerdictCode is an nftables verdict. The values are the kernel's own
// NFT_*/NF_* numbers, so they are not interchangeable with ChainPolicy.
type VerdictCode int32
const (
	VerdictCodeContinue VerdictCode = unix.NFT_CONTINUE
	VerdictCodeBreak    VerdictCode = unix.NFT_BREAK
	// VerdictCodeJump and VerdictCodeGoto require Verdict.Chain or
	// Verdict.ChainID to name the target chain.
	VerdictCodeJump     VerdictCode = unix.NFT_JUMP
	VerdictCodeGoto     VerdictCode = unix.NFT_GOTO
	VerdictCodeReturn   VerdictCode = unix.NFT_RETURN
	VerdictCodeDrop     VerdictCode = unixext.NF_DROP
	VerdictCodeAccept   VerdictCode = unixext.NF_ACCEPT
	VerdictCodeQueue    VerdictCode = unixext.NF_QUEUE
	VerdictCodeRepeat   VerdictCode = unixext.NF_REPEAT
)

Directories

Path Synopsis
Package nftnl provides a low-level API for interacting with nftables via netlink messages in pure Go.
Package nftnl provides a low-level API for interacting with nftables via netlink messages in pure Go.
Package unixext provides Linux-specific extensions to the unix package which are not available in the standard library but are relevant for nftables operations.
Package unixext provides Linux-specific extensions to the unix package which are not available in the standard library but are relevant for nftables operations.
