#netfilter #firewall

bin+lib nftables

Safe abstraction for nftables JSON API. It can be used to create nftables rulesets in Rust and parse existing nftables rulesets from JSON.

5 releases

0.2.4 Aug 12, 2023
0.2.3 Jul 10, 2023
0.2.2 Mar 19, 2023
0.2.1 Dec 16, 2022
0.2.0 Oct 4, 2022

#97 in Operating systems


84 downloads per month



nftables-rs

Safe abstraction for the nftables JSON API (libnftables-json). It can be used to create nftables rulesets in Rust and to parse existing nftables rulesets from JSON. The library can also interact with the local nftables system through helper functions for reading and applying rulesets.

nftables-rs is inspired by nftnl-rs, which directly accesses the nf_tables kernel subsystem to work with nftables. The goal of this library is to provide access to the complete expressiveness of the nftables schema.

nftables = "0.2.0"


Here are some examples that show use cases of this library. Check out the tests/ directory for more usage examples.

Apply ruleset to nftables

This example applies a ruleset that creates and deletes a table to nftables.

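use nft::{batch::Batch, helper, schema, types};

/// Applies a ruleset to nftables.
fn test_apply_ruleset() {
    let ruleset = example_ruleset();
    nft::helper::apply_ruleset(&ruleset, None, None).unwrap();
}

fn example_ruleset() -> schema::Nftables {
    // The listing is cut off after Batch::new(); the table name below is a placeholder.
    let table = || schema::Table { family: types::NfFamily::IP, name: "example-table".to_string(), handle: None };
    let mut batch = Batch::new();
    batch.add(schema::NfListObject::Table(table()));
    batch.delete(schema::NfListObject::Table(table()));
    batch.to_nftables()
}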

Parse/Generate nftables ruleset in JSON format

This example compares nftables' native JSON output to the JSON payload generated by this library.

// Module paths follow the `use nft::{..., schema, types}` import in the previous example.
use nft::schema::{Chain, NfCmd, NfListObject, NfObject, Nftables, Table};
use nft::types::{NfChainPolicy, NfChainType, NfFamily, NfHook};
use serde_json::json;

fn test_chain_table_rule_inet() {
    // Equivalent nft commands:
    // nft add table inet some_inet_table
    // nft add chain inet some_inet_table some_inet_chain '{ type filter hook forward priority 0; policy accept; }'
    let expected: Nftables = Nftables {
        objects: vec![
            NfObject::CmdObject(NfCmd::Add(NfListObject::Table(Table {
                family: NfFamily::INet,
                name: "some_inet_table".to_string(),
                handle: None,
            }))),
            NfObject::CmdObject(NfCmd::Add(NfListObject::Chain(Chain {
                family: NfFamily::INet,
                table: "some_inet_table".to_string(),
                name: "some_inet_chain".to_string(),
                newname: None,
                handle: None,
                _type: Some(NfChainType::Filter),
                hook: Some(NfHook::Forward),
                prio: None,
                dev: None,
                policy: Some(NfChainPolicy::Accept),
            }))),
        ],
    };
    // JSON payload in the libnftables-json format for the same two commands.
    let json = json!({"nftables":[{"add":{"table":{"family":"inet","name":"some_inet_table"}}},{"add":{"chain":{"family":"inet","table":"some_inet_table","name":"some_inet_chain","type":"filter","hook":"forward","policy":"accept"}}}]});
    println!("{}", &json);
    // Deserializing the payload must yield the same typed structure.
    let parsed: Nftables = serde_json::from_value(json).unwrap();
    assert_eq!(expected, parsed);
}
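
As an added illustration (not code from nftables-rs), this std-only Rust sketch builds the same JSON payload by hand to show the mapping the example above relies on: fields left as None are omitted from the payload, and names are escaped as JSON strings rather than pasted into a command line. `MiniChain`, `json_str`, `add_table`, `add_chain` and `ruleset` are hypothetical names.

```rust
// Added illustration (std only): MiniChain and these helpers are hypothetical,
// not the nftables-rs API. They reproduce the JSON payload from the example above.

/// Quote and escape a value as a JSON string so a name cannot break out of its field.
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Miniature chain object; optional fields are omitted from the JSON when None.
struct MiniChain<'a> {
    family: &'a str, table: &'a str, name: &'a str,
    chain_type: Option<&'a str>, hook: Option<&'a str>, policy: Option<&'a str>,
}

/// Builds {"add":{"table":{...}}}.
fn add_table(family: &str, name: &str) -> String {
    format!("{{\"add\":{{\"table\":{{\"family\":{},\"name\":{}}}}}}}", json_str(family), json_str(name))
}

/// Builds {"add":{"chain":{...}}}, skipping fields that are None.
fn add_chain(c: &MiniChain) -> String {
    let fields = [("family", Some(c.family)), ("table", Some(c.table)), ("name", Some(c.name)),
        ("type", c.chain_type), ("hook", c.hook), ("policy", c.policy)];
    let body: Vec<String> = fields.iter()
        .filter_map(|&(k, v)| v.map(|v| format!("{}:{}", json_str(k), json_str(v))))
        .collect();
    format!("{{\"add\":{{\"chain\":{{{}}}}}}}", body.join(","))
}

/// Wraps commands in the top-level {"nftables":[...]} array.
fn ruleset(cmds: &[String]) -> String {
    format!("{{\"nftables\":[{}]}}", cmds.join(","))
}

fn main() {
    let chain = MiniChain { family: "inet", table: "some_inet_table", name: "some_inet_chain",
        chain_type: Some("filter"), hook: Some("forward"), policy: Some("accept") };
    println!("{}", ruleset(&[add_table("inet", "some_inet_table"), add_chain(&chain)]));
}
```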


Licensed under either of

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


This project is currently maintained by the following developers:

| Name | Email Address | GitHub Username |
| --- | --- | --- |
| Jasper Wiegratz | wiegratz@uni-bremen.de | @jwhb |


~37K SLoC