Lib.rs

Network programming | Operating systems
#json-api #firewall #ruleset #netfilter #json-parser #abstraction #create

bin+lib nftables

Safe abstraction for nftables JSON API. It can be used to create nftables rulesets in Rust and parse existing nftables rulesets from JSON.

Owned by Jasper, Jan Romann.

7 releases

0.4.0 Mar 16, 2024
0.3.0 Jan 22, 2024
0.2.4 Aug 12, 2023
0.2.3 Jul 10, 2023
0.2.0 Oct 4, 2022

#76 in Network programming

Download history 314/week @ 2024-01-03 302/week @ 2024-01-10 46/week @ 2024-01-17 714/week @ 2024-01-24 771/week @ 2024-01-31 463/week @ 2024-02-07 574/week @ 2024-02-14 395/week @ 2024-02-21 805/week @ 2024-02-28 287/week @ 2024-03-06 699/week @ 2024-03-13 628/week @ 2024-03-20 1338/week @ 2024-03-27 591/week @ 2024-04-03 992/week @ 2024-04-10 222/week @ 2024-04-17

3,231 downloads per month
Used in netavark

MIT/Apache

59KB
1K SLoC

Logo
nftables-rs

Automate modern Linux firewalls with nftables through its declarative and imperative JSON API in Rust.

Crates.io Total Downloads rs Actions Workflow Status License


Features 🌟

  • 🛡️ Safe and Easy-to-Use Abstraction: Provides a high-level, safe abstraction over the nftables JSON API, making it easier and safer to work with nftables in Rust.

  • 🛠️ Comprehensive Functions: Includes a wide range of functions to create, read, and apply nftables rulesets directly from Rust, streamlining the management of firewall rules.

  • 📄 JSON Parsing and Generation: Offers detailed parsing and generation capabilities for nftables rulesets in JSON format, enabling seamless integration and manipulation of rulesets.

  • 💡 Inspired by nftnl-rs: While taking inspiration from nftnl-rs, nftables-rs focuses on utilizing the JSON API for broader accessibility and catering to diverse use cases.

Motivation

nftables-rs is a Rust library designed to provide a safe and easy-to-use abstraction over the nftables JSON API, known as libnftables-json.

This library is engineered for developers who need to interact with nftables, the Linux kernel's next-generation firewalling tool, directly from Rust applications. By abstracting the underlying JSON API, nftables-rs facilitates the creation, manipulation, and application of firewall rulesets without requiring deep knowledge of nftables' internal workings.

Installation

[dependencies]
nftables = "0.3.0"

Linux nftables v0.9.3 or newer is required at runtime: nft --version

Example

Here are some examples that show use cases of this library. Check out the tests/ directory for more usage examples.

Apply ruleset to nftables

This example applies a ruleset that creates and deletes a table to nftables.

use nft::{batch::Batch, helper, schema, types};

/// Applies a ruleset to nftables.
fn test_apply_ruleset() {
    let ruleset = example_ruleset();
    nft::helper::apply_ruleset(&ruleset, None, None).unwrap();
}

fn example_ruleset() -> schema::Nftables {
    let mut batch = Batch::new();
    batch.add(schema::NfListObject::Table(schema::Table::new(
        types::NfFamily::IP,
        "test-table-01".to_string(),
    )));
    batch.delete(schema::NfListObject::Table(schema::Table::new(
        types::NfFamily::IP,
        "test-table-01".to_string(),
    )));
    batch.to_nftables()
}

Parse/Generate nftables ruleset in JSON format

This example compares nftables' native JSON out to the JSON payload generated by this library.

fn test_chain_table_rule_inet() {
    // nft add table inet some_inet_table
    // nft add chain inet some_inet_table some_inet_chain '{ type filter hook forward priority 0; policy accept; }'
    let expected: Nftables = Nftables {
        objects: vec![
            NfObject::CmdObject(NfCmd::Add(NfListObject::Table(Table {
                family: NfFamily::INet,
                name: "some_inet_table".to_string(),
                handle: None,
            }))),
            NfObject::CmdObject(NfCmd::Add(NfListObject::Chain(Chain {
                family: NfFamily::INet,
                table: "some_inet_table".to_string(),
                name: "some_inet_chain".to_string(),
                newname: None,
                handle: None,
                _type: Some(NfChainType::Filter),
                hook: Some(NfHook::Forward),
                prio: None,
                dev: None,
                policy: Some(NfChainPolicy::Accept),
            }))),
        ],
    };
    let json = json!({"nftables":[{"add":{"table":{"family":"inet","name":"some_inet_table"}}},{"add":{"chain":{"family":"inet","table":"some_inet_table","name":"some_inet_chain","type":"filter","hook":"forward","policy":"accept"}}}]});
    println!("{}", &json);
    let parsed: Nftables = serde_json::from_value(json).unwrap();
    assert_eq!(expected, parsed);
}

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Maintainers

This project is currently maintained by the following developers:

Name Email Address GitHub Username
Jasper Wiegratz wiegratz@uni-bremen.de @jwhb

Dependencies

~0.8–1.6MB
~36K SLoC