#json-api #firewall #ruleset #netfilter #json-parser #linux #abstraction

bin+lib nftables

Safe abstraction for nftables JSON API. It can be used to create nftables rulesets in Rust and parse existing nftables rulesets from JSON.

9 unstable releases (3 breaking)

0.5.0 Oct 25, 2024
0.4.1 Jun 1, 2024
0.4.0 Mar 16, 2024
0.2.4 Aug 12, 2023
0.2.0 Oct 4, 2022

#49 in Network programming

Download history 4751/week @ 2024-08-19 3797/week @ 2024-08-26 4043/week @ 2024-09-02 3985/week @ 2024-09-09 3274/week @ 2024-09-16 4009/week @ 2024-09-23 4488/week @ 2024-09-30 4314/week @ 2024-10-07 4373/week @ 2024-10-14 4121/week @ 2024-10-21 4823/week @ 2024-10-28 4549/week @ 2024-11-04 4107/week @ 2024-11-11 4260/week @ 2024-11-18 4161/week @ 2024-11-25 3901/week @ 2024-12-02

16,602 downloads per month
Used in 7 crates (4 directly)

MIT/Apache

84KB
1.5K SLoC

Logo
nftables-rs

Automate modern Linux firewalls with nftables through its declarative and imperative JSON API in Rust.

Crates.io Total Downloads rs Actions Workflow Status License


Features 🌟

  • 🛡️ Safe and Easy-to-Use Abstraction: Provides a high-level, safe abstraction over the nftables JSON API, making it easier and safer to work with nftables in Rust.

  • 🛠️ Comprehensive Functions: Includes a wide range of functions to create, read, and apply nftables rulesets directly from Rust, streamlining the management of firewall rules.

  • 📄 JSON Parsing and Generation: Offers detailed parsing and generation capabilities for nftables rulesets in JSON format, enabling seamless integration and manipulation of rulesets.

  • 💡 Inspired by nftnl-rs: While taking inspiration from nftnl-rs, nftables-rs focuses on utilizing the JSON API for broader accessibility and catering to diverse use cases.

Motivation

nftables-rs is a Rust library designed to provide a safe and easy-to-use abstraction over the nftables JSON API, known as libnftables-json.

This library is engineered for developers who need to interact with nftables, the Linux kernel's next-generation firewalling tool, directly from Rust applications. By abstracting the underlying JSON API, nftables-rs facilitates the creation, manipulation, and application of firewall rulesets without requiring deep knowledge of nftables' internal workings.

Installation

[dependencies]
nftables = "0.5"

Linux nftables v0.9.3 or newer is required at runtime: nft --version

Example

Here are some examples that show use cases of this library. Check out the tests/ directory for more usage examples.

Apply ruleset to nftables

This example applies a ruleset that creates and deletes a table to nftables.

use nft::{batch::Batch, helper, schema, types};

/// Applies a ruleset to nftables.
fn test_apply_ruleset() {
    let ruleset = example_ruleset();
    nft::helper::apply_ruleset(&ruleset, None, None).unwrap();
}

fn example_ruleset() -> schema::Nftables {
    let mut batch = Batch::new();
    batch.add(schema::NfListObject::Table(schema::Table::new(
        types::NfFamily::IP,
        "test-table-01".to_string(),
    )));
    batch.delete(schema::NfListObject::Table(schema::Table::new(
        types::NfFamily::IP,
        "test-table-01".to_string(),
    )));
    batch.to_nftables()
}

Parse/Generate nftables ruleset in JSON format

This example compares nftables' native JSON out to the JSON payload generated by this library.

fn test_chain_table_rule_inet() {
    // nft add table inet some_inet_table
    // nft add chain inet some_inet_table some_inet_chain '{ type filter hook forward priority 0; policy accept; }'
    let expected: Nftables = Nftables {
        objects: vec![
            NfObject::CmdObject(NfCmd::Add(NfListObject::Table(Table {
                family: NfFamily::INet,
                name: "some_inet_table".to_string(),
                handle: None,
            }))),
            NfObject::CmdObject(NfCmd::Add(NfListObject::Chain(Chain {
                family: NfFamily::INet,
                table: "some_inet_table".to_string(),
                name: "some_inet_chain".to_string(),
                newname: None,
                handle: None,
                _type: Some(NfChainType::Filter),
                hook: Some(NfHook::Forward),
                prio: None,
                dev: None,
                policy: Some(NfChainPolicy::Accept),
            }))),
        ],
    };
    let json = json!({"nftables":[{"add":{"table":{"family":"inet","name":"some_inet_table"}}},{"add":{"chain":{"family":"inet","table":"some_inet_table","name":"some_inet_chain","type":"filter","hook":"forward","policy":"accept"}}}]});
    println!("{}", &json);
    let parsed: Nftables = serde_json::from_value(json).unwrap();
    assert_eq!(expected, parsed);
}

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Maintainers

This project is currently maintained by the following developers:

Name Email Address GitHub Username
Jasper Wiegratz wiegratz@uni-bremen.de @jwhb
Jan Romann jan.romann@uni-bremen.de @JKRhb

Write access to the main branch and to crates.io is exclusively granted to the maintainers listed above.

Dependencies

~0.8–1.8MB
~38K SLoC