1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
// Copyryght (c) 2021-2022 GPL lafleur@boum.org and Simon Thoby
//
// This file is free software: you may copy, redistribute and/or modify it
// under the terms of the GNU General Public License as published by the
// Free Software Foundation, either version 3 of the License, or (at your
// option) any later version.
//
// This file is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see the LICENSE file.
//
// This file incorporates work covered by the following copyright and
// permission notice:
//
// Copyright 2018 Amagicom AB.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.
//! Safe abstraction for userspace access to the in-kernel nf_tables subsystem.
//! Can be used to create and remove tables, chains, sets and rules from the nftables
//! firewall, the successor to iptables.
//!
//! This library currently has quite rough edges and does not make adding and removing netfilter
//! entries super easy and elegant. That is partly because the library needs more work, but also
//! partly because nftables is super low level and extremely customizable, making it hard, and
//! probably wrong, to try and create a too simple/limited wrapper. See examples for inspiration.
//!
//! Understanding how to use the netlink subsystem and implementing this crate has mostly been done by
//! reading the source code for the [`nftables`] userspace program and its corresponding kernel code,
//! as well as attaching debuggers to the `nft` binary.
//! Since the implementation is mostly based on trial and error, there might of course be
//! a number of places where the forged netlink messages are used in an invalid or not intended way.
//! Contributions are welcome!
//!
//! [`nftables`]: https://netfilter.org/projects/nftables/
#[macro_use]
extern crate log;
use libc;
use rustables_macros::nfnetlink_enum;
use std::convert::TryFrom;
mod batch;
pub use batch::{default_batch_page_size, Batch};
pub mod data_type;
mod table;
pub use table::list_tables;
pub use table::Table;
mod chain;
pub use chain::list_chains_for_table;
pub use chain::{Chain, ChainPolicy, ChainPriority, ChainType, Hook, HookClass};
pub mod error;
pub mod query;
pub(crate) mod nlmsg;
pub(crate) mod parser;
pub(crate) mod parser_impls;
mod rule;
pub use rule::list_rules_for_chain;
pub use rule::Rule;
pub mod expr;
mod rule_methods;
pub use rule_methods::{iface_index, Protocol};
pub mod set;
pub use set::Set;
pub mod sys;
#[cfg(test)]
mod tests;
/// The type of the message as it's sent to netfilter. A message consists of an object, such as a
/// [`Table`], [`Chain`] or [`Rule`] for example, and a [`MsgType`] to describe what to do with
/// that object. If a [`Table`] object is sent with `MsgType::Add` then that table will be added
/// to netfilter, if sent with `MsgType::Del` it will be removed.
///
/// [`Table`]: struct.Table.html
/// [`Chain`]: struct.Chain.html
/// [`Rule`]: struct.Rule.html
/// [`MsgType`]: enum.MsgType.html
#[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub enum MsgType {
/// Add the object to netfilter.
Add,
/// Remove the object from netfilter.
Del,
}
/// Denotes a protocol. Used to specify which protocol a table or set belongs to.
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
#[nfnetlink_enum(i32)]
pub enum ProtocolFamily {
Unspec = libc::NFPROTO_UNSPEC,
/// Inet - Means both IPv4 and IPv6
Inet = libc::NFPROTO_INET,
Ipv4 = libc::NFPROTO_IPV4,
Arp = libc::NFPROTO_ARP,
NetDev = libc::NFPROTO_NETDEV,
Bridge = libc::NFPROTO_BRIDGE,
Ipv6 = libc::NFPROTO_IPV6,
DecNet = libc::NFPROTO_DECNET,
}
impl Default for ProtocolFamily {
fn default() -> Self {
ProtocolFamily::Unspec
}
}
|
