// Copyright (c) 2021-2022 GPL lafleur@boum.org and Simon Thoby
//
// This file is free software: you may copy, redistribute and/or modify it
// under the terms of the GNU General Public License as published by the
// Free Software Foundation, either version 3 of the License, or (at your
// option) any later version.
//
// This file is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see the LICENSE file.
//
// This file incorporates work covered by the following copyright and
// permission notice:
//
// Copyright 2018 Amagicom AB.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.
//! Safe abstraction for userspace access to the in-kernel nf_tables subsystem.
//! Can be used to create and remove tables, chains, sets and rules from the nftables
//! firewall, the successor to iptables.
//!
//! This library currently has quite rough edges and does not make adding and removing netfilter
//! entries super easy and elegant. That is partly because the library needs more work, but also
//! partly because nftables is very low level and extremely customizable, making it hard, and
//! probably wrong, to try to create an overly simple or limited wrapper. See the examples for inspiration.
//!
//! Understanding how to use the netlink subsystem and implementing this crate has mostly been done by
//! reading the source code for the [`nftables`] userspace program and its corresponding kernel code,
//! as well as attaching debuggers to the `nft` binary.
//! Since the implementation is mostly based on trial and error, there might of course be
//! a number of places where the forged netlink messages are used in an invalid or not intended way.
//! Contributions are welcome!
//!
//! [`nftables`]: https://netfilter.org/projects/nftables/
#[macro_use]
extern crate log;
use libc;
use rustables_macros::nfnetlink_enum;
use std::convert::TryFrom;
mod batch;
pub use batch::{default_batch_page_size, Batch};
mod data_type;
mod table;
pub use table::list_tables;
pub use table::Table;
mod chain;
pub use chain::list_chains_for_table;
pub use chain::{Chain, ChainPolicy, ChainPriority, ChainType, Hook, HookClass};
pub mod error;
//mod chain_methods;
//pub use chain_methods::ChainMethods;
pub mod query;
pub(crate) mod nlmsg;
pub(crate) mod parser;
pub(crate) mod parser_impls;
mod rule;
pub use rule::list_rules_for_chain;
pub use rule::Rule;
pub mod expr;
//mod rule_methods;
//pub use rule_methods::{iface_index, Error as MatchError, Protocol, RuleMethods};
pub mod set;
pub use set::Set;
pub mod sys;
#[cfg(test)]
mod tests;
/// What netfilter should do with the object carried by a message.
///
/// Every message sent to netfilter pairs an object ([`Table`], [`Chain`], [`Rule`], ...) with a
/// `MsgType` saying what to do with it. Sending a [`Table`] with [`MsgType::Add`] creates that
/// table in netfilter; sending it with [`MsgType::Del`] removes it.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum MsgType {
    /// Create the object in netfilter.
    Add,
    /// Delete the object from netfilter.
    Del,
}
/// The protocol family a table or set belongs to.
///
/// Each discriminant is the kernel's matching `NFPROTO_*` constant as re-exported by `libc`.
/// The `nfnetlink_enum(i32)` attribute ties the enum to an `i32` representation — presumably
/// the value used on the netlink wire; confirm against `rustables_macros` before relying on it.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[nfnetlink_enum(i32)]
pub enum ProtocolFamily {
    /// No particular family (`NFPROTO_UNSPEC`).
    Unspec = libc::NFPROTO_UNSPEC,
    /// Both IPv4 and IPv6 (`NFPROTO_INET`).
    Inet = libc::NFPROTO_INET,
    /// IPv4 only (`NFPROTO_IPV4`).
    Ipv4 = libc::NFPROTO_IPV4,
    /// ARP (`NFPROTO_ARP`).
    Arp = libc::NFPROTO_ARP,
    /// The netdev family (`NFPROTO_NETDEV`).
    NetDev = libc::NFPROTO_NETDEV,
    /// The bridge family (`NFPROTO_BRIDGE`).
    Bridge = libc::NFPROTO_BRIDGE,
    /// IPv6 only (`NFPROTO_IPV6`).
    Ipv6 = libc::NFPROTO_IPV6,
    /// DECnet (`NFPROTO_DECNET`).
    DecNet = libc::NFPROTO_DECNET,
}
impl Default for ProtocolFamily {
    /// The default family is [`ProtocolFamily::Unspec`], i.e. no specific protocol family is
    /// selected unless the caller picks one explicitly.
    fn default() -> Self {
        Self::Unspec
    }
}