Documentation ¶
Overview ¶
Package nft provides a Go API to nftables. Together with the schema package, it allows building, reading and applying nftables configuration on a supporting system.
The schema structures are based on libnftables-json (https://www.mankier.com/5/libnftables-json) and implement a subset of it.
To create a new configuration, use `NewConfig` followed by the methods that populate the configuration with tables, chains and rules, each tied to a specific action (add, delete, flush).
```go
config := nft.NewConfig()
table := nft.NewTable("mytable", nft.FamilyIP)
config.AddTable(table)
chain := nft.NewRegularChain(table, "mychain")
config.AddChain(chain)
// statements is a []schema.Statement built by the caller
rule := nft.NewRule(table, chain, statements, nil, nil, "mycomment")
config.AddRule(rule)
```
To apply a configuration on the system, use the `ApplyConfig` function.
```go
err := nft.ApplyConfig(config)
```
To read the configuration from the system, use the `ReadConfig` function.
```go
config, err := nft.ReadConfig()
```
For a full setup example, see the integration test: tests/config_test.go
The nft package depends on the `nft` binary and on nftables support in the kernel.
Index ¶
- func ApplyConfig(c *Config) error
- func NewChain(table *schema.Table, name string, ctype *ChainType, hook *ChainHook, prio *int, ...) *schema.Chain
- func NewConfig() *nftconfig.Config
- func NewRegularChain(table *schema.Table, name string) *schema.Chain
- func NewRule(table *schema.Table, chain *schema.Chain, expr []schema.Statement, handle *int, ...) *schema.Rule
- func NewTable(name string, family AddressFamily) *schema.Table
- type AddressFamily
- type ChainHook
- type ChainPolicy
- type ChainType
- type Config
- type RuleIndex
- type TableAction
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyConfig ¶
ApplyConfig applies the given nftables config on the system. The system is expected to have the `nft` executable deployed and nftables enabled in the kernel. Applying a ruleset also needs the privileges `nft` itself needs (typically root or CAP_NET_ADMIN), so expect an error when running unprivileged.
func NewChain ¶
func NewChain(table *schema.Table, name string, ctype *ChainType, hook *ChainHook, prio *int, policy *ChainPolicy) *schema.Chain
NewChain returns a new schema chain structure for a base chain. For base chains, all arguments except the policy are required. A missing argument is not rejected at construction time; it causes an error once the config is applied.
func NewRegularChain ¶
NewRegularChain returns a new schema chain structure for a regular chain.
Types ¶
type AddressFamily ¶
type AddressFamily string
```go
// Address Families
const (
	FamilyIP     AddressFamily = schema.FamilyIP
	FamilyIP6    AddressFamily = schema.FamilyIP6
	FamilyINET   AddressFamily = schema.FamilyINET
	FamilyARP    AddressFamily = schema.FamilyARP
	FamilyBridge AddressFamily = schema.FamilyBridge
	FamilyNETDEV AddressFamily = schema.FamilyNETDEV
)
```
type ChainHook ¶
type ChainHook string
```go
// Chain Hooks
const (
	HookPreRouting  ChainHook = schema.HookPreRouting
	HookInput       ChainHook = schema.HookInput
	HookOutput      ChainHook = schema.HookOutput
	HookForward     ChainHook = schema.HookForward
	HookPostRouting ChainHook = schema.HookPostRouting
	HookIngress     ChainHook = schema.HookIngress
)
```
type ChainPolicy ¶
type ChainPolicy string
```go
// Chain Policies
const (
	PolicyAccept ChainPolicy = schema.PolicyAccept
	PolicyDrop   ChainPolicy = schema.PolicyDrop
)
```
type Config ¶
func ReadConfig ¶
ReadConfig loads the nftables configuration from the system and returns it as an nftables config structure. The system is expected to have the `nft` executable deployed and nftables enabled in the kernel.
type RuleIndex ¶
type RuleIndex int
func NewRuleIndex ¶
func NewRuleIndex() *RuleIndex
NewRuleIndex returns a rule index object that acts as an iterator. When multiple rules are added to a chain, the index defines their order. The first rule added to a chain should have no index (it is assigned index 0); each following rule should have its index set, referencing the rule after which (add) or before which (insert) the new one goes.
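A worked example of the workflow from the Overview (table, chains, rules, apply, read back) and of the rule ordering described for RuleIndex, added here as illustration; it is not code from go-nft and uses only the Go standard library. It assembles by hand the libnftables-json document that the schema package models: an inet table, a base chain with type, hook, priority and policy, a regular chain, and three rules where every rule after the first carries an `index` pointing at the rule it follows. The type names, the `Apply` and `RuleHandles` helpers, the `nft -j -c -f -` / `nft -j -f -` command lines and the sample `nft -j list ruleset` listing are this example's own assumptions, not go-nft's API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os/exec"
)

// Minimal model of the libnftables-json document that `nft -j` reads and
// writes. These types are constructed for this example; go-nft's schema
// package defines its own, fuller versions.
type Table struct {
	Family string `json:"family"`
	Name   string `json:"name"`
}

type Chain struct {
	Family string  `json:"family"`
	Table  string  `json:"table"`
	Name   string  `json:"name"`
	Type   *string `json:"type,omitempty"` // type/hook/prio/policy: base chains only
	Hook   *string `json:"hook,omitempty"`
	Prio   *int    `json:"prio,omitempty"`
	Policy *string `json:"policy,omitempty"`
}

type Rule struct {
	Family  string           `json:"family"`
	Table   string           `json:"table"`
	Chain   string           `json:"chain"`
	Expr    []map[string]any `json:"expr"`
	Handle  *int             `json:"handle,omitempty"` // assigned by the kernel, seen on read
	Index   *int             `json:"index,omitempty"`  // position relative to existing rules on add/insert
	Comment string           `json:"comment,omitempty"`
}

// Command is one entry of the "nftables" array: {"add": {"table": {...}}} on
// input, or a bare {"table": {...}} / {"rule": {...}} in `nft -j list ruleset` output.
type Command map[string]map[string]any

type Config struct {
	Nftables []Command `json:"nftables"`
}

func (c *Config) add(kind string, obj any) {
	c.Nftables = append(c.Nftables, Command{"add": {kind: obj}})
}

func str(s string) *string { return &s }
func num(n int) *int       { return &n }

// BuildInputFilter assembles an inet table, a base chain (filter/input,
// priority 0, policy drop), a regular chain and three rules. Rules after the
// first carry "index" naming the rule they follow, the scheme RuleIndex describes.
func BuildInputFilter() *Config {
	cfg := &Config{}
	cfg.add("table", Table{Family: "inet", Name: "mytable"})
	cfg.add("chain", Chain{Family: "inet", Table: "mytable", Name: "input",
		Type: str("filter"), Hook: str("input"), Prio: num(0), Policy: str("drop")})
	cfg.add("chain", Chain{Family: "inet", Table: "mytable", Name: "sshd"})
	ctState := map[string]any{"ct": map[string]any{"key": "state"}}
	rules := []Rule{
		{Comment: "keep established", Expr: []map[string]any{
			{"match": map[string]any{"op": "in", "left": ctState, "right": []string{"established", "related"}}},
			{"accept": nil}}},
		{Comment: "hand ssh to its own chain", Expr: []map[string]any{
			{"match": map[string]any{"op": "==", "left": map[string]any{"payload": map[string]any{"protocol": "tcp", "field": "dport"}}, "right": 22}},
			{"jump": map[string]any{"target": "sshd"}}}},
		{Comment: "drop invalid", Expr: []map[string]any{
			{"match": map[string]any{"op": "in", "left": ctState, "right": "invalid"}},
			{"drop": nil}}},
	}
	for i, r := range rules {
		r.Family, r.Table, r.Chain = "inet", "mytable", "input"
		if i > 0 {
			r.Index = num(i - 1) // add after the previous rule; the first rule has no index
		}
		cfg.add("rule", r)
	}
	return cfg
}

// Apply feeds the config to nft on stdin. With check=true nft only parses and
// validates the batch (-c) without touching the kernel. Assumed command lines.
func Apply(cfg *Config, check bool) error {
	data, err := json.Marshal(cfg)
	if err != nil {
		return err
	}
	args := []string{"-j", "-f", "-"}
	if check {
		args = append([]string{"-c"}, args...)
	}
	cmd := exec.Command("nft", args...)
	cmd.Stdin = bytes.NewReader(data)
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("nft %v: %w: %s", args, err, out)
	}
	return nil
}

// RuleHandles parses `nft -j list ruleset` output and returns the kernel handles
// of one chain's rules in listing order, which is the order the kernel evaluates them.
func RuleHandles(ruleset []byte, family, table, chain string) ([]int, error) {
	var cfg Config
	if err := json.Unmarshal(ruleset, &cfg); err != nil {
		return nil, err
	}
	var handles []int
	for _, cmd := range cfg.Nftables {
		r, ok := cmd["rule"]
		if !ok || r["family"] != family || r["table"] != table || r["chain"] != chain {
			continue
		}
		h, _ := r["handle"].(float64) // JSON numbers decode as float64
		handles = append(handles, int(h))
	}
	return handles, nil
}

// Constructed sample of `nft -j list ruleset` output, not captured from a real host.
const sampleListing = `{"nftables": [
  {"metainfo": {"version": "1.0.0", "json_schema_version": 1}},
  {"table": {"family": "inet", "name": "mytable", "handle": 5}},
  {"chain": {"family": "inet", "table": "mytable", "name": "input", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
  {"chain": {"family": "inet", "table": "mytable", "name": "sshd", "handle": 2}},
  {"rule": {"family": "inet", "table": "mytable", "chain": "input", "handle": 3, "comment": "keep established", "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"accept": null}]}},
  {"rule": {"family": "inet", "table": "mytable", "chain": "input", "handle": 4, "comment": "hand ssh to its own chain", "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}}, {"jump": {"target": "sshd"}}]}},
  {"rule": {"family": "inet", "table": "mytable", "chain": "input", "handle": 6, "comment": "drop invalid", "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "invalid"}}, {"drop": null}]}}
]}`

func main() {
	cfg := BuildInputFilter()
	data, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(data))
	if err := Apply(cfg, true); err != nil { // dry run; needs nft installed and usually root
		fmt.Println("check failed:", err)
	}
	handles, _ := RuleHandles([]byte(sampleListing), "inet", "mytable", "input")
	fmt.Println("rule handles in chain order:", handles)
}
```

Run the check form first: `nft -c` parses and validates the whole batch before anything is applied, so a base chain missing its hook or priority is reported without leaving a half-applied ruleset behind. Reading the ruleset back and comparing rule handles in chain order is the cheapest way to confirm that the requested ordering is what the kernel actually holds.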
type TableAction ¶
type TableAction string
```go
// Table Actions
const (
	TableADD    TableAction = "add"
	TableDELETE TableAction = "delete"
	TableFLUSH  TableAction = "flush"
)
```
Directories ¶