# README
This is not the correct repository for issues with the Linux nftables project! This repository contains a third-party Go package to programmatically interact with nftables. Find the official nftables website at https://wiki.nftables.org/
This package manipulates Linux nftables (the iptables successor). It is implemented in pure Go, i.e. does not wrap libnftnl.
This is not an official Google product.
## Breaking changes
This package is in very early stages, and only contains enough data types and functions to install very basic nftables rules. It is likely that mistakes with the data types/API will be identified as more functionality is added.
## Contributions
Contributions are very welcome!
# Packages
Package alignedbuff implements encoding and decoding aligned data elements to/from buffers in native endianness.
Package binaryutil contains convenience wrappers around encoding/binary.
Package expr provides nftables rule expressions.
Package userdata implements a TLV parser/serializer for libnftables-compatible comments.
Package xt implements dedicated types for (some) of the "Info" payload in Match and Target expressions that bridge between the nftables and xtables worlds.
# Functions
AsLasting creates the new netlink connection as a lasting connection that is reused across multiple netlink operations, instead of opening and closing the underlying netlink connection only for the duration of a single netlink operation.
ChainHookRef returns a pointer to a ChainHookRef value.
ChainPriorityRef returns a pointer to a ChainPriority value.
ConcatSetType constructs a new SetDatatype which consists of a concatenation of the passed types.
ConcatSetTypeElements uses the ConcatSetType name to calculate and return a list of base types which were used to construct the concatenated type.
MustConcatSetType does the same as ConcatSetType, but panics instead of returning an error.
NetFirstAndLastIP takes the beginning address of an entire network in CIDR notation (e.g.
New returns a netlink connection for querying and modifying nftables.
NewMonitor returns a Monitor with options to be started.
WithMonitorAction sets the monitor actions, such as new, del or any.
WithMonitorObject sets the monitor objects.
WithNetNSFd sets the network namespace to create a new netlink connection to: the fd must reference a network namespace.
WithSockOptions sets the specified socket options when creating a new netlink connection.
WithTestDial sets the specified nltest.Func when creating a new netlink connection.
# Constants
Possible ChainPolicy values.
Possible ChainType values.
Possible MonitorAction values.
Out-of-band event.
Possible MonitorObject values.
Not in ztypes_linux.go; added here from https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=1870-1892.
The constants below are added because they are not found in the Go unix package: https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n306.
Not in ztypes_linux.go; added here and used for flowtable device name specification: https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1709.
https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n330.
https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n429.
https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n428.
https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=be0bae0ad31b0adb506f96de083f52a2bd0d4fbf#n1612.
SetConcatTypeBits defines concatenation bits, originally defined in https://git.netfilter.org/iptables/tree/iptables/nft.c?id=26753888720d8e7eb422ae4311348347f5a05cb4#n1002.
Possible TableFamily values.
# Variables
Possible ChainHook values.
Possible ChainPriority values.
ErrTooManyTypes is the error returned by ConcatSetType if nftMagic would overflow.
Only ingress is supported https://github.com/torvalds/linux/blob/b72018ab8236c3ae427068adeb94bdd3f20454ec/net/netfilter/nf_tables_api.c#L7378-L7379.
As per man page: The priority can be a signed integer or filter which stands for 0.
NFT datatypes.
# Structs
A Chain contains Rules.
A Conn represents a netlink connection of the nftables family.
A Monitor is an event-based nftables monitor that will receive one event per new (or deleted) table, chain, rule, set, etc., depending on the monitor configuration.
A MonitorEvent represents a single change received via a [Monitor].
NamedObj represents nftables stateful object attributes. It corresponds to the netfilter nft_object_attributes as per https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=116e95aa7b6358c917de8c69f6f173874030b46b#n1626.
General form of an address-family-dependent message, see https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nfnetlink.h#29.
A Rule does something with a packet.
Set represents an nftables set.
SetDatatype represents a datatype declared by nft.
SetElement represents a data point within a set.
A Table contains Chains.
# Interfaces
Obj represents a netfilter stateful object.
# Type aliases
ChainHook specifies at which step in packet processing the Chain should be executed.
ChainPolicy defines what this chain default policy will be.
ChainPriority orders the chain relative to Netfilter internal operations.
ChainType defines what this chain will be used for.
ConnOption is an option to change the behavior of the nftables Conn returned by Open.
SockOption is an option to change the behavior of the netlink socket used by the nftables Conn.
TableFamily specifies the address family for this table.