nftnl-rs

version: 0.4.0
created_at: 2024-03-18 00:01:57.86097
updated_at: 2024-03-31 21:28:24.038916
description: A Rust crate for Linux Netlink Nftables client for direct control on the netfilter via netlink socket.
repository: https://repo.4neko.org/4NEKO/nftnl-rs
id: 1176903
size: 203,217
author: Aleksandr Morozov (eesekaj)

README

nftnl-rs (an Nftables manipulation library)

This crate (currently in development) implements the netlink protocol used to communicate with the Linux Nftables firewall.

This crate is in an early stage of development. There are no plans to extend its functionality! Use at your own risk.

This crate was developed only for table/set manipulation, i.e. add/del/get!!!

At the moment this crate allows you to:

  • perform operations on sets, i.e. add an IP, remove an IP, or get an IP from the list.

For examples, see the /examples/ directory.

Get an IP from a table's set, i.e. the equivalent of running the following command:

$ sudo nft list set ip table-test table-set
The Rust version of that query with this crate:

use nftnl_rs::{
    netlink::{
        netlink::{NetlinkCb, NetlinkResponseReader, Nlmsghdr, MnlNlmsgBatch, NlmFFlags, NetlinkResponse, NetlinkRespRes, NetlinkCbArr, Nlmsgerr},
        MNL_SOCKET_BUFFER_SIZE, linux::Nfproto, socket::mnl_socket,
    },
    boxed::Boxed, error::NtflRes, set::{nftnl_set, NftnlSetFlags}, nf_tables::NfTablesMsgTypes,
};
// Also used below but not covered by the import line above: Sequence, NftnlSet, NftnlSetFlagData,
// MnlSocket, NETLINK_NETFILTER and MNL_SOCKET_AUTOPID (see the crate's /examples/ for their paths).
use std::net::Ipv4Addr;

/// Dump table-test/table-set over netlink and report whether `ip_check` is an element of it.
/// The argument type is assumed here (whatever `is_ip_present` accepts); the Result return type
/// follows the `?` / `Ok(true)` usage of the original example.
fn set_contains(ip_check: Ipv4Addr) -> NtflRes<bool>
{
    let seq = Sequence::new();

    // Describe the set whose elements we want to dump.
    let mut nl_set = NftnlSet::new();
    nl_set.nftnl_set_set_val(NftnlSetFlagData::SetTable("table-test"));
    nl_set.nftnl_set_set_val(NftnlSetFlagData::SetName("table-set"));
    nl_set.nftnl_set_set_val(NftnlSetFlagData::SetId(1));

    let mut batch = MnlNlmsgBatch::mnl_nlmsg_batch_start(*MNL_SOCKET_BUFFER_SIZE);

    // Root header: an NFT_MSG_GETSETELEM dump request for the ipv4 family.
    let _nlh = Nlmsghdr::nftnl_nlmsg_build_hdr(
        &mut batch,
        NfTablesMsgTypes::NftMsgGetsetelem,
        Nfproto::NFPROTO_IPV4,
        NlmFFlags::NLM_F_DUMP | NlmFFlags::NLM_F_REQUEST,
        seq,
    )?;
    // Payload: the table/set attributes that identify the set.
    nl_set.nftnl_set_elems_nlmsg_build_payload(&mut batch)?;
    drop(nl_set);

    // Open a NETLINK_NETFILTER socket, let the kernel assign our port id, and send the batch.
    let mut nl = MnlSocket::mnl_socket_open(NETLINK_NETFILTER)?;
    nl.mnl_socket_bind(0, MNL_SOCKET_AUTOPID)?;
    let portid = nl.mnl_socket_get_portid();

    let len = batch.mnl_nlmsg_batch_size();
    nl.mnl_socket_sendto(batch.mnl_nlmsg_batch_msg(), len)?;

    // Read the multi-part dump reply until the callback reports MnlCbStop (NLMSG_DONE). Only
    // messages addressed to our port id are accepted; each parsed set is pushed into `sets`.
    let mut sets: Vec<NftnlSet> = Vec::new();
    let mut ret = nl.mnl_socket_recvfrom(*MNL_SOCKET_BUFFER_SIZE)?;
    while !ret.is_empty()
    {
        let mut resp = NetlinkResponse::new(&ret);
        let lret = resp.mnl_parse_check(0, portid, &mut sets)?;
        if lret == NetlinkRespRes::MnlCbStop
        {
            break;
        }
        ret = nl.mnl_socket_recvfrom(*MNL_SOCKET_BUFFER_SIZE)?;
    }

    for set in sets
    {
        if set.is_ip_present(ip_check)?
        {
            return Ok(true);
        }
    }
    Ok(false)
}

fn main()
{
    // Talking to nftables over netlink needs CAP_NET_ADMIN, just like `nft` itself.
    let ip = Ipv4Addr::new(192, 0, 2, 1); // sample address from the documentation range
    match set_contains(ip)
    {
        Ok(found) => println!("{ip} present in table-test/table-set: {found}"),
        Err(_) => eprintln!("netlink query of table-test/table-set failed"),
    }
}
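What `nftnl_nlmsg_build_hdr` and `nftnl_set_elems_nlmsg_build_payload` assemble above, spelled out byte by byte as an added example (not code from nftnl-rs): it encodes the NFT_MSG_GETSETELEM dump request for table-test/table-set with plain `std`, using the constant values from the Linux uapi headers (netlink.h, nfnetlink.h, nf_tables.h), and shows the seq/port-id filter that `mnl_parse_check` applies to replies so that a stray message on the socket is not taken for our dump.

```rust
const NLM_F_REQUEST: u16 = 0x001;
const NLM_F_DUMP: u16 = 0x300; // NLM_F_ROOT | NLM_F_MATCH
const NFNL_SUBSYS_NFTABLES: u16 = 10;
const NFT_MSG_GETSETELEM: u16 = 13;
const NFPROTO_IPV4: u8 = 2;
const NFTA_SET_ELEM_LIST_TABLE: u16 = 1;
const NFTA_SET_ELEM_LIST_SET: u16 = 2;
/// Append one NLA_STRING attribute: nlattr header, NUL-terminated string, NLA_ALIGN padding.
fn nla_put_strz(buf: &mut Vec<u8>, attr_type: u16, s: &str) {
    let nla_len = (4 + s.len() + 1) as u16; // header + string + NUL; padding is not counted
    buf.extend_from_slice(&nla_len.to_ne_bytes());
    buf.extend_from_slice(&attr_type.to_ne_bytes());
    buf.extend_from_slice(s.as_bytes());
    buf.push(0);
    while buf.len() % 4 != 0 {
        buf.push(0);
    }
}
/// NFT_MSG_GETSETELEM dump request for <table>/<set>, ipv4 family: nlmsghdr + nfgenmsg +
/// NFTA_SET_ELEM_LIST_{TABLE,SET}. Netlink headers and attributes are host-endian.
pub fn build_getsetelem(table: &str, set: &str, seq: u32) -> Vec<u8> {
    let mut buf = vec![0u8; 4]; // nlmsg_len, patched in at the end
    let msg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_GETSETELEM;
    buf.extend_from_slice(&msg_type.to_ne_bytes());
    buf.extend_from_slice(&(NLM_F_REQUEST | NLM_F_DUMP).to_ne_bytes());
    buf.extend_from_slice(&seq.to_ne_bytes());
    buf.extend_from_slice(&0u32.to_ne_bytes()); // nlmsg_pid: 0, the kernel fills in the sender
    buf.extend_from_slice(&[NFPROTO_IPV4, 0]); // nfgenmsg: family, version NFNETLINK_V0
    buf.extend_from_slice(&0u16.to_be_bytes()); // nfgenmsg.res_id, network byte order
    nla_put_strz(&mut buf, NFTA_SET_ELEM_LIST_TABLE, table);
    nla_put_strz(&mut buf, NFTA_SET_ELEM_LIST_SET, set);
    let total = buf.len() as u32;
    buf[..4].copy_from_slice(&total.to_ne_bytes());
    buf
}

pub struct NlHdr { pub len: u32, pub msg_type: u16, pub flags: u16, pub seq: u32, pub pid: u32 }
/// Parse the 16-byte nlmsghdr of a reply; None if the buffer cannot hold one.
pub fn parse_hdr(b: &[u8]) -> Option<NlHdr> {
    if b.len() < 16 { return None; }
    let u16_at = |i: usize| u16::from_ne_bytes([b[i], b[i + 1]]);
    let u32_at = |i: usize| u32::from_ne_bytes([b[i], b[i + 1], b[i + 2], b[i + 3]]);
    Some(NlHdr { len: u32_at(0), msg_type: u16_at(4), flags: u16_at(6), seq: u32_at(8), pid: u32_at(12) })
}
/// The filter behind mnl_parse_check(seq, portid, ..): accept only replies to our own request
/// (libmnl's rule: a zero seq or portid disables that check) whose length fits the buffer.
pub fn reply_is_ours(b: &[u8], seq: u32, portid: u32) -> bool {
    matches!(parse_hdr(b), Some(h) if (seq == 0 || h.seq == seq)
        && (portid == 0 || h.pid == portid) && (h.len as usize) <= b.len())
}
```

The README example passes seq 0 to `mnl_parse_check`, so only the port-id half of this filter is active there.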
