feat: safe creation of a base chain #64

37 changes: 19 additions & 18 deletions nftnl/examples/add-rules.rs
Expand Up @@ -37,12 +37,12 @@
//! ```

use ipnetwork::{IpNetwork, Ipv4Network};
use nftnl::{nft_expr, nftnl_sys::libc, Batch, Chain, FinalizedBatch, ProtoFamily, Rule, Table};
use std::{ffi::CString, io, net::Ipv4Addr};
use nftnl::{nft_expr, nftnl_sys::libc, *};
use std::{ffi::{CStr, CString}, io, net::Ipv4Addr};

const TABLE_NAME: &str = "example-table";
const OUT_CHAIN_NAME: &str = "chain-for-outgoing-packets";
const IN_CHAIN_NAME: &str = "chain-for-incoming-packets";
const TABLE_NAME: &CStr = c"example-table";
const OUT_CHAIN_NAME: &CStr = c"chain-for-outgoing-packets";
const IN_CHAIN_NAME: &CStr = c"chain-for-incoming-packets";

fn main() -> Result<(), Box<dyn std::error::Error>> {
// Create a batch. This is used to store all the netlink messages we will later send.
Expand All @@ -51,24 +51,25 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let mut batch = Batch::new();

// Create a netfilter table operating on both IPv4 and IPv6 (ProtoFamily::Inet)
let table = Table::new(&CString::new(TABLE_NAME).unwrap(), ProtoFamily::Inet);
let table = Table::new(TABLE_NAME, ProtoFamily::Inet);
// Add the table to the batch with the `MsgType::Add` type, thus instructing netfilter to add
// this table under its `ProtoFamily::Inet` ruleset.
batch.add(&table, nftnl::MsgType::Add);

// Create input and output chains under the table we created above.
let mut out_chain = Chain::new(&CString::new(OUT_CHAIN_NAME).unwrap(), &table);
let mut in_chain = Chain::new(&CString::new(IN_CHAIN_NAME).unwrap(), &table);

// Hook the chains to the input and output event hooks, with highest priority (priority zero).
// See the `Chain::set_hook` documentation for details.
out_chain.set_hook(nftnl::Hook::Out, 0);
in_chain.set_hook(nftnl::Hook::In, 0);

// Set the default policies on the chains. If no rule matches a packet processed by the
// `out_chain` or the `in_chain` it will accept the packet.
out_chain.set_policy(nftnl::Policy::Accept);
in_chain.set_policy(nftnl::Policy::Accept);
let mut out_chain = Chain::new(OUT_CHAIN_NAME, &table);
let mut in_chain = Chain::new(IN_CHAIN_NAME, &table);

let setter = BaseChainSetter::new()
.chain_type(ChainType::Filter)
.hook(Hook::Out)
.priority(Priority::Integer(0))
.policy(Some(Policy::Accept));

setter.try_set(&mut out_chain).unwrap();

let setter = setter.hook(Hook::In);
setter.try_set(&mut in_chain).unwrap();

// Add the two chains to the batch with the `MsgType` to tell netfilter to create the chains
// under the table.
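Review bot: The explanatory comments that the hunk removes (which hook the chains attach to, what priority zero means, what the default policy does when no rule matches) are not carried over to the new `BaseChainSetter` block, yet this is the example that filter-ethernet.rs defers to for "verbose explanations"; a comment such as `// Turn both chains into base chains: filter type, attached to a hook at priority 0, accepting any packet no rule matches.` above the setter, plus a one-liner at the `.hook(Hook::In)` reuse, would restore that. Since `main` returns `Result<(), Box<dyn std::error::Error>>`, the two `try_set(...).unwrap()` calls could be `setter.try_set(&mut out_chain)?;` and `setter.try_set(&mut in_chain)?;`, provided the setter's error type implements `std::error::Error`, which is not visible here. The switch to `use nftnl::{nft_expr, nftnl_sys::libc, *};` hides which names (`BaseChainSetter`, `ChainType`, `Hook`, `Priority`, `Policy`) come from the crate, which matters in an example meant to be copied; the same glob import appears in filter-ethernet.rs. The enclosing `main` continues past the hunk.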
20 changes: 12 additions & 8 deletions nftnl/examples/filter-ethernet.rs
Expand Up @@ -22,24 +22,28 @@
//! # nft delete table inet example-filter-ethernet
//! ```

use nftnl::{nft_expr, nftnl_sys::libc, Batch, Chain, FinalizedBatch, ProtoFamily, Rule, Table};
use std::{ffi::CString, io};
use nftnl::{nft_expr, nftnl_sys::libc, *};
use std::{ffi::CStr, io};

const TABLE_NAME: &str = "example-filter-ethernet";
const OUT_CHAIN_NAME: &str = "chain-for-outgoing-packets";
const TABLE_NAME: &CStr = c"example-filter-ethernet";
const OUT_CHAIN_NAME: &CStr = c"chain-for-outgoing-packets";

const BLOCK_THIS_MAC: &[u8] = &[0, 0, 0, 0, 0, 0];

fn main() -> io::Result<()> {
// For verbose explanations of what all these lines up until the rule creation does, see the
// `add-rules` example.
let mut batch = Batch::new();
let table = Table::new(&CString::new(TABLE_NAME).unwrap(), ProtoFamily::Inet);
let table = Table::new(TABLE_NAME, ProtoFamily::Inet);
batch.add(&table, nftnl::MsgType::Add);

let mut out_chain = Chain::new(&CString::new(OUT_CHAIN_NAME).unwrap(), &table);
out_chain.set_hook(nftnl::Hook::Out, 3);
out_chain.set_policy(nftnl::Policy::Accept);
let mut out_chain = Chain::new(OUT_CHAIN_NAME, &table);
let setter = BaseChainSetter::new()
.chain_type(ChainType::Filter)
.hook(Hook::Out)
.priority(Priority::Integer(3))
.policy(Some(Policy::Accept));
setter.try_set(&mut out_chain).unwrap();
batch.add(&out_chain, nftnl::MsgType::Add);

// === ADD RULE DROPPING ALL TRAFFIC TO THE MAC ADDRESS IN `BLOCK_THIS_MAC` ===
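Review bot: With `main` returning `io::Result<()>`, the new `setter.try_set(&mut out_chain).unwrap();` is a panic path without context, and the old `set_hook`/`set_policy` calls it replaces had none; if the setter's error type converts into `Box<dyn std::error::Error + Send + Sync>`, the example stays panic-free with `setter.try_set(&mut out_chain).map_err(io::Error::other)?;` (`io::Error::other` is available given the file already relies on `c""` literals). Otherwise, at least `.expect("base chain settings rejected")` would name what failed. The enclosing `main` continues past the hunk.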