This change makes it possible to delete rules after inserting them, without needing to query the rules first. Rules can be deleted both before and after they are flushed. Additionally, this allows positioning a new rule next to an existing rule, both before and after the existing rule is flushed. There are two ways to refer to a rule: Either by ID or by handle. The ID is assigned by userspace, and is only valid within a transaction, so it can only be used before the flush. The handle is assigned by the kernel when the transaction is committed, and can thus only be used after the flush. We thus need to set an ID on each newly created rule, and retrieve the handle of the rule during the flush. There was an existing mechanism to allocate IDs for sets, but this was using a global counter without any synchronization to prevent data races. I replaced this by a new mechanism which uses a connection-scoped counter. I implemented a new mechanism for retrieving replies in Flush, and handling these replies by adding a callback to netlink messages. There was some existing code to handle "overrun", which I deleted, because it was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact not a flag, but a complete message type, so the (re&netlink.Overrun) masking makes no sense. Even better, NLMSG_OVERRUN is never actually used by Linux. What this code was actually doing was skipping over the NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply. I had to update all existing tests which compared generated netlink messages against a reference, by inserting the newly added ID attribute. We also need to generate replies for the NFT_MSG_NEWRULE messages with a handle added. |
||
---|---|---|
.github/workflows | ||
alignedbuff | ||
binaryutil | ||
expr | ||
integration | ||
internal | ||
userdata | ||
xt | ||
CONTRIBUTING.md | ||
LICENSE | ||
README.md | ||
chain.go | ||
compat_policy.go | ||
compat_policy_test.go | ||
conn.go | ||
counter.go | ||
doc.go | ||
flowtable.go | ||
gen.go | ||
go.mod | ||
go.sum | ||
monitor.go | ||
monitor_test.go | ||
nftables_test.go | ||
obj.go | ||
quota.go | ||
rule.go | ||
set.go | ||
set_test.go | ||
table.go | ||
util.go | ||
util_test.go |
README.md
This is not the correct repository for issues with the Linux nftables project! This repository contains a third-party Go package to programmatically interact with nftables. Find the official nftables website at https://wiki.nftables.org/
This package manipulates Linux nftables (the iptables successor). It is implemented in pure Go, i.e. does not wrap libnftnl.
This is not an official Google product.
Breaking changes
This package is in very early stages, and only contains enough data types and functions to install very basic nftables rules. It is likely that mistakes with the data types/API will be identified as more functionality is added.
Contributions
Contributions are very welcome!