Commit 586337f5ce by Jan Schär: Set rule handle during flush
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Rules can be deleted both
before and after they are flushed. Additionally, this allows positioning
a new rule next to an existing rule, both before and after the existing
rule is flushed.

There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.

There was an existing mechanism to allocate IDs for sets, but this was
using a global counter without any synchronization to prevent data
races. I replaced this with a new mechanism which uses a connection-scoped
counter.

I implemented a new mechanism for retrieving replies in Flush, and
handling these replies by adding a callback to netlink messages. There
was some existing code to handle "overrun", which I deleted, because it
was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact
not a flag, but a complete message type, so the (re&netlink.Overrun)
masking makes no sense. Even better, NLMSG_OVERRUN is never actually
used by Linux. What this code was actually doing was skipping over the
NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply.

I had to update all existing tests which compared generated netlink
messages against a reference, by inserting the newly added ID attribute.
We also need to generate replies for the NFT_MSG_NEWRULE messages with a
handle added.
Committed 2025-03-03 13:29:31 +01:00
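The ID-then-handle lifecycle the commit message describes, as a self-contained model added here for illustration; it is not code from google/nftables and does not reproduce that package's API. It shows a connection-scoped ID counter, an NFT_MSG_NEWRULE that carries NFTA_RULE_ID, a per-message callback that stores the kernel-assigned handle from the echoed reply during Flush, and DelRule choosing ID or handle depending on whether the rule has been flushed. The message type and attribute numbers are the kernel's (linux/netfilter/nf_tables.h); the decoded-attribute message type, the positional matching of replies to NEWRULE messages, and the in-process fakeKernel that assigns handles and applies each batch atomically are assumptions of the model.

```go
package main

import (
	"errors"
	"fmt"
	"sync/atomic"
)

// Message types and rule attributes, values from linux/netfilter/nf_tables.h.
const (
	NFT_MSG_NEWRULE, NFT_MSG_DELRULE uint16 = 6, 8
	NFTA_RULE_HANDLE, NFTA_RULE_ID   uint16 = 3, 9
)

// msg: a netlink message with its attributes already decoded (no TLV encoding in this model).
type msg struct {
	typ   uint16
	attrs map[uint16]uint64
}
// ID: userspace-chosen, valid only inside its transaction. Handle: kernel-assigned at commit, 0 until flushed.
type Rule struct {
	ID     uint32
	Handle uint64
}
// Conn is one connection with its own ID counter (nothing global to race on); onReply has one callback per queued NEWRULE.
type Conn struct {
	lastID  uint32
	batch   []msg
	onReply []func(msg)
	kernel  *fakeKernel
}

// AddRule assigns a transaction-local ID, queues NFT_MSG_NEWRULE carrying
// NFTA_RULE_ID, and registers a callback that copies the handle from the reply.
func (c *Conn) AddRule(r *Rule) {
	r.ID = atomic.AddUint32(&c.lastID, 1) // IDs start at 1; 0 means "unset"
	c.batch = append(c.batch, msg{NFT_MSG_NEWRULE, map[uint16]uint64{NFTA_RULE_ID: uint64(r.ID)}})
	c.onReply = append(c.onReply, func(reply msg) { r.Handle = reply.attrs[NFTA_RULE_HANDLE] })
}

// DelRule refers to a flushed rule by handle and to an unflushed one by ID.
func (c *Conn) DelRule(r *Rule) error {
	attr, val := NFTA_RULE_HANDLE, r.Handle
	if r.Handle == 0 {
		if r.ID == 0 {
			return errors.New("rule has neither a handle nor a transaction ID")
		}
		attr, val = NFTA_RULE_ID, uint64(r.ID)
	}
	c.batch = append(c.batch, msg{NFT_MSG_DELRULE, map[uint16]uint64{attr: val}})
	return nil
}

// Flush commits the batch and hands the NEWRULE replies, in order, to the
// callbacks (matching replies to messages by position is this model's assumption).
func (c *Conn) Flush() error {
	batch, cbs := c.batch, c.onReply
	c.batch, c.onReply = nil, nil
	replies, err := c.kernel.commit(batch)
	if err != nil {
		return err
	}
	for i, cb := range cbs {
		cb(replies[i]) // fakeKernel echoes exactly one reply per NEWRULE
	}
	return nil
}

// fakeKernel commits a batch atomically: IDs resolve only against rules created
// earlier in the same batch, and one bad message rejects the whole batch.
type fakeKernel struct {
	nextHandle uint64
	live       map[uint64]bool
}

func (k *fakeKernel) commit(batch []msg) ([]msg, error) {
	live, byID, next := map[uint64]bool{}, map[uint64]uint64{}, k.nextHandle
	for h := range k.live {
		live[h] = true // work on a copy so a rejected batch changes nothing
	}
	var replies []msg
	for _, m := range batch {
		switch m.typ {
		case NFT_MSG_NEWRULE:
			next++
			live[next], byID[m.attrs[NFTA_RULE_ID]] = true, next
			replies = append(replies, msg{NFT_MSG_NEWRULE, map[uint16]uint64{NFTA_RULE_HANDLE: next}})
		case NFT_MSG_DELRULE:
			h, ok := m.attrs[NFTA_RULE_HANDLE]
			if !ok {
				h, ok = byID[m.attrs[NFTA_RULE_ID]]
			}
			if !ok || !live[h] {
				return nil, errors.New("DELRULE: no such rule (ENOENT), batch rejected")
			}
			delete(live, h)
		}
	}
	k.live, k.nextHandle = live, next
	return replies, nil
}

func main() {
	c, r := &Conn{kernel: &fakeKernel{}}, &Rule{}
	c.AddRule(r)
	fmt.Println("flush:", c.Flush(), "handle:", r.Handle, "delete by handle:", c.DelRule(r), c.Flush())
}
```

The two things worth noticing when running it: a rule deleted in the same batch that creates it goes out by ID and never needs a handle, and a batch containing an invalid DELRULE leaves every Handle at 0 because the kernel side rejects the transaction as a whole, so nothing on the userspace side should be treated as committed until Flush returns nil.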
| Path | Last commit | Date |
| --- | --- | --- |
| .github/workflows | Add integration tests for nftables package | 2025-01-15 12:42:22 +01:00 |
| alignedbuff | alignedbuff: fix alignment test issue on 32-bit machines (#211) | 2022-12-12 08:51:36 +01:00 |
| binaryutil | add int32 and string types to alignedbuff (#195) | 2022-10-15 21:04:45 +02:00 |
| expr | fix unmarshalling of expr.Ct source register (#301) | 2025-02-21 09:34:44 +01:00 |
| integration | Add integration tests for nftables package | 2025-01-15 12:42:22 +01:00 |
| internal | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| userdata | add support for comments in set elements (#293) | 2025-01-15 09:36:42 +01:00 |
| xt | feat: add xt.Comment (#260) | 2024-04-22 08:53:34 +02:00 |
| CONTRIBUTING.md | Initial commit | 2018-05-24 22:09:26 -07:00 |
| LICENSE | Initial commit | 2018-05-24 22:09:26 -07:00 |
| README.md | README: switch to GitHub actions badge | 2021-05-14 17:48:51 +02:00 |
| chain.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| compat_policy.go | Fix: add NFTA_RULE_COMPAT attribute (#207) | 2022-12-08 09:05:15 +01:00 |
| compat_policy_test.go | Fix: add NFTA_RULE_COMPAT attribute (#207) | 2022-12-08 09:05:15 +01:00 |
| conn.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| counter.go | refactor nftable Object handling (NamedObj type) (#259) | 2024-07-29 08:43:58 +02:00 |
| doc.go | Restructure code base into smaller files (#15) | 2019-05-03 23:54:09 +02:00 |
| flowtable.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| gen.go | Use const instead of var where possible | 2025-02-26 15:11:55 +01:00 |
| go.mod | Add integration tests for nftables package | 2025-01-15 12:42:22 +01:00 |
| go.sum | Add integration tests for nftables package | 2025-01-15 12:42:22 +01:00 |
| monitor.go | Implement AddGenerationalMonitor to deliver monitor events in batches (#283) | 2024-11-09 12:07:36 +01:00 |
| monitor_test.go | Fix incorrect size check in NFGenMsg (#287) | 2024-12-13 07:30:25 +01:00 |
| nftables_test.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| obj.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| quota.go | Fix Fib parsing (#296) | 2025-01-16 09:15:33 +01:00 |
| rule.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| set.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| set_test.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| table.go | Set rule handle during flush | 2025-03-03 13:29:31 +01:00 |
| util.go | Fix incorrect size check in NFGenMsg (#287) | 2024-12-13 07:30:25 +01:00 |
| util_test.go | NAT: prefix test | 2024-01-12 21:30:04 +01:00 |

README.md


This is not the correct repository for issues with the Linux nftables project! This repository contains a third-party Go package to programmatically interact with nftables. Find the official nftables website at https://wiki.nftables.org/

This package manipulates Linux nftables (the iptables successor). It is implemented in pure Go, i.e. does not wrap libnftnl.

This is not an official Google product.

Breaking changes

This package is in very early stages, and only contains enough data types and functions to install very basic nftables rules. It is likely that mistakes with the data types/API will be identified as more functionality is added.

Contributions

Contributions are very welcome!