/nufftables

A thin wrapper around Google's nftables to ease reasoning over the current state of tables, chains, rules, and expressions.

Primary LanguageGoApache License 2.0Apache-2.0

'nuff tables!

PkgGoDev GitHub build and test Go Report Card Coverage

The nufftables go module is a thin wrapper around Google's nftables to ease reasoning over the current state of tables, chains, rules, and expressions. If you just want to setup and remove netfilter chains and rules, then @google/nftables should already be sufficient most of the time.

CLI Tool Examples

  • cmd/nftdump is a simple CLI tool that fetches all netfilter tables (in the host network namespace) and then dumps the corresponding objects to stdout.

  • cmd/portfinder is another simple CLI tool that fetches the IPv4 and IPv6 netfilter tables and scans them for certain port forwarding expressions, dumping the forwarded port information found to stdout. Only port forwarding expressions using port range and target DNAT expressions (with an optional IP address compare) will be detected.

Example Usage

A simplified example, without proper error handling, that reasons about netfilter port match expressions:

import (
    "github.com/google/nftables"
    "github.com/google/nftables/expr"
    "github.com/thediveo/nufftables"
)

func main() {
    conn, _ := nftables.New(nftables.AsLasting())
    defer conn.CloseLasting()

    tables := nufftables.GetFamilyTables(conn, nufftables.TableFamilyIPv4)
    for _, chain := range tables.Table("nat", nufftables.TableFamilyIPv4) {
        for _, rule := range chain.Rules {
            if _, match := nufftables.OfType[*expr.Match](rule.Expressions()); match != nil {
                fmt.Printf("port match expression: %#v\n", match)
            }
        }
    }
}

Note

nufftables supports versions of Go that are noted by the Go release policy, that is, major versions N and N-1 (where N is the current major version).

VSCode Tasks

The included nufftables.code-workspace defines the following tasks:

  • View Go module documentation task: installs pkgsite, if not done already so, then starts pkgsite and opens VSCode's integrated ("simple") browser to show the nufftable's documentation.

Aux Tasks

  • pksite service: auxilliary task to run pkgsite as a background service using scripts/pkgsite.sh. The script leverages browser-sync and nodemon to hot reload the Go module documentation on changes; many thanks to @mdaverde's Build your Golang package docs locally for paving the way. scripts/pkgsite.sh adds automatic installation of pkgsite, as well as the browser-sync and nodemon npm packages for the local user.
  • view pkgsite: auxilliary task to open the VSCode-integrated "simple" browser and pass it the local URL to open in order to show the module documentation rendered by pkgsite. This requires a detour via a task input with ID "pkgsite".

Make Targets

  • make: lists all targets.
  • make coverage: runs all tests with coverage and then updates the coverage badge in README.md.
  • make pkgsite: installs x/pkgsite, as well as the browser-sync and nodemon npm packages first, if not already done so. Then runs the pkgsite and hot reloads it whenever the documentation changes.
  • make report: installs @gojp/goreportcard if not yet done so and then runs it on the code base.
  • make test: runs all tests, once as root and then as the invoking user.

Copyright and License

Copyright 2022-24 Harald Albrecht, licensed under the Apache License, Version 2.0.