
package nftables

import ""

Package nftables manipulates Linux nftables (the iptables successor).


Package Files

chain.go conn.go counter.go doc.go obj.go rule.go set.go table.go util.go


const (
    SetConcatTypeBits = 6
    SetConcatTypeMask = (1 << SetConcatTypeBits) - 1
)

SetConcatTypeBits defines the concatenation bits, originally defined in


var (
    TypeInvalid     = SetDatatype{Name: "invalid", /* contains filtered or unexported fields */}
    TypeVerdict     = SetDatatype{Name: "verdict", Bytes: 0, /* contains filtered or unexported fields */}
    TypeInteger     = SetDatatype{Name: "integer", Bytes: 4, /* contains filtered or unexported fields */}
    TypeIPAddr      = SetDatatype{Name: "ipv4_addr", Bytes: 4, /* contains filtered or unexported fields */}
    TypeIP6Addr     = SetDatatype{Name: "ipv6_addr", Bytes: 16, /* contains filtered or unexported fields */}
    TypeEtherAddr   = SetDatatype{Name: "ether_addr", Bytes: 6, /* contains filtered or unexported fields */}
    TypeInetProto   = SetDatatype{Name: "inet_proto", Bytes: 1, /* contains filtered or unexported fields */}
    TypeInetService = SetDatatype{Name: "inet_service", Bytes: 2, /* contains filtered or unexported fields */}
    TypeMark        = SetDatatype{Name: "mark", Bytes: 4, /* contains filtered or unexported fields */}
)

NFT datatypes. See:

var ErrTooManyTypes = errors.New("too many types to concat")

ErrTooManyTypes is the error returned by ConcatSetType if nftMagic would overflow.

type Chain

type Chain struct {
    Name     string
    Table    *Table
    Hooknum  ChainHook
    Priority ChainPriority
    Type     ChainType
    Policy   *ChainPolicy
}

A Chain contains Rules. See also

type ChainHook

type ChainHook uint32

ChainHook specifies at which step in packet processing the Chain should be executed. See also

const (
    ChainHookPrerouting  ChainHook = unix.NF_INET_PRE_ROUTING
    ChainHookInput       ChainHook = unix.NF_INET_LOCAL_IN
    ChainHookForward     ChainHook = unix.NF_INET_FORWARD
    ChainHookOutput      ChainHook = unix.NF_INET_LOCAL_OUT
    ChainHookPostrouting ChainHook = unix.NF_INET_POST_ROUTING
    ChainHookIngress     ChainHook = unix.NF_NETDEV_INGRESS
)

Possible ChainHook values.

type ChainPolicy

type ChainPolicy uint32

ChainPolicy defines what this chain's default policy will be.

const (
    ChainPolicyDrop ChainPolicy = iota
)

Possible ChainPolicy values.

type ChainPriority

type ChainPriority int32

ChainPriority orders the chain relative to Netfilter internal operations. See also

const (
    ChainPriorityFirst            ChainPriority = math.MinInt32
    ChainPriorityConntrackDefrag  ChainPriority = -400
    ChainPriorityRaw              ChainPriority = -300
    ChainPrioritySELinuxFirst     ChainPriority = -225
    ChainPriorityConntrack        ChainPriority = -200
    ChainPriorityMangle           ChainPriority = -150
    ChainPriorityNATDest          ChainPriority = -100
    ChainPriorityFilter           ChainPriority = 0
    ChainPrioritySecurity         ChainPriority = 50
    ChainPriorityNATSource        ChainPriority = 100
    ChainPrioritySELinuxLast      ChainPriority = 225
    ChainPriorityConntrackHelper  ChainPriority = 300
    ChainPriorityConntrackConfirm ChainPriority = math.MaxInt32
    ChainPriorityLast             ChainPriority = math.MaxInt32
)

Possible ChainPriority values.

type ChainType

type ChainType string

ChainType defines what this chain will be used for. See also

const (
    ChainTypeFilter ChainType = "filter"
    ChainTypeRoute  ChainType = "route"
    ChainTypeNAT    ChainType = "nat"
)

Possible ChainType values.

type Conn

type Conn struct {
    TestDial nltest.Func // for testing only; passed to nltest.Dial
    NetNS    int         // Network namespace netlink will interact with.
    // contains filtered or unexported fields
}

A Conn represents a netlink connection of the nftables family.

All methods return their input, so that variables can be defined from string literals when desired.

Commands are buffered. Flush sends all buffered commands in a single batch.

func (*Conn) AddChain

func (cc *Conn) AddChain(c *Chain) *Chain

AddChain adds the specified Chain. See also

func (*Conn) AddObj

func (cc *Conn) AddObj(o Obj) Obj

AddObj adds the specified Obj. See also

func (*Conn) AddObject

func (cc *Conn) AddObject(o Obj) Obj

AddObject adds the specified Obj. Alias of AddObj.

func (*Conn) AddRule

func (cc *Conn) AddRule(r *Rule) *Rule

func (*Conn) AddSet

func (cc *Conn) AddSet(s *Set, vals []SetElement) error

AddSet adds the specified Set.

func (*Conn) AddTable

func (cc *Conn) AddTable(t *Table) *Table

AddTable adds the specified Table. See also

func (*Conn) DelChain

func (cc *Conn) DelChain(c *Chain)

DelChain deletes the specified Chain. See also

func (*Conn) DelRule

func (cc *Conn) DelRule(r *Rule) error

DelRule deletes the specified Rule; the rule's Handle must not be 0.

func (*Conn) DelSet

func (cc *Conn) DelSet(s *Set)

DelSet deletes a specific set, along with all elements it contains.

func (*Conn) DelTable

func (cc *Conn) DelTable(t *Table)

DelTable deletes a specific table, along with all chains/rules it contains.

func (*Conn) DeleteObject

func (cc *Conn) DeleteObject(o Obj)

DeleteObject deletes the specified Obj.

func (*Conn) Flush

func (cc *Conn) Flush() error

Flush sends all buffered commands in a single batch to nftables.

func (*Conn) FlushChain

func (cc *Conn) FlushChain(c *Chain)

FlushChain removes all rules within the specified Chain. See also

func (*Conn) FlushRuleset

func (cc *Conn) FlushRuleset()

FlushRuleset flushes the entire ruleset. See also

func (*Conn) FlushSet

func (cc *Conn) FlushSet(s *Set)

FlushSet deletes all data points from an nftables set.

func (*Conn) FlushTable

func (cc *Conn) FlushTable(t *Table)

FlushTable removes all rules in all chains within the specified Table. See also

func (*Conn) GetObj

func (cc *Conn) GetObj(o Obj) ([]Obj, error)

GetObj is a legacy method that returns all Obj that belong to the same table as the given one.

func (*Conn) GetObjReset

func (cc *Conn) GetObjReset(o Obj) ([]Obj, error)

GetObjReset is a legacy method that resets all Obj that belong to the same table as the given one.

func (*Conn) GetObject

func (cc *Conn) GetObject(o Obj) (Obj, error)

GetObject gets the specified Obj.

func (*Conn) GetObjects

func (cc *Conn) GetObjects(t *Table) ([]Obj, error)

GetObjects returns all Obj that belong to the given table.

func (*Conn) GetRule

func (cc *Conn) GetRule(t *Table, c *Chain) ([]*Rule, error)

GetRule returns the rules in the specified table and chain.

func (*Conn) GetSetByName

func (cc *Conn) GetSetByName(t *Table, name string) (*Set, error)

GetSetByName returns the set in the specified table if a matching name is found.

func (*Conn) GetSetElements

func (cc *Conn) GetSetElements(s *Set) ([]SetElement, error)

GetSetElements returns the elements in the specified set.

func (*Conn) GetSets

func (cc *Conn) GetSets(t *Table) ([]*Set, error)

GetSets returns the sets in the specified table.

func (*Conn) InsertRule

func (cc *Conn) InsertRule(r *Rule) *Rule

func (*Conn) ListChains

func (cc *Conn) ListChains() ([]*Chain, error)

ListChains returns the chains currently configured in the kernel.

func (*Conn) ListTables

func (cc *Conn) ListTables() ([]*Table, error)

ListTables returns the tables currently configured in the kernel.

func (*Conn) ReplaceRule

func (cc *Conn) ReplaceRule(r *Rule) *Rule

func (*Conn) ResetObject

func (cc *Conn) ResetObject(o Obj) (Obj, error)

ResetObject resets the given Obj.

func (*Conn) ResetObjects

func (cc *Conn) ResetObjects(t *Table) ([]Obj, error)

ResetObjects resets all Obj that belong to the given table.

func (*Conn) SetAddElements

func (cc *Conn) SetAddElements(s *Set, vals []SetElement) error

SetAddElements applies data points to an nftables set.

func (*Conn) SetDeleteElements

func (cc *Conn) SetDeleteElements(s *Set, vals []SetElement) error

SetDeleteElements deletes data points from an nftables set.

type CounterObj

type CounterObj struct {
    Table *Table
    Name  string // e.g. "fwded"

    Bytes   uint64
    Packets uint64
}

CounterObj implements Obj.

type Obj

type Obj interface {
    // contains filtered or unexported methods
}

Obj represents a netfilter stateful object. See also

type Rule

type Rule struct {
    Table    *Table
    Chain    *Chain
    Position uint64
    Handle   uint64
    Exprs    []expr.Any
    UserData []byte
}

A Rule does something with a packet. See also

type Set

type Set struct {
    Table      *Table
    ID         uint32
    Name       string
    Anonymous  bool
    Constant   bool
    Interval   bool
    IsMap      bool
    HasTimeout bool
    Timeout    time.Duration
    KeyType    SetDatatype
    DataType   SetDatatype
}

Set represents an nftables set. Anonymous sets are only valid within the context of a single batch.

type SetDatatype

type SetDatatype struct {
    Name  string
    Bytes uint32
    // contains filtered or unexported fields
}

SetDatatype represents a datatype declared by nft.

func ConcatSetType

func ConcatSetType(types ...SetDatatype) (SetDatatype, error)

ConcatSetType constructs a new SetDatatype which consists of a concatenation of the passed types. It returns ErrTooManyTypes if nftMagic would overflow (more than 5 types).

func MustConcatSetType

func MustConcatSetType(types ...SetDatatype) SetDatatype

MustConcatSetType does the same as ConcatSetType, but panics instead of returning an error. It simplifies safe initialization of global variables.

func (*SetDatatype) GetNFTMagic

func (s *SetDatatype) GetNFTMagic() uint32

GetNFTMagic returns the datatype's nftMagic value.

func (*SetDatatype) SetNFTMagic

func (s *SetDatatype) SetNFTMagic(nftMagic uint32)

SetNFTMagic sets the datatype's nftMagic value, so that a custom datatype can be built from the user's parameters.
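Why ConcatSetType stops at five types, worked through in an added stand-alone model (not the package's own code): each type contributes SetConcatTypeBits = 6 bits to the 32-bit nftMagic, so 32/6 = 5 fit and a sixth would overflow. The per-type codes are the unexported field the listing above filters out; the values used here are assumed for illustration, and each field is padded to nft's 4-byte register as concatenated keys are.

```go
package main

import (
	"errors"
	"strings"
)

// The page's constants: 6 bits per concatenated type in a 32-bit nftMagic.
const (
	concatTypeBits = 6
	concatTypeMask = (1 << concatTypeBits) - 1
	maxConcatTypes = 32 / concatTypeBits // 5; a sixth type would need 36 bits
	registerSize   = 4                   // nft aligns each concatenated field to a register
)

var errTooManyTypes = errors.New("too many types to concat")

// datatype stands in for nftables.SetDatatype; magic is the unexported per-type code.
type datatype struct {
	name  string
	bytes uint32
	magic uint32
}

// Illustrative magic codes (assumed; the page does not list them).
var (
	typeIPAddr      = datatype{name: "ipv4_addr", bytes: 4, magic: 7}
	typeInetProto   = datatype{name: "inet_proto", bytes: 1, magic: 12}
	typeInetService = datatype{name: "inet_service", bytes: 2, magic: 13}
)

// concatSetType models ConcatSetType: each type's 6-bit code is shifted into the
// magic word (the first type ends up most significant), every field is padded to
// the register size, and more than five types is rejected up front.
func concatSetType(types ...datatype) (datatype, error) {
	if len(types) > maxConcatTypes {
		return datatype{}, errTooManyTypes
	}
	var out datatype
	names := make([]string, 0, len(types))
	for _, t := range types {
		names = append(names, t.name)
		out.bytes += (t.bytes + registerSize - 1) / registerSize * registerSize
		out.magic = out.magic<<concatTypeBits | (t.magic & concatTypeMask)
	}
	out.name = strings.Join(names, " . ")
	return out, nil
}

// unpackMagic recovers the n per-type codes, in declaration order, from a packed magic word.
func unpackMagic(magic uint32, n int) []uint32 {
	codes := make([]uint32, n)
	for i := n - 1; i >= 0; i-- {
		codes[i] = magic & concatTypeMask
		magic >>= concatTypeBits
	}
	return codes
}
```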

type SetElement

type SetElement struct {
    Key         []byte
    Val         []byte
    IntervalEnd bool
    // To support vmap, a caller must be able to pass Verdict type of data.
    // If IsMap is true and VerdictData is not nil, then Val of SetElement will be ignored
    // and VerdictData will be wrapped into Attribute data.
    VerdictData *expr.Verdict
    // To support aging of set elements
    Timeout time.Duration
}

SetElement represents a data point within a set.

type Table

type Table struct {
    Name   string // NFTA_TABLE_NAME
    Use    uint32 // NFTA_TABLE_USE (Number of chains in table)
    Flags  uint32 // NFTA_TABLE_FLAGS
    Family TableFamily
}

A Table contains Chains. See also

type TableFamily

type TableFamily byte

TableFamily specifies the address family for this table.

const (
    TableFamilyINet   TableFamily = unix.NFPROTO_INET
    TableFamilyIPv4   TableFamily = unix.NFPROTO_IPV4
    TableFamilyIPv6   TableFamily = unix.NFPROTO_IPV6
    TableFamilyARP    TableFamily = unix.NFPROTO_ARP
    TableFamilyNetdev TableFamily = unix.NFPROTO_NETDEV
    TableFamilyBridge TableFamily = unix.NFPROTO_BRIDGE
)

Possible TableFamily values.


Directories

binaryutil: Package binaryutil contains convenience wrappers around encoding/binary.
expr: Package expr provides nftables rule expressions.

Package nftables imports 12 packages and is imported by 7 packages. Updated 2020-08-03.