Comments (7)
Hey! Here’s a few pointers:
- You can work in a network namespace to play around with nft without any consequences for your host system:

```
# ip netns add nattest
# ip netns exec nattest /bin/bash
```
- You can use nft’s --debug all flag to get a bunch more details about what’s going on. For this particular case:

```
# nft --debug all add rule nat postrouting ip saddr 192.168.69.2 masquerade
[…]
ip nat postrouting
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0245a8c0 ]
  [ masq ]
[…]
```

These are the expressions you’ll need to model with your Go code.
- Check out
Line 77 in 9ac63cb
nft
through strace, stuff the resulting byte slices into the test and then work on the Go portion until it matches. I’ve done this to verify that all the building blocks are in place, and will commit it for illustration purposes in a sec.
Hope that helps,
Thank you so much!
Would you be open to a PR where I implement an abstraction for building these rules? Something like:

```go
builder := nftables.ExprBuilder{Chain: chain}
if err := builder.FilterSourceAddr(srcIP); err != nil {
	// ... Errors such as ipv6 address /w ipv4 table family
}
builder.ActionCounter(&counter)
builder.ActionMasquerade()
conn.AddRule(&Rule{ ... Exprs: builder.Expr() ... })
```
Disclaimer: I haven’t thought much about how a good abstraction layer would look like.
To me, an important question that I can’t answer yet, is whether the ideal abstraction would implement nft(8)’s config/command line syntax (and how stable those are), or whether something else makes more sense.
Intuitively, I’d gravitate towards implementing nft’s syntax: that way, users could just copy their already-existing configuration files. What do you think?
For the sake of minimizing the learning curve, I agree we should keep the concepts as similar to nft & nft's representation as possible.
However, I do think the abstraction needs to be embodied in types; any approach which does string parsing is probably re-inventing the wheel, and losing the benefits of a type system.
Maybe:

```go
builder.Table(Table{
	Name: ...
	Family: ...
	Chain: &Chain{
		...
		Rules: []builder.Rules{
			builder.FilterSaddr(saddr),
			builder.Masquerade(),
		},
	},
}).Build()
```

Thoughts?
> However, I do think the abstraction needs to be embodied in types; any approach which does string parsing is probably re-inventing the wheel, and losing the benefits of a type system.
I’m not sure about that — neither for nor against, I just can’t tell. Given that, I think the best course of action is to develop your abstraction in a separate repository and see how well it works out in practice.
I'll give it a try and report back.
I tried a few things but complexity always crept in to the stage where the APIs were roughly equivalent.
The best thing we can do is probably a bunch of examples & maybe a paragraph on using nft --debug all to work out what to do.