nftables
This repository contains a Go module to interact with Linux nftables (the iptables successor).
Top Related Projects
Quick Overview
The google/nftables repository is a Go library that provides a high-level interface for interacting with the Linux nftables firewall. It allows users to programmatically manage firewall rules, sets, and other nftables objects using Go code, abstracting away the complexities of the low-level nftables API.
Pros
- Simplifies nftables management with a user-friendly Go API
- Provides type-safe operations and rule creation
- Supports a wide range of nftables features and objects
- Maintained by Google, ensuring reliability and regular updates
Cons
- Limited to Linux systems, as nftables is a Linux-specific firewall
- Requires root privileges or appropriate capabilities to modify firewall rules
- May have a learning curve for users unfamiliar with nftables concepts
- Documentation could be more comprehensive for advanced use cases
Code Examples
- Creating a simple rule to allow incoming SSH traffic:
conn, _ := nftables.New()
table := &nftables.Table{Name: "filter", Family: nftables.TableFamilyINet}
chain := &nftables.Chain{Name: "input", Table: table}
conn.AddTable(table)
conn.AddChain(chain)
conn.AddRule(&nftables.Rule{
Table: table,
Chain: chain,
Exprs: []expr.Any{
&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
&expr.Cmp{
Op: expr.CmpOpEq,
Register: 1,
Data: []byte{unix.IPPROTO_TCP},
},
&expr.Payload{
DestRegister: 1,
Base: expr.PayloadBaseTransportHeader,
Offset: 0,
Len: 2,
},
&expr.Cmp{
Op: expr.CmpOpEq,
Register: 1,
Data: []byte{0, 22}, // SSH port (22) in big-endian
},
&expr.Verdict{Kind: expr.VerdictAccept},
},
})
conn.Flush()
- Creating a set and adding elements to it:
conn, _ := nftables.New()
table := &nftables.Table{Name: "filter", Family: nftables.TableFamilyINet}
conn.AddTable(table)
set := &nftables.Set{
Name: "allowed_ips",
Table: table,
KeyType: nftables.TypeIPAddr,
}
conn.AddSet(set, []nftables.SetElement{
{Key: net.ParseIP("192.168.1.1").To4()},
{Key: net.ParseIP("10.0.0.1").To4()},
})
conn.Flush()
- Deleting a chain:
conn, _ := nftables.New()
table := &nftables.Table{Name: "filter", Family: nftables.TableFamilyINet}
chain := &nftables.Chain{Name: "custom_chain", Table: table}
conn.DelChain(chain)
conn.Flush()
Getting Started
To use the google/nftables library in your Go project:
-
Install the library:
go get github.com/google/nftables -
Import the library in your Go code:
import "github.com/google/nftables" -
Create a new nftables connection:
conn, err := nftables.New() if err != nil { log.Fatalf("Failed to create nftables connection: %v", err) } -
Use the
connobject to interact with nftables, adding tables, chains, rules, etc. -
Remember to call
conn.Flush()to apply your changes to the firewall.
Competitor Comparisons
OPNsense GUI, API and systems backend
Pros of OPNsense
- More comprehensive firewall and network management solution
- Web-based GUI for easier configuration and management
- Broader feature set including VPN, intrusion detection, and traffic shaping
Cons of OPNsense
- Larger codebase and more complex system architecture
- Potentially higher resource requirements for full functionality
- Steeper learning curve for users new to advanced networking concepts
Code Comparison
nftables (C language):
struct nft_rule *rule;
rule = nft_rule_alloc();
nft_rule_attr_set_u32(rule, NFT_RULE_ATTR_FAMILY, NFPROTO_IPV4);
nft_rule_attr_set_str(rule, NFT_RULE_ATTR_TABLE, "filter");
nft_rule_attr_set_str(rule, NFT_RULE_ATTR_CHAIN, "input");
OPNsense (PHP language):
$rule = new OPNsense\Firewall\Rule();
$rule->setInterface("wan");
$rule->setProtocol("tcp");
$rule->setDestination("192.168.1.100");
$rule->setDestinationPort("80");
Main repository for pfSense
Pros of pfSense
- Comprehensive web-based GUI for easy configuration and management
- Extensive feature set including VPN, load balancing, and intrusion detection
- Large community support and extensive documentation
Cons of pfSense
- Higher resource requirements compared to nftables
- Less flexibility for custom, low-level firewall rules
- Steeper learning curve for advanced configurations
Code Comparison
pfSense (PHP):
$rule = array(
'interface' => 'wan',
'ipprotocol' => 'inet',
'protocol' => 'tcp',
'source' => 'any',
'destination' => 'any',
'descr' => 'Allow HTTP'
);
$config['filter']['rule'][] = $rule;
nftables (nft syntax):
add rule inet filter input tcp dport 80 accept
pfSense uses a more verbose, object-oriented approach for rule definition, while nftables employs a concise, command-line syntax. pfSense's code is part of a larger PHP-based system, whereas nftables uses its own domain-specific language for firewall configuration.
Both projects serve different use cases: pfSense is a complete firewall distribution with a user-friendly interface, while nftables is a low-level firewall framework offering more granular control for advanced users and system administrators.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
This is not the correct repository for issues with the Linux nftables project! This repository contains a third-party Go package to programmatically interact with nftables. Find the official nftables website at https://wiki.nftables.org/
This package manipulates Linux nftables (the iptables successor). It is implemented in pure Go, i.e. does not wrap libnftnl.
This is not an official Google product.
Breaking changes
This package is in very early stages, and only contains enough data types and functions to install very basic nftables rules. It is likely that mistakes with the data types/API will be identified as more functionality is added.
Contributions
Contributions are very welcome!
Top Related Projects
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot