

Initial draft of nftables support
This implementation lacks isolation support at present (that'll
be a follow-on PR) and has only very minimal testing at the moment
(including absolutely 0 testing for IPv6), but does handle all
core tasks including forwarding and all types of port forwarding.

Fixes containers#816

Signed-off-by: Matthew Heon <[email protected]>
mheon committed Jan 4, 2024
1 parent dbe870c commit 521b5b3
Showing 5 changed files with 879 additions and 3 deletions.
44 changes: 44 additions & 0 deletions Cargo.lock


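--- a/Cargo.toml
+++ b/Cargo.toml
@@ -49,6 +49,7 @@ sha2 = "0.10.8"
 netlink-packet-utils = "0.5.2"
 netlink-packet-route = "0.17.1"
 netlink-packet-core = "0.7.0"
+nftables = "0.2.4"
 fs2 = "0.4.3"
 netlink-sys = "0.8.5"
 tokio = { version = "1.34", features = ["rt", "rt-multi-thread", "signal", "fs"] }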
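Review bot: `nftables = "0.2.4"` is a new direct dependency rather than a bump, and the Cargo.lock section above reports 44 added lines, so it pulls a transitive set into a process that rewrites the host firewall, typically as root; that set is worth auditing in this review rather than in the follow-on. As far as I recall the crate's `helper` module does not speak netlink like the `netlink-*` crates beside it but executes the `nft` binary and feeds it JSON on stdin — if that is right, netavark gains a runtime dependency on whichever `nft` is found via PATH, which should be documented as a requirement and ideally checked up front (or resolved to an absolute path) so a missing or wrong binary fails with a clear error instead of mid-setup. Please confirm against the crate source before merging.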
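--- a/src/error/mod.rs
+++ b/src/error/mod.rs
@@ -81,6 +81,11 @@ pub enum NetavarkError {
 DHCPProxy(tonic::Status),
 
 List(NetavarkErrorList),
+
+Nftables(nftables::helper::NftablesError),
+
+SubnetParse(ipnet::AddrParseError),
+AddrParse(std::net::AddrParseError),
 }
 
 /// Internal struct for JSON output
@@ -160,6 +165,9 @@ impl fmt::Display for NetavarkError {
 Ok(())
 }
 }
+NetavarkError::Nftables(e) => write!(f, "nftables error: {e}"),
+NetavarkError::SubnetParse(e) => write!(f, "parsing IP subnet error: {e}"),
+NetavarkError::AddrParse(e) => write!(f, "parsing IP address error: {e}"),
 }
 }
 }
@@ -213,3 +221,21 @@ impl From<tonic::Status> for NetavarkError {
 NetavarkError::DHCPProxy(err)
 }
 }
+
+impl From<nftables::helper::NftablesError> for NetavarkError {
+fn from(err: nftables::helper::NftablesError) -> Self {
+NetavarkError::Nftables(err)
+}
+}
+
+impl From<ipnet::AddrParseError> for NetavarkError {
+fn from(err: ipnet::AddrParseError) -> Self {
+NetavarkError::SubnetParse(err)
+}
+}
+
+impl From<std::net::AddrParseError> for NetavarkError {
+fn from(err: std::net::AddrParseError) -> Self {
+NetavarkError::AddrParse(err)
+}
+}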
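Review bot: The three new variants in the first hunk are wired only into `Display` and `From`; if `NetavarkError` has an exit-code or `std::error::Error::source()` match elsewhere in this file with a catch-all arm (not visible in this diff), nftables, subnet and address failures will take the generic path and callers lose the underlying cause, so those matches should list the new variants explicitly. Separately, `ipnet::AddrParseError` and `std::net::AddrParseError` share a name and differ only by path, which makes the two variants easy to mix up when mapping errors later; a one-line doc on each would settle it, e.g. `/// Failed to parse a CIDR subnet (ipnet::AddrParseError).` above `SubnetParse` and `/// Failed to parse a bare IP address (std::net::AddrParseError).` above `AddrParse`. The enum definition begins before the hunk.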
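--- a/src/firewall/mod.rs
+++ b/src/firewall/mod.rs
@@ -9,6 +9,7 @@ use zbus::blocking::Connection;
 pub mod firewalld;
 pub mod fwnone;
 pub mod iptables;
+pub mod nft;
 pub mod state;
 mod varktables;
 
@@ -113,9 +114,7 @@ pub fn get_supported_firewall_driver(
 }
 FirewallImpl::Nftables => {
 info!("Using nftables firewall driver");
-Err(NetavarkError::msg(
-"nftables support presently not available",
-))
+nft::new()
 }
 FirewallImpl::Fwnone => {
 info!("Not using firewall");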
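Review bot: `nft::new()` now hands out a live driver although the commit description says isolation support is not implemented yet, and nothing on this selection arm tells the operator; if the driver accepts a network with `isolate` set and silently skips those rules (I cannot see `nft.rs` in this view), containers on a supposedly isolated network stay reachable from other networks with no log evidence. Until the follow-on lands, a `warn!("nftables firewall driver does not yet implement network isolation");` next to the `info!` on this arm, or an explicit error from the driver when isolation is requested, keeps the gap visible. `get_supported_firewall_driver` begins before the hunk.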
