nftbackend

package v1.3.0

Published: Jan 22, 2026 License: MPL-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package nftbackend provides the core interface to nftables operations.

Architecture

This package is the single point of truth for nftables write operations in NFTBan. It enforces the single-writer architecture where only the nftband daemon should perform nftables modifications.

Operations

The backend supports:

  • Ban: Add IP to blacklist set
  • Unban: Remove IP from blacklist set
  • Whitelist: Add/remove from whitelist set
  • Sync: Bulk update of sets (feeds, geoban)
  • Flush: Clear all entries from a set

Safety Features

  • Validates IPs before operations
  • Prevents blocking of system IPs
  • Uses atomic nft transactions
  • Logs all operations for audit

Thread Safety

The Backend type uses mutex locking to ensure thread-safe operations. Multiple goroutines can safely call Ban/Unban concurrently.

Usage

The backend is instantiated by the nftband daemon. The calls below match the documented signatures (Ban and Unban take a context and a request struct):

ctx := context.Background()
backend := nftbackend.New()
_, err := backend.Ban(ctx, nftbackend.BanRequest{IP: "192.168.1.100", Source: "manual", Timeout: 0}) // Timeout 0 = permanent
if err != nil { log.Fatal(err) }
_, err = backend.Unban(ctx, nftbackend.UnbanRequest{IP: "192.168.1.100"})
if err != nil { log.Fatal(err) }

CLI tools should use the IPC client instead of this package directly.
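As an added example (not code from the nftbackend package or the NFTBan project), the pre-checks that the Safety Features list and the Ban doc describe, written in plain Go over a local copy of the BanRequest fields: address validation, refusal of loopback, link-local, unspecified and multicast addresses, and selection of the address-family-appropriate table and set, producing the line a batched `nft -f` transaction would contain. The blacklist set names, the local struct copy and the output format are assumptions; the page only documents the table names and the whitelist_ipv4 set.

```go
package main

import (
	"fmt"
	"net/netip"
)

// BanRequest is a local copy of the nftbackend.BanRequest fields (assumption: the daemon's package is not imported here).
type BanRequest struct {
	IP      string
	Timeout int // seconds, 0 = permanent
	Reason  string
	Source  string
}

// Assumed blacklist set names, following the "whitelist_ipv4" naming the page documents.
const (
	setV4, tableV4 = "blacklist_ipv4", "ip nftban"
	setV6, tableV6 = "blacklist_ipv6", "ip6 nftban"
)

// ValidateBan runs the checks a Ban needs (parseable address, not a system address, sane timeout),
// picks the family-appropriate table and set, and returns the nft script line for one atomic `nft -f` batch.
func ValidateBan(req BanRequest) (table, set, line string, err error) {
	addr, perr := netip.ParseAddr(req.IP)
	if perr != nil {
		return "", "", "", fmt.Errorf("invalid IP %q: %w", req.IP, perr)
	}
	addr = addr.Unmap() // ::ffff:a.b.c.d is really IPv4; keep it out of the v6 set
	if addr.IsLoopback() || addr.IsUnspecified() || addr.IsLinkLocalUnicast() || addr.IsMulticast() {
		return "", "", "", fmt.Errorf("refusing to ban system address %s", addr)
	}
	if req.Timeout < 0 {
		return "", "", "", fmt.Errorf("invalid timeout %d", req.Timeout)
	}
	table, set = tableV4, setV4
	if addr.Is6() {
		table, set = tableV6, setV6
	}
	elem := addr.String()
	if req.Timeout > 0 { // 0 = permanent, so no timeout clause
		elem = fmt.Sprintf("%s timeout %ds", elem, req.Timeout)
	}
	return table, set, fmt.Sprintf("add element %s %s { %s }", table, set, elem), nil
}

func main() {
	_, _, line, err := ValidateBan(BanRequest{IP: "203.0.113.7", Timeout: 600, Source: "manual"})
	fmt.Println(line, err) // add element ip nftban blacklist_ipv4 { 203.0.113.7 timeout 600s } <nil>
}
```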

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AddElementRequest

type AddElementRequest struct {
	Table   string // e.g., "ip nftban", "ip6 nftban", "inet nftban"
	Set     string // e.g., "whitelist_ipv4", "tcp_ports"
	Element string // e.g., "1.2.3.4", "8080"
	Timeout int    // seconds, 0 = permanent
}

AddElementRequest for generic set element operations

type ApplyRulesetRequest

type ApplyRulesetRequest struct {
	FilePath string // path to .nft file
	Check    bool   // if true, validate only (nft -c)
}

ApplyRulesetRequest for applying complete rulesets

type Backend

type Backend struct {
	// contains filtered or unexported fields
}

Backend provides serialized access to nftables write operations. All operations are thread-safe and atomic where possible.

func New

func New() *Backend

New creates a new nftables backend

func (*Backend) AddElement

func (b *Backend) AddElement(ctx context.Context, req AddElementRequest) error

AddElement adds an element to any set. This is the ONLY authorized add element implementation.

func (*Backend) ApplyRuleset

func (b *Backend) ApplyRuleset(ctx context.Context, req ApplyRulesetRequest) error

ApplyRuleset applies a ruleset from a file. This is the ONLY authorized apply ruleset implementation.

func (*Backend) Ban

func (b *Backend) Ban(ctx context.Context, req BanRequest) (*BanResult, error)

Ban adds an IP to the appropriate blacklist set. This is the ONLY authorized ban implementation.

func (*Backend) CheckIP

func (b *Backend) CheckIP(ctx context.Context, ip string) (bool, string, error)

CheckIP checks if an IP is in a specific set (read operation)

func (*Backend) DeleteElement

func (b *Backend) DeleteElement(ctx context.Context, req DeleteElementRequest) error

DeleteElement removes an element from any set. This is the ONLY authorized delete element implementation.

func (*Backend) FlushSet

func (b *Backend) FlushSet(ctx context.Context, req FlushSetRequest) error

FlushSet flushes all elements from a set. This is the ONLY authorized flush set implementation.

func (*Backend) GetStats

func (b *Backend) GetStats() Stats

GetStats returns current statistics

func (*Backend) HealthCheck

func (b *Backend) HealthCheck(ctx context.Context) error

HealthCheck verifies nftables is operational

func (*Backend) Unban

func (b *Backend) Unban(ctx context.Context, req UnbanRequest) (*UnbanResult, error)

Unban removes an IP from the appropriate blacklist set. This is the ONLY authorized unban implementation.

type BanRequest

type BanRequest struct {
	IP      string
	Timeout int // seconds, 0 = permanent
	Reason  string
	Source  string
}

BanRequest contains parameters for banning an IP

type BanResult

type BanResult struct {
	Success bool
	IP      string
	Set     string
	Message string
}

BanResult contains the result of a ban operation

type DeleteElementRequest

type DeleteElementRequest struct {
	Table   string
	Set     string
	Element string
}

DeleteElementRequest for removing set elements

type FlushSetRequest

type FlushSetRequest struct {
	Table string
	Set   string
}

FlushSetRequest for flushing sets

type Stats

type Stats struct {
	Bans      int64
	Unbans    int64
	Syncs     int64
	Errors    int64
	LastError string
}

Stats tracks operation counts

type UnbanRequest

type UnbanRequest struct {
	IP string
}

UnbanRequest contains parameters for unbanning an IP

type UnbanResult

type UnbanResult struct {
	Success bool
	IP      string
	Set     string
	Message string
}

UnbanResult contains the result of an unban operation
