diff --git a/contract/batch.go b/contract/batch.go
new file mode 100644
index 0000000..5a52d4e
--- /dev/null
+++ b/contract/batch.go
@@ -0,0 +1,31 @@
+package contract
+
+import (
+ "git.kor-elf.net/kor-elf-shield/go-nftables-client/contract/batch"
+ )
+
+// BatchBuilder is an API for building a batch of commands.
+type BatchBuilder interface {
+ // Clear clears all rules.
+ //
+ // This command is equivalent to:
+ // nft flush ruleset
+ Clear() error
+
+ // Table returns an API for working with tables.
+ Table() batch.Table
+
+ // Chain returns an API for working with chains.
+ Chain() batch.Chain
+
+ // Rule returns an API for working with rules.
+ Rule() batch.Rule
+
+ // Build returns a batch of commands.
+ Build() Batch
+}
+
+type Batch interface {
+ // Args returns the arguments of the batch.
+ Args() []string
+}
diff --git a/contract/batch/chain.go b/contract/batch/chain.go
new file mode 100644
index 0000000..60af687
--- /dev/null
+++ b/contract/batch/chain.go
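Review bot: `Batch` is an exported interface with no doc comment, unlike `BatchBuilder` directly above it; add `// Batch is a built batch of commands that can be passed to NFT.ExecuteBatch.` above `type Batch interface {`. The method docs on `BatchBuilder` (`// Clear clears all rules.`, `nft flush ruleset`) read as if the call executes immediately, but on a builder I would expect them to say that the command is appended to the batch and only takes effect when the batch is executed — worth confirming against the implementation, which is not in this diff. `Args() []string` is the only way the batch reaches nft, so its doc should also state that the returned slice is the argument vector for a single nft invocation and is meant to be passed as separate process arguments rather than joined into a shell command line.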
@@ -0,0 +1,46 @@
+package batch
+
+import (
+ chain2 "git.kor-elf.net/kor-elf-shield/go-nftables-client/chain"
+ "git.kor-elf.net/kor-elf-shield/go-nftables-client/family"
+ )
+
+// Chain for working with chains.
+type Chain interface {
+ // Add adds a new chain.
+ //
+ // This command is equivalent to:
+ // nft add chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name}
+ // nft add chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ type (filter|route|nat) hook (ingress|prerouting|forward|input|output|postrouting|egress) priority (priority_value = int32) ;}'
+ // nft add chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ type filter hook (forward|input|output) priority (priority_value = int32) ; policy (accept|drop) ;}'
+ // nft add chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ type (filter|route|nat) hook (ingress|egress) device {device} priority (priority_value = int32) ;}'
+ Add(family family.Type, tableName string, chainName string, baseChain chain2.ChainOptions) error
+
+ // Create creates a new chain.
+ // Similar to the Add, but returns an error if the chain already exists.
+ //
+ // This command is equivalent to:
+ // nft create chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name}
+ // nft create chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ type (filter|route|nat) hook (ingress|prerouting|forward|input|output|postrouting|egress) priority (priority_value = int32) ;}'
+ // nft create chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ type filter hook (forward|input|output) priority (priority_value = int32) ; policy (accept|drop) ;}'
+ // nft create chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ type (filter|route|nat) hook (ingress|egress) device {device} priority (priority_value = int32) ;}'
+ Create(family family.Type, tableName string, chainName string, baseChain chain2.ChainOptions) error
+
+ // Delete deletes a chain.
+ //
+ // This command is equivalent to:
+ // nft delete chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name}
+ Delete(family family.Type, tableName string, chainName string) error
+
+ // Clear clears all rules in a chain.
+ //
+ // This command is equivalent to:
+ // nft flush chain (ip|ip6|inet|arp|bridge) {table_name} {chain_name}
+ Clear(family family.Type, tableName string, chainName string) error
+
+ // Rename renames a chain.
+ //
+ // This command is equivalent to:
+ // nft rename chain (ip|ip6|inet|arp|bridge) {table_name} {old_chain_name} {new_chain_name}
+ Rename(family family.Type, tableName string, oldChainName string, newChainName string) error
+}
diff --git a/contract/batch/rule.go b/contract/batch/rule.go
new file mode 100644
index 0000000..9a9e577
--- /dev/null
+++ b/contract/batch/rule.go
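Review bot: `Add` and `Create` document four distinct nft forms, but nothing says how the implementation chooses between them; the doc should state what a zero-value `baseChain chain2.ChainOptions` produces (presumably the plain `nft add chain` form) and which `ChainOptions` fields select the hook, policy and device forms — `ChainOptions` is not part of this diff, so that needs confirming. The import alias `chain2` looks IDE-generated and carries no meaning; nothing else in this file needs the identifier `chain`, so the alias can be dropped or replaced with a descriptive one. Naming the first parameter `family` after the `family` package is harmless in an interface signature, but any implementation that copies these signatures will shadow the package inside the method body; `fam family.Type` avoids that.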
@@ -0,0 +1,31 @@
+package batch
+
+import "git.kor-elf.net/kor-elf-shield/go-nftables-client/family"
+
+// Rule is the interface for rule manipulation.
+type Rule interface {
+ // Add adds a new rule.
+ //
+ // This command is equivalent to:
+ // nft add rule (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ expr }'
+ Add(family family.Type, tableName string, chainName string, expr ...string) error
+
+ // Insert inserts a new rule.
+ // Inserted rules are placed at the beginning of the chain, by default.
+ //
+ // This command is equivalent to:
+ // nft insert rule (ip|ip6|inet|arp|bridge) {table_name} {chain_name} '{ expr }'
+ Insert(family family.Type, tableName string, chainName string, expr ...string) error
+
+ // Replace replaces a rule.
+ //
+ // This command is equivalent to:
+ // nft replace rule (ip|ip6|inet|arp|bridge) {table_name} {chain_name} {handle} '{ expr }'
+ Replace(family family.Type, tableName string, chainName string, handle uint64, expr ...string) error
+
+ // Delete deletes a rule.
+ //
+ // This command is equivalent to:
+ // nft delete rule (ip|ip6|inet|arp|bridge) {table_name} {chain_name} {handle}
+ Delete(family family.Type, tableName string, chainName string, handle uint64) error
+}
diff --git a/contract/batch/table.go b/contract/batch/table.go
new file mode 100644
index 0000000..dcbf5da
--- /dev/null
+++ b/contract/batch/table.go
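Review bot: `expr ...string` is the one place in these contracts where free-form text reaches nft, and the doc does not say how the tokens are handled; the `'{ expr }'` notation suggests they are joined into a single argument. If any element can originate outside the program (addresses, ports, set names), the implementation has to validate it or pass it as a separate argument, because nft parses its command line with the same grammar as its script files, where `;` separates commands, so one unvalidated element could carry more than the intended expression. Please document the contract on `Add`, `Insert` and `Replace`, e.g. `// expr is passed to nft verbatim; callers must validate any externally supplied values before passing them.` `Replace` and `Delete` also take a `handle uint64` with no note on where callers obtain it; a pointer to whatever API returns rule handles would help.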
@@ -0,0 +1,24 @@
+package batch
+
+import "git.kor-elf.net/kor-elf-shield/go-nftables-client/family"
+
+// Table for working with tables.
+type Table interface {
+ // AddTable adds a new table.
+ //
+ // This command is equivalent to:
+ // nft add table (ip|ip6|inet|arp|bridge) {table_name}
+ Add(family family.Type, tableName string) error
+
+ // DeleteTable deletes a table.
+ //
+ // This command is equivalent to:
+ // nft delete table (ip|ip6|inet|arp|bridge) {table_name}
+ Delete(family family.Type, tableName string) error
+
+ // ClearTable clears all rules in a table.
+ //
+ // This command is equivalent to:
+ // nft flush table (ip|ip6|inet|arp|bridge) {table_name}
+ Clear(family family.Type, tableName string) error
+}
diff --git a/contract/nft.go b/contract/nft.go
index 28303e6..8b07196 100644
--- a/contract/nft.go
+++ b/contract/nft.go
@@ -8,6 +8,9 @@ type NFT interface { // You can execute your raw request. Command() Command + // ExecuteBatch executes a batch of commands. + ExecuteBatch(batch Batch) error + // Clear clears all rules. // // This command is equivalent to:
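Review bot: The doc comments on `Table` do not start with the method names — `// AddTable adds a new table.` sits on `Add`, `// DeleteTable` on `Delete` and `// ClearTable` on `Clear` — so godoc and the usual linters will not associate them with the methods. Change them to `// Add adds a new table.`, `// Delete deletes a table.` and `// Clear clears all rules in a table.`. The type comment `// Table for working with tables.` is not a sentence either; `// Table is an API for working with tables.` matches the `BatchBuilder` doc style in contract/batch.go.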
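Review bot: `ExecuteBatch(batch Batch) error` says nothing about transaction semantics, which is the property callers of a batch care about most: whether all commands are applied in a single nft invocation so that a failure leaves the ruleset unchanged, or whether earlier commands stay applied when a later one fails. Please state that in the doc comment, and if the batch is applied atomically, say so explicitly. Naming the parameter `batch` will shadow the `batch` package in any implementation file that imports it (contract/batch.go in this same package already does); `b Batch` avoids that. The `NFT` interface begins and ends outside this hunk.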