NftChain¶
Description¶
The NftChain object represents an nftables chain. It consists of a set of rules that are processed depending on the type, hook, priority and policy properties.
This object was introduced in InCore 2.1.
| Inherits: | Object |
|---|---|
Properties¶
enabled¶
This property holds whether the chain is enabled, i.e. it should be included in the corresponding table.
| Type: | Boolean |
|---|---|
| Default: | true |
| Signal: | enabledChanged() |
| Attributes: | Writable |
hook¶
This property holds the stage of packet processing in the kernel at which the chain is evaluated. See the nftables documentation on chains for details.
| Type: | Hook |
|---|---|
| Default: | NftChain.Input |
| Signal: | hookChanged() |
| Attributes: | Writable |
name¶
This property holds the name of the firewall chain, e.g. `input`.
| Type: | String |
|---|---|
| Signal: | nameChanged() |
| Attributes: | Writable |
policy¶
This property holds the default verdict statement that controls the flow in the chain when no rule matches. See the Policy enumeration for details.
| Type: | Policy |
|---|---|
| Default: | NftChain.Accept |
| Signal: | policyChanged() |
| Attributes: | Writable |
priority¶
This property holds a number used to order the chains or to place them between specific Netfilter operations. See the nftables documentation on chains for details.
| Type: | Priority |
|---|---|
| Default: | NftChain.FilterPriority |
| Signal: | priorityChanged() |
| Attributes: | Writable |
rawRules¶
This property holds a list of nftables rules in the syntax used inside nftables chains, e.g. `[ "ip daddr 8.8.8.8 counter packets 0 bytes 0", "tcp dport ssh counter packets 0 bytes 0" ]`.
Consider using NftRule objects with the rules property instead.
| Type: | StringList |
|---|---|
| Signal: | rawRulesChanged() |
| Attributes: | Writable |
rules¶
This property holds a list of nftables rules described by NftRule objects.
| Type: | List<NftRule> |
|---|---|
| Signal: | rulesChanged() |
| Attributes: | Readonly |
type¶
This property holds the type of the nftables chain. See the nftables documentation on chains for details.
| Type: | Type |
|---|---|
| Default: | NftChain.Filter |
| Signal: | typeChanged() |
| Attributes: | Writable |
Signals¶
rulesDataChanged(SignedInteger index)¶
This signal is emitted whenever the List.dataChanged() signal is emitted, i.e. the item at `index` in the rules list itself emitted the dataChanged() signal.
Enumerations¶
Hook¶
This enumeration describes stages of the packet processing at which the chains are processed.
| Name | Value | Description |
|---|---|---|
| NftChain.Prerouting | 0 | Process chain before the routing decision, when it is not yet known whether packets are addressed to the local system or to remote systems. |
| NftChain.Input | 1 | Process chain after the routing decision for packets directed to the local system and/or processes running on it. |
| NftChain.Forward | 2 | Process chain after the routing decision for packets not directed to the local system and/or processes running on it. |
| NftChain.Output | 3 | Process chain for packets originating from processes on the local system. |
| NftChain.Postrouting | 4 | Process chain after the routing decision for packets leaving the local system. |
| NftChain.Ingress | 5 | Process chain to filter traffic even before prerouting, right after the packet is received by the NIC driver. This hook is available for the NftTable.NetDev family only. |
Policy¶
| Name | Value | Description |
|---|---|---|
| NftChain.Accept | 0 | |
| NftChain.Drop | 1 | |
| NftChain.Queue | 2 | |
| NftChain.Continue | 3 | |
| NftChain.Return | 4 | |
Priority¶
This enumeration describes priorities which can be used to order the chains or to put them before or after some Netfilter internal operations. For example, a chain on the prerouting hook with the priority -300 will be placed before connection tracking operations.
| Name | Value | Description |
|---|---|---|
| NftChain.FirstPriority | -2147483648 | Highest priority to process the chain before all other chains with lower priorities. |
| NftChain.ConnTrackDefragPriority | -400 | Priority of defragmentation. |
| NftChain.RawPriority | -300 | Traditional priority of the raw table placed before connection tracking operation. |
| NftChain.SeLinuxFirstPriority | -225 | Priority for SELinux operations. |
| NftChain.ConnTrackPriority | -200 | Priority for connection tracking operations. |
| NftChain.ManglePriority | -150 | Priority for mangle operations. |
| NftChain.DestinationNatPriority | -100 | Priority for chains implementing destination NAT. |
| NftChain.FilterPriority | 0 | Priority for chains implementing packet filtering operations. |
| NftChain.SecurityPriority | 50 | Priority for chains implementing source NAT. |
| NftChain.SourceNatPriority | 100 | Place of security table where secmark can be set for example. |
| NftChain.SeLinuxLastPriority | 225 | Priority for SELinux at packet exit. |
| NftChain.ConnTrackHelperPriority | 300 | Priority for connection tracking at exit. |
| NftChain.ConnTrackConfirmPriority | 2147483646 | Priority for connection tracking confirmation operations. |
| NftChain.LastPriority | 2147483647 | Lowest priority to process the chain after all other chains with higher priorities. |
Type¶
This enumeration describes supported chain types to implement different kinds of operations.
| Name | Value | Description |
|---|---|---|
| NftChain.Filter | 0 | Implement a packet filter chain. This is supported by the NftTable.ARP, NftTable.Bridge, NftTable.IP, NftTable.IP6 and NftTable.INet table families. |
| NftChain.Rule | 1 | |
| NftChain.Nat | 2 | Perform Network Address Translation (NAT). Only the first packet of a flow traverses this chain; follow-up packets do not. Therefore, never use this chain for filtering. This is supported by the NftTable.IP and NftTable.IP6 table families. |
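The Description, the priority property and the Type table above describe how type, hook, priority and policy decide when a chain runs and which table families it may belong to. The following Python is an added example, not InCore code: it models such a chain as a plain dataclass, checks it against the constraints stated on this page (the ingress hook only for the NetDev family, nat chains only for IP/IP6, no filtering in nat chains), orders the enabled chains on a hook by priority, and renders the equivalent nftables chain declaration. The `Chain` dataclass, the function names and the sample chains are constructed for this example; the enumeration values are the ones listed above.

```python
"""Added example, not InCore code: model a chain with the properties this
page documents, check it against the constraints the page states, and
render the equivalent nftables chain declaration."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


# Enumeration values as listed in the Hook, Policy and Type tables.
class Hook(IntEnum):
    PREROUTING = 0
    INPUT = 1
    FORWARD = 2
    OUTPUT = 3
    POSTROUTING = 4
    INGRESS = 5


class Policy(IntEnum):
    ACCEPT = 0
    DROP = 1
    QUEUE = 2
    CONTINUE = 3
    RETURN = 4


class Type(IntEnum):
    FILTER = 0
    RULE = 1   # listed without a description on the page
    NAT = 2


PRIORITY: Dict[str, int] = {  # values from the Priority enumeration
    "FirstPriority": -2147483648, "ConnTrackDefragPriority": -400,
    "RawPriority": -300, "SeLinuxFirstPriority": -225,
    "ConnTrackPriority": -200, "ManglePriority": -150,
    "DestinationNatPriority": -100, "FilterPriority": 0,
    "SecurityPriority": 50, "SourceNatPriority": 100,
    "SeLinuxLastPriority": 225, "ConnTrackHelperPriority": 300,
    "ConnTrackConfirmPriority": 2147483646, "LastPriority": 2147483647,
}


@dataclass
class Chain:                          # constructed stand-in for an NftChain
    name: str
    family: str                       # NftTable family name, e.g. "INet"
    type: Type = Type.FILTER
    hook: Hook = Hook.INPUT
    priority: int = PRIORITY["FilterPriority"]
    policy: Policy = Policy.ACCEPT
    enabled: bool = True
    raw_rules: List[str] = field(default_factory=list)


def validate(chain: Chain) -> List[str]:
    """Return the constraint violations for a chain; an empty list means OK."""
    problems = []
    if chain.hook is Hook.INGRESS and chain.family != "NetDev":
        problems.append("ingress hook is available for the NetDev family only")
    if chain.type is Type.NAT and chain.family not in {"IP", "IP6"}:
        problems.append(f"type nat is not supported by the {chain.family} family")
    if chain.type is Type.NAT and chain.policy is Policy.DROP:
        # Only the first packet of a flow traverses a nat chain, so a drop
        # policy there is filtering that never sees the rest of the flow.
        problems.append("nat chains see only the first packet of a flow; do not use them for filtering")
    return problems


def render(chain: Chain) -> str:
    """Render the chain as an nftables chain declaration (nft syntax)."""
    head = (f"type {chain.type.name.lower()} hook {chain.hook.name.lower()} "
            f"priority {chain.priority}; policy {chain.policy.name.lower()};")
    body = [head] + chain.raw_rules
    return f"chain {chain.name} {{\n" + "".join(f"\t{line}\n" for line in body) + "}"


def processing_order(chains: List[Chain], hook: Hook) -> List[str]:
    """Names of the enabled chains on a hook in the order the kernel runs
    them: lower priority values first, as the Priority table describes."""
    return [c.name for c in sorted(chains, key=lambda c: c.priority)
            if c.enabled and c.hook is hook]


if __name__ == "__main__":
    # Constructed sample chains on the prerouting hook.
    raw = Chain("raw", "INet", hook=Hook.PREROUTING, priority=PRIORITY["RawPriority"],
                raw_rules=["ip daddr 8.8.8.8 counter"])
    dnat = Chain("dnat", "IP", type=Type.NAT, hook=Hook.PREROUTING,
                 priority=PRIORITY["DestinationNatPriority"])
    mangle = Chain("mangle", "INet", hook=Hook.PREROUTING,
                   priority=PRIORITY["ManglePriority"], enabled=False)
    print(processing_order([dnat, mangle, raw], Hook.PREROUTING))  # ['raw', 'dnat']
    print(render(raw))
    print(validate(Chain("bad", "Bridge", type=Type.NAT, hook=Hook.PREROUTING,
                         policy=Policy.DROP)))
```

The disabled `mangle` chain is left out of the processing order, matching the enabled property's meaning that a disabled chain is not included in its table; the `validate` call at the end reports both the unsupported family and the drop policy on a nat chain.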
Example¶
See NftFirewall example on how to use NftChain.