NftFirewall

Description
The NftFirewall object represents a network firewall configuration and can be used to implement all kinds of networking and packet filtering scenarios. It uses nftables, the modern packet filtering framework provided by the Linux kernel. Consequently, NftFirewall and all of its subobjects (such as NftTable, NftChain and NftRule) follow the nftables concepts and semantics while providing QML syntax, including dynamic updates on any property change. See the nftables Wiki for more information on how nftables-based firewalling and packet filtering works.
This object was introduced in InCore 2.1.
| Inherits: | Object |
|---|---|
Properties

externalRulesetFile
This property holds a path to an external file containing the ruleset to load. If set, the tables and ruleset properties are ignored and the specified ruleset file is loaded instead.
| Type: | String |
|---|---|
| Signal: | externalRulesetFileChanged() |
| Attributes: | Writable |
ruleset
This property holds the effective ruleset in nftables syntax which is being loaded and used.
| Type: | String |
|---|---|
| Signal: | rulesetChanged() |
| Attributes: | Readonly |
Signals

tablesDataChanged(SignedInteger index)
This signal is emitted whenever the List.dataChanged() signal is emitted, i.e. the item at index in the tables list itself emitted the dataChanged() signal.
Example
```qml
import InCore.Foundation 2.5

Application {
    id: app

    System {
        id: system
        Polling on cpuLoad { }
    }

    NftFirewall {
        NftTable {
            family: NftTable.IP
            name: "example"

            NftChain {
                name: "incoming"
                type: NftChain.Filter
                hook: NftChain.Input
                priority: NftChain.FilterPriority
                policy: NftChain.Drop
                rawRules: [ "ip protocol icmp icmp type { echo-request } accept" ]

                NftRule { inputInterface: "lo"; statement.type: NftStatement.Accept }
                NftRule { protocol: NftRule.Icmp; statement.type: NftStatement.Accept }
                NftRule { connectionStates: NftRule.Established | NftRule.Related; statement.type: NftStatement.Accept }

                // disable new SSH connections if system load is too high
                NftRule {
                    connectionStates: NftRule.New
                    protocol: NftRule.Tcp
                    destinationPorts: 22
                    statement.type: system.cpuLoad < 1 ? NftStatement.Accept : NftStatement.Drop
                }
            }

            NftChain {
                id: proxy
                enabled: app.commandLineArguments[0] === "proxy"
                name: "transparentwebproxy"
                type: NftChain.Nat
                hook: NftChain.Postrouting
                priority: NftChain.SourceNatPriority
                policy: NftChain.Accept

                NftRule {
                    protocol: NftRule.Tcp
                    sourceAddress: "192.168.19.1"
                    destinationPorts: [ 80, 443 ]
                    statement.type: NftStatement.Masquerade
                }
            }
        }

        onRulesetChanged: console.log(ruleset)
    }
}
```
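Because the ruleset property exposes the effective nftables ruleset as text (the example above logs it from onRulesetChanged), a deployment can verify that the generated firewall still enforces a default-drop policy on its input filter chain after dynamic property changes. The following checker is an added example, not part of InCore or this page; it assumes the logged text uses standard `nft list ruleset` syntax, and the sample ruleset it parses is constructed for illustration rather than captured from InCore.

```python
import re

# Constructed sample in the shape of an nftables ruleset as the
# NftFirewall.ruleset property might expose it (not captured from InCore).
SAMPLE_RULESET = """\
table ip example {
    chain incoming {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ip protocol icmp accept
        ct state established,related accept
        tcp dport 22 ct state new drop
    }
    chain transparentwebproxy {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.19.1 tcp dport { 80, 443 } masquerade
    }
}
"""

CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{")
# Base chain header: "type <type> hook <hook> priority <prio>; policy <policy>;"
HEADER_RE = re.compile(
    r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+);"
)


def parse_chains(ruleset):
    """Return one dict (name, type, hook, policy) per base chain in the ruleset."""
    chains, name = [], None
    for line in ruleset.splitlines():
        m = CHAIN_RE.search(line)
        if m:
            name = m.group(1)
            continue
        h = HEADER_RE.search(line)
        if h and name is not None:
            chains.append({"name": name, "type": h.group(1),
                           "hook": h.group(2), "policy": h.group(3)})
    return chains


def check_default_drop(ruleset, hooks=("input",)):
    """List findings: filter chains on the given hooks must exist and have policy drop."""
    findings, seen = [], set()
    for c in parse_chains(ruleset):
        if c["type"] == "filter" and c["hook"] in hooks:
            seen.add(c["hook"])
            if c["policy"] != "drop":
                findings.append(f"chain {c['name']} (hook {c['hook']}) has policy "
                                f"{c['policy']}, expected drop")
    findings.extend(f"no filter chain attached to hook {h}" for h in hooks if h not in seen)
    return findings
```

Feed it the text logged from onRulesetChanged; an empty list means every checked hook is covered by a default-drop filter chain.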