NftFirewall

Description

The NftFirewall object represents a network firewall configuration and can be used to implement all kinds of networking and packet-filtering scenarios. It uses nftables, the modern packet-filtering framework provided by the Linux kernel. Consequently, NftFirewall and all of its subobjects (such as NftTable, NftChain and NftRule) follow nftables concepts and semantics while exposing them in QML syntax, including dynamic updates: whenever a bound property changes, the effective ruleset is regenerated and reloaded. See the nftables Wiki for more information on how nftables-based firewalling and packet filtering works.

This object was introduced in InCore 2.1.

› Inherits:Object

Properties

externalRulesetFile

This property holds a path to an external file containing the ruleset to load. If set, the tables and ruleset properties are ignored and the specified ruleset file is loaded instead.

› Type:String
› Signal:externalRulesetFileChanged()
› Attributes:Writable

ruleset

This property holds the effective ruleset in nftables syntax which is being loaded and used.

› Type:String
› Signal:rulesetChanged()
› Attributes:Readonly

tables

This property holds a list of tables containing chains and rules.

› Type:List<NftTable>
› Signal:tablesChanged()
› Attributes:Readonly

Methods

flush()

load()

Signals

tablesDataChanged(SignedInteger index)

This signal is emitted whenever the List.dataChanged() signal of the tables list is emitted, i.e. whenever the item at position index in the tables list has itself emitted its dataChanged() signal.

Example

import InCore.Foundation 2.5

Application {

    id: app

    System {
        id: system
        Polling on cpuLoad { }
    }

    NftFirewall {

        NftTable {
            family: NftTable.IP
            name: "example"

            NftChain {
                name: "incoming"
                type: NftChain.Filter
                hook: NftChain.Input
                priority: NftChain.FilterPriority
                policy: NftChain.Drop
                rawRules: [ "ip protocol icmp icmp type { echo-request } accept" ]
                NftRule { inputInterface: "lo"; statement.type: NftStatement.Accept }
                NftRule { protocol: NftRule.Icmp; statement.type: NftStatement.Accept }
                NftRule { connectionStates: NftRule.Established | NftRule.Related; statement.type: NftStatement.Accept }
                // disable new SSH connections if system load is too high
                NftRule {
                    connectionStates: NftRule.New
                    protocol: NftRule.Tcp
                    destinationPorts: 22
                    statement.type: system.cpuLoad < 1 ? NftStatement.Accept : NftStatement.Drop
                }
            }

            NftChain {
                id: proxy
                enabled: app.commandLineArguments[0] === "proxy"
                name: "transparentwebproxy"
                type: NftChain.Nat
                hook: NftChain.Postrouting
                priority: NftChain.SourceNatPriority
                policy: NftChain.Accept
                NftRule {
                    protocol: NftRule.Tcp
                    sourceAddress: "192.168.19.1"
                    destinationPorts: [ 80, 443 ]
                    statement.type: NftStatement.Masquerade
                }
            }
        }

        onRulesetChanged: console.log(ruleset)
    }
}
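To make the QML above easier to audit, here is the nftables ruleset it corresponds to, written out by hand as an added illustration. This is not InCore's generated output (the text exposed by the ruleset property may be formatted differently), and the mapping of the enum values (NftChain.FilterPriority to priority filter, NftChain.SourceNatPriority to priority srcnat, NftStatement.Masquerade to masquerade) is assumed from nftables semantics rather than taken from the page. It is shown for the case where the application was started with the "proxy" argument and the CPU load was below 1 at load time, so both chains are present and the SSH rule accepts.

```nft
# Hand-written equivalent of the NftFirewall example (assumed rendering,
# not the library's generated text). Compare against `nft list ruleset`
# on the device to confirm what the kernel actually holds.
table ip example {
    chain incoming {
        # policy drop: anything not explicitly accepted below is discarded
        type filter hook input priority filter; policy drop;

        # rawRules entry, inserted verbatim
        ip protocol icmp icmp type { echo-request } accept

        # NftRule { inputInterface: "lo"; ... }
        iif "lo" accept

        # NftRule { protocol: NftRule.Icmp; ... }
        # Note: this accepts all ICMP, so the narrower raw rule above is redundant.
        ip protocol icmp accept

        # NftRule { connectionStates: Established | Related; ... }
        ct state established,related accept

        # NftRule { connectionStates: New; protocol: Tcp; destinationPorts: 22; ... }
        # The verdict is bound to system.cpuLoad: "accept" while load < 1,
        # "drop" otherwise. Each change of the binding reloads the ruleset.
        ct state new tcp dport 22 accept
    }

    # Present only when the chain's `enabled` binding is true
    # (app.commandLineArguments[0] === "proxy").
    chain transparentwebproxy {
        type nat hook postrouting priority srcnat; policy accept;

        # NftRule { sourceAddress: "192.168.19.1"; destinationPorts: [80, 443]; masquerade }
        ip saddr 192.168.19.1 tcp dport { 80, 443 } masquerade
    }
}
```

Two things worth checking when using a ruleset like this: first, read the ruleset property (or subscribe to rulesetChanged(), as the example does with console.log) and compare it against nft list ruleset, so that what QML produced is what the kernel enforces; second, remember that a rule bound to a fluctuating value such as system.cpuLoad re-emits rulesetChanged() and reloads the whole ruleset on every change of the verdict, so a threshold with some hysteresis keeps reloads (and the brief drop of new SSH connections) predictable.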