NftChain

Description

The NftChain object represents an nftables chain. It consists of a set of rules which are processed depending on the type, hook, priority and policy properties. Because it carries a hook, type and priority, it is what nftables calls a base chain: Netfilter invokes it directly at the given hook, rather than only when another chain jumps to it.

This object was introduced in InCore 2.1.

› Inherits:

Object

Overview

Properties

Methods

Signals

Enumerations

Properties

enabled

This property holds whether the chain is enabled, i.e. it should be included in the corresponding table.

› Type:

Boolean

› Default:

true

› Signal:

enabledChanged()

› Attributes:

Writable

hook

This property holds the stage of packet processing in the kernel at which the chain is attached (its Netfilter hook). See the Hook enumeration and the nftables documentation on chains for details.

› Type:

Hook

› Default:

NftChain.Input

› Signal:

hookChanged()

› Attributes:

Writable

name

This property holds the name of the firewall chain, e.g. input.

› Type:

String

› Signal:

nameChanged()

› Attributes:

Writable

policy

This property holds the chain's default verdict, i.e. what happens to a packet that reaches the end of the chain without a rule having issued a verdict. See the Policy enumeration for details. Note that the default is NftChain.Accept, so a filter chain with no matching rule lets the packet through; a default-deny firewall sets NftChain.Drop on its Input and Forward chains and accepts wanted traffic with explicit rules.

› Type:

Policy

› Default:

NftChain.Accept

› Signal:

policyChanged()

› Attributes:

Writable

priority

This property holds a number used to order chains attached to the same hook (lower values are processed first) or to place a chain before or after Netfilter's own operations such as connection tracking. See the Priority enumeration and the nftables documentation on chains for details.

› Type:

Priority

› Default:

NftChain.FilterPriority

› Signal:

priorityChanged()

› Attributes:

Writable

rawRules

This property holds a list of nftables rules written verbatim in nft syntax, exactly as they would appear inside the chain, e.g. [ "ip daddr 8.8.8.8 counter packets 0 bytes 0", "tcp dport ssh counter packets 0 bytes 0" ].

Consider using NftRule objects (see the rules property) instead of raw strings.

› Type:

StringList

› Signal:

rawRulesChanged()

› Attributes:

Writable

rules

This property holds a list of nftables rules described by NftRule objects.

› Type:

List<NftRule>

› Signal:

rulesChanged()

› Attributes:

Readonly

type

This property holds the type of the nftables chain. See the nftables documentation on chains for details

› Type:

Type

› Default:

NftChain.Filter

› Signal:

typeChanged()

› Attributes:

Writable

Signals

rulesDataChanged(SignedInteger index)

This signal is emitted whenever the List.dataChanged() signal is emitted, i.e. the item at index in the rules list emitted its own dataChanged() signal.

Enumerations

Hook

This enumeration describes stages of the packet processing at which the chains are processed.

Name

Value

Description

NftChain.Prerouting

0

Process chain before the routing decision, when it is not yet known whether packets are addressed to the local system or are to be forwarded.

NftChain.Input

1

Process chain after the routing decision for packets which are directed to the local system and/or processes running on it.

NftChain.Forward

2

Process chain after the routing decision for packets which are not directed to the local system, i.e. packets being forwarded.

NftChain.Output

3

Process chain for packets originating from processes on the local system.

NftChain.Postrouting

4

Process chain after the routing decision for packets leaving the local system.

NftChain.Ingress

5

Process chain to filter traffic even before prerouting, right after the packet is received by the NIC driver. This hook is available for the NftTable.NetDev family only.

Policy

This enumeration describes the verdicts that can be used as a chain's default policy, i.e. the fate of a packet that reaches the end of the chain without a rule having issued a verdict. Note that nftables itself only accepts accept and drop as the policy of a base chain; queue, continue and return are rule verdicts, and nft rejects a chain declaration that names them as policy.

Name

Value

Description

NftChain.Accept

0

Accept the packet. Evaluation of this chain ends, but a later chain on the same hook or a later hook can still drop it.

NftChain.Drop

1

Silently discard the packet; evaluation stops.

NftChain.Queue

2

Hand the packet to a userspace program via nfnetlink_queue.

NftChain.Continue

3

Continue evaluation with the next rule.

NftChain.Return

4

Return from the current chain to the chain that jumped to it.

Priority

This enumeration describes priorities which can be used to order chains attached to the same hook (a lower value is processed first) or to put a chain before or after some Netfilter internal operation. For example, a chain on the prerouting hook with the priority -300 is processed before connection tracking (-200).

Name

Value

Description

NftChain.FirstPriority

-2147483648

Lowest possible value, so the chain is processed before every other chain on the same hook.

NftChain.ConnTrackDefragPriority

-400

Priority of defragmentation.

NftChain.RawPriority

-300

Traditional priority of the raw table placed before connection tracking operation.

NftChain.SeLinuxFirstPriority

-225

Priority for SELinux operations.

NftChain.ConnTrackPriority

-200

Priority for connection tracking operations.

NftChain.ManglePriority

-150

Priority for mangle operations.

NftChain.DestinationNatPriority

-100

Priority for chains implementing destination NAT.

NftChain.FilterPriority

0

Priority for chains implementing packet filtering operations.

NftChain.SecurityPriority

50

Place of the security table, where a secmark can be set for example.

NftChain.SourceNatPriority

100

Priority for chains implementing source NAT.

NftChain.SeLinuxLastPriority

225

Priority for SELinux at packet exit.

NftChain.ConnTrackHelperPriority

300

Priority for connection tracking at exit.

NftChain.ConnTrackConfirmPriority

2147483646

Priority for connection tracking confirmation operations.

NftChain.LastPriority

2147483647

Highest possible value, so the chain is processed after every other chain on the same hook.

Type

This enumeration describes supported chain types to implement different kinds of operations.

Name

Value

Description

NftChain.Filter

0

Implements a packet filter chain. This is supported by the NftTable.ARP, NftTable.Bridge, NftTable.IP, NftTable.IP6 and NftTable.INet table families. nftables itself also allows filter chains in the netdev family, which is the only family that offers the Ingress hook.

NftChain.Rule

1

No description is given here. nftables knows exactly three base chain types, filter, route and nat, so this value presumably corresponds to the route type, which re-evaluates the routing decision for a packet whose IP header fields or mark were changed by the chain; in nftables that type is supported by the ip and ip6 families only.

NftChain.Nat

2

Performs Network Address Translation (NAT). Only the first packet of a flow traverses this chain; follow-up packets of an established connection are handled by connection tracking and never hit it. Therefore, never use a nat chain for filtering. This is supported by the NftTable.IP and NftTable.IP6 table families.

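The following is an added example, not InCore code, showing what the properties documented above map to in nftables. It renders a chain's hook, type, priority, policy and raw rules as the equivalent nft statements, applies the checks nftables makes when a base chain is created (policy restricted to accept/drop, the Ingress hook tied to the netdev family, nat and route types restricted to the families listed on this page) and orders several chains attached to one hook by priority. The enumeration values are taken from this page; the Chain class, the family strings and the mapping of NftChain.Rule to nftables' route type are assumptions.

```python
"""Added example (not InCore code): the nftables semantics behind NftChain's
hook, type, priority and policy properties. Enum values are copied from the
NftChain page; the Chain class, the family strings and the mapping of
NftChain.Rule to nftables' `route` type are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Hook(IntEnum):  # NftChain.Hook
    Prerouting = 0
    Input = 1
    Forward = 2
    Output = 3
    Postrouting = 4
    Ingress = 5


class Policy(IntEnum):  # NftChain.Policy
    Accept = 0
    Drop = 1
    Queue = 2
    Continue = 3
    Return = 4


class Type(IntEnum):  # NftChain.Type
    Filter = 0
    Rule = 1
    Nat = 2


# NftChain.Priority: the Netfilter hook priorities; a lower value runs earlier.
PRIORITY = {
    "FirstPriority": -2147483648, "ConnTrackDefragPriority": -400,
    "RawPriority": -300, "SeLinuxFirstPriority": -225,
    "ConnTrackPriority": -200, "ManglePriority": -150,
    "DestinationNatPriority": -100, "FilterPriority": 0,
    "SecurityPriority": 50, "SourceNatPriority": 100,
    "SeLinuxLastPriority": 225, "ConnTrackHelperPriority": 300,
    "ConnTrackConfirmPriority": 2147483646, "LastPriority": 2147483647,
}

# nftables keywords. Mapping NftChain.Rule to "route" is an assumption:
# nftables has exactly three base chain types, filter, route and nat.
NFT_TYPE = {Type.Filter: "filter", Type.Rule: "route", Type.Nat: "nat"}

# Table families allowed per chain type, as listed on the page; netdev is
# added because nftables allows filter chains there and it is the only
# family that has the ingress hook.
FAMILIES_FOR_TYPE = {
    Type.Filter: {"arp", "bridge", "ip", "ip6", "inet", "netdev"},
    Type.Rule: {"ip", "ip6"},
    Type.Nat: {"ip", "ip6"},
}


@dataclass
class Chain:
    """The writable NftChain properties, with the page's defaults."""
    name: str
    hook: Hook = Hook.Input
    type: Type = Type.Filter
    priority: int = PRIORITY["FilterPriority"]
    policy: Policy = Policy.Accept
    raw_rules: list = field(default_factory=list)


def validate(family: str, chain: Chain) -> None:
    """Raise ValueError for combinations nftables rejects at load time."""
    if family not in FAMILIES_FOR_TYPE[chain.type]:
        raise ValueError(f"{NFT_TYPE[chain.type]} chains are not supported in the {family} family")
    if (chain.hook is Hook.Ingress) != (family == "netdev"):
        # ingress exists only in netdev, and netdev has no other hook in the
        # NftChain.Hook enumeration on this page
        raise ValueError("the ingress hook and the netdev family must be used together")
    if chain.policy not in (Policy.Accept, Policy.Drop):
        # nft only accepts accept/drop as a base chain policy; queue, continue
        # and return are rule verdicts
        raise ValueError(f"{chain.policy.name.lower()} is not a valid base chain policy")
    if not -2147483648 <= chain.priority <= 2147483647:
        raise ValueError("priority outside the int32 range")


def is_valid(family: str, chain: Chain) -> bool:
    try:
        validate(family, chain)
        return True
    except ValueError:
        return False


def render(family: str, table: str, chain: Chain) -> str:
    """nft statements equivalent to an enabled NftChain inside the given table."""
    validate(family, chain)
    lines = [f"add chain {family} {table} {chain.name} "
             f"{{ type {NFT_TYPE[chain.type]} hook {chain.hook.name.lower()} "
             f"priority {chain.priority}; policy {chain.policy.name.lower()}; }}"]
    lines += [f"add rule {family} {table} {chain.name} {r}" for r in chain.raw_rules]
    return "\n".join(lines)


def processing_order(chains, hook: Hook) -> list:
    """Names of the chains attached to `hook`, in the order Netfilter runs them."""
    on_hook = [c for c in chains if c.hook is hook]
    return [c.name for c in sorted(on_hook, key=lambda c: c.priority)]


def runs_before_conntrack(chain: Chain) -> bool:
    """True if the chain sees packets before connection tracking (e.g. for notrack)."""
    return chain.priority < PRIORITY["ConnTrackPriority"]


if __name__ == "__main__":
    # constructed sample: a default-deny input chain that only admits SSH
    ssh_only = Chain("input", Hook.Input, Type.Filter, PRIORITY["FilterPriority"], Policy.Drop,
                     ["ct state established,related accept", "tcp dport ssh accept"])
    print(render("inet", "filter", ssh_only))
    print(processing_order([Chain("dnat", Hook.Prerouting, Type.Nat, PRIORITY["DestinationNatPriority"]),
                            Chain("raw", Hook.Prerouting, priority=PRIORITY["RawPriority"])],
                           Hook.Prerouting))
```

Running the block prints the nft declaration for a drop-by-default input chain and shows that, on the prerouting hook, a RawPriority chain is processed before a DestinationNatPriority chain regardless of the order in which the chains were declared.
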
Example

See NftFirewall example on how to use NftChain.