2 releases

0.1.1 Oct 31, 2024
0.1.0 Oct 31, 2024

#301 in Network programming

MIT license

38KB
921 lines

nifty-filter

💥 warning: alpha pre-release version

nifty-filter is a template and configuration tool for netfilter (nftables) and is useful for creating a Linux based Internet protocol (IP) router. It is a program that generates the nftables.nft config file, using its own internal template. The configuration is done entirely by environment variables (or .env file) and the output is type checked and validated.

The jinja-like template is powered by djc/askama, which implements compile time type checking of input values. Therefore, if you wish to customize the template, you will have to compile your own nifty-filter binary. However, the default template is designed to cover most of the use cases for a typical home LAN router, so if that suits your needs then you can simply download the precompiled binary from the releases page.

Install

Download the latest release for your platform.

Or install via cargo (crates.io/crates/nifty-filter):

cargo install nifty-filter

Examples

There are several included examples:

  • home_router.sh - This example is a self-contained bash script where all config is defined inside the script as environment variables.

  • home_router.env - This example is a "dot env" file containging all the config variables. You can pass this to nifty-router --ignore-env --env-file [FILE].

You can mix the two styles together as long you don't specify --ignore-env, in which case only the file passed to --env-file will be used.

Config styles

You can supply your configuration in two ways: set environment variables and/or provide a .env file.

Example with a .env file that ignores all other environment variables:

nifty-filter --env-file .env --ignore-env

Example with a .env file and mixing it with some outside environment variables:

INTERFACE_LAN=eth0 \
INTERFACE_WAN=eth1 \
nifty-filter --env-file .env

Example with only environment variables (but this is an incomplete config):

INTERFACE_LAN=eth0 \
INTERFACE_WAN=eth1 \
nifty-filter

Run with extra validation which passes the output to nft -c -f - for sanity checking:

#...
nifty-filter --validate

Dependencies

~5–7MB
~125K SLoC