NFTables.Expr.Socket (NFTables v0.8.2)


Socket and process filtering functions for firewall rules.

This module provides functions to match packets based on socket owner (UID/GID), control groups (cgroups) for container filtering, and transparent socket detection for transparent proxy setups.

Common Use Cases

  • Block specific users from internet access
  • Allow only certain users to access services
  • Container-specific firewall rules
  • Transparent proxy (TPROXY) setups
  • Process-based access control

Important Notes

  • Socket owner matching (skuid/skgid) only works for locally-generated traffic
  • These functions are only effective in the OUTPUT chain
  • Cgroup matching is useful for container/cgroup-based filtering

Import

import NFTables.Expr.Socket

For more information, see the nftables socket expressions wiki.

Summary

Functions

cgroup(builder \\ Expr.expr(), cgroup_id): Match cgroup (control group) ID.

skgid(builder \\ Expr.expr(), gid): Match packets by socket owner group ID.

skuid(builder \\ Expr.expr(), uid): Match packets by socket owner user ID.

socket_transparent(builder \\ Expr.expr()): Match packets with transparent socket.

Functions

cgroup(builder \\ Expr.expr(), cgroup_id)

Match cgroup (control group) ID.

Used for container-specific filtering. Cgroups are used by Docker, Kubernetes, and other container systems to isolate processes.

Example

# Route specific cgroup to custom chain
cgroup(1001) |> jump("container_rules")

# Block specific container
cgroup(2000) |> drop()

# Apply rate limiting per container
cgroup(1001) |> limit(1000, :second) |> accept()

# Mark traffic from specific cgroup
cgroup(1001) |> set_mark(100) |> accept()

skgid(builder \\ Expr.expr(), gid)

Match packets by socket owner group ID.

Matches packets based on the GID of the process that created the socket. Only works for locally-generated traffic in the OUTPUT chain.

Example

# Block specific group from internet access
skgid(1002)
|> oif("wan0")
|> reject()

# Allow admin group to access admin port
skgid(100)
|> tcp()
|> dport(8443)
|> accept()

# Log traffic from development group
skgid(1000) |> log("dev-group") |> accept()

skuid(builder \\ Expr.expr(), uid)

Match packets by socket owner user ID.

Matches packets based on the UID of the process that created the socket. Only works for locally-generated traffic in the OUTPUT chain.

Example

# Block specific user from internet access
skuid(1001)
|> oif("wan0")
|> reject()

# Allow only root to access management port
skuid(0)
|> tcp()
|> dport(9000)
|> accept()

# Per-user bandwidth limiting
skuid(1001) |> limit(1000, :second) |> accept()
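The snippets above show single rules; the following added example (not code from the NFTables library or its documentation) combines skuid/skgid with the other helpers used on this page into a default-deny egress policy for the OUTPUT chain, where narrow allow rules come first and everything else the principal sends is logged and dropped. It assumes the tcp/dport/oif/log/accept/drop pipeline helpers are already imported in scope, and the module name, UID/GID values and interface name are illustrative.

```elixir
# Added example, not part of the NFTables library: a least-privilege
# egress policy built from the socket owner matchers on this page.
# Assumptions: tcp/0, dport/2, oif/2, log/2, accept/1 and drop/1 are the
# same pipeline helpers used in the page's examples and are in scope;
# MyApp.Firewall.Egress, the UIDs/GIDs and "wan0" are illustrative values.
defmodule MyApp.Firewall.Egress do
  import NFTables.Expr.Socket

  @svc_uid 1001     # service account that may only reach its database
  @admin_gid 100    # group allowed to reach the admin port
  @wan "wan0"       # outbound interface this policy protects

  # Rules are returned in evaluation order for an OUTPUT chain: the first
  # matching rule wins, so the specific allows precede the catch-all drops.
  # skuid/skgid only see locally generated traffic, so this policy
  # constrains processes on this host, not forwarded or inbound packets.
  def rules do
    [
      # Service account: only TCP 5432 on the WAN interface, nothing else.
      skuid(@svc_uid) |> tcp() |> dport(5432) |> oif(@wan) |> accept(),

      # Admin group: only the admin port on the WAN interface.
      skgid(@admin_gid) |> tcp() |> dport(8443) |> oif(@wan) |> accept(),

      # Any other outbound traffic from these principals is logged first
      # (the prefix is the detection hook for unexpected egress) and dropped.
      skuid(@svc_uid) |> oif(@wan) |> log("egress-deny-svc") |> drop(),
      skgid(@admin_gid) |> oif(@wan) |> log("egress-deny-admin") |> drop()
    ]
  end
end
```

Installing the returned rules into a table and chain uses whatever chain-building API the library provides; that part is not shown on this page, so the example stops at the rule expressions.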

socket_transparent(builder \\ Expr.expr())

@spec socket_transparent(NFTables.Expr.t()) :: NFTables.Expr.t()

Match packets with transparent socket.

Used in transparent proxy setups to identify packets that belong to an existing transparent socket. This prevents loops where proxied packets are re-proxied.

Examples

# Mark packets with existing transparent socket
socket_transparent()
|> set_mark(1)
|> accept()

# Skip TPROXY for packets already handled
socket_transparent() |> accept()

Use Cases

  • Transparent proxy setups (TPROXY)
  • Avoiding proxy loops
  • Identifying proxy-handled traffic

Typical TPROXY Setup

# Chain 1: Mark existing transparent connections
socket_transparent()
|> set_mark(1)
|> accept()

# Chain 2: TPROXY unmarked traffic
tcp()
|> dport(80)
|> mark(0)
|> tproxy(to: 8080)

# Chain 3: Accept marked traffic
mark(1) |> accept()

For more information, see the TPROXY documentation.