NFTables.Sysctl.Network (NFTables v0.8.2)
Convenience functions for common network sysctl operations.
This module provides high-level helpers for frequently-used network
configuration tasks, wrapping the low-level NFTables.Sysctl API.
Examples
# Enable IP forwarding (for routers)
:ok = NFTables.Sysctl.Network.enable_ipv4_forwarding(pid)
# Configure router settings
:ok = NFTables.Sysctl.Network.configure_router(pid,
ipv4_forwarding: true,
ipv6_forwarding: true,
syncookies: true
)
# Harden security settings
:ok = NFTables.Sysctl.Network.harden_security(pid)
Summary
Functions
Allow ICMP ping requests.
Configure router settings.
Disable IPv4 forwarding.
Disable IPv6 forwarding.
Disable TCP SYN cookies.
Enable IPv4 forwarding.
Enable IPv6 forwarding.
Enable TCP SYN cookies for DDoS protection.
Get current connection tracking max.
Harden network security settings for both IPv4 and IPv6.
Harden IPv4 network security settings.
Harden IPv6 network security settings.
Ignore all ICMP ping requests (stealth mode).
Check if IPv4 forwarding is enabled.
Set maximum connection tracking entries.
Functions
Allow ICMP ping requests.
Example
:ok = NFTables.Sysctl.Network.allow_ping(pid)
Configure router settings.
Applies common settings for a router/gateway.
Options
- :ipv4_forwarding - Enable IPv4 forwarding (default: false)
- :ipv6_forwarding - Enable IPv6 forwarding (default: false)
- :syncookies - Enable SYN cookies (default: false)
- :send_redirects - Enable ICMP redirects (default: false)
Example
:ok = NFTables.Sysctl.Network.configure_router(pid,
ipv4_forwarding: true,
ipv6_forwarding: true,
syncookies: true,
send_redirects: false
)
Disable IPv4 forwarding.
Example
:ok = NFTables.Sysctl.Network.disable_ipv4_forwarding(pid)
Disable IPv6 forwarding.
Example
:ok = NFTables.Sysctl.Network.disable_ipv6_forwarding(pid)
Disable TCP SYN cookies.
Example
:ok = NFTables.Sysctl.Network.disable_syncookies(pid)
Enable IPv4 forwarding.
Enables IP forwarding on all interfaces. Required for routers and NAT gateways.
Example
:ok = NFTables.Sysctl.Network.enable_ipv4_forwarding(pid)
Enable IPv6 forwarding.
Example
:ok = NFTables.Sysctl.Network.enable_ipv6_forwarding(pid)
Enable TCP SYN cookies for DDoS protection.
SYN cookies help protect against SYN flood attacks.
Example
:ok = NFTables.Sysctl.Network.enable_syncookies(pid)
@spec get_conntrack_max(pid() | keyword()) :: {:ok, pos_integer()} | {:error, term()}
Get current connection tracking max.
Example
{:ok, 65536} = NFTables.Sysctl.Network.get_conntrack_max(pid)
Harden network security settings for both IPv4 and IPv6.
Applies security-focused sysctl settings by calling both
harden_security_ipv4/1 and harden_security_ipv6/1.
Example
:ok = NFTables.Sysctl.Network.harden_security(pid)
Harden IPv4 network security settings.
Applies IPv4 security-focused sysctl settings:
- Enable reverse path filtering (anti-spoofing)
- Disable source routing
- Disable ICMP redirects
- Disable send redirects
- Enable SYN cookies (SYN flood protection)
Example
:ok = NFTables.Sysctl.Network.harden_security_ipv4(pid)
Harden IPv6 network security settings.
Applies IPv6 security-focused sysctl settings:
- Disable source routing
- Disable ICMP redirects
- Disable Router Advertisements (prevents RA-based attacks)
- Disable RA default router
- Disable RA prefix information
Example
:ok = NFTables.Sysctl.Network.harden_security_ipv6(pid)
Ignore all ICMP ping requests (stealth mode).
Example
:ok = NFTables.Sysctl.Network.ignore_ping(pid)
Check if IPv4 forwarding is enabled.
Returns {:ok, true} if enabled, {:ok, false} if disabled.
Example
{:ok, true} = NFTables.Sysctl.Network.ipv4_forwarding_enabled?(pid)
@spec set_conntrack_max(pid() | keyword(), pos_integer()) :: :ok | {:error, term()}
Set maximum connection tracking entries.
Higher values allow more concurrent connections but use more memory.
Example
:ok = NFTables.Sysctl.Network.set_conntrack_max(pid, 131072)
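As an added example (not code from the NFTables project or its docs), the following module combines the helpers on this page into a NAT gateway setup that verifies its own result: it hardens both stacks, applies router settings, confirms forwarding actually took effect via ipv4_forwarding_enabled?/1, and raises conntrack_max to a floor only when the current value is lower. It assumes configure_router/2 writes every listed option as given (including false values) and that the GatewayHardening module name and the 131072 floor are illustrative choices.

```elixir
defmodule GatewayHardening do
  # Hypothetical wrapper module; only the documented NFTables.Sysctl.Network calls are used.
  alias NFTables.Sysctl.Network

  # Illustrative floor for nf_conntrack_max; a busy NAT gateway exhausts the
  # default table quickly and then silently drops new flows.
  @min_conntrack 131072

  @doc "Harden, configure routing, then verify; returns :ok or {:error, reason}."
  def apply(pid) do
    # Order matters: harden_security/1 enables SYN cookies and disables send
    # redirects, so configure_router/2 is called afterwards with the same values
    # to avoid undoing them. Note that harden_security_ipv4/1 enables reverse
    # path filtering, which drops traffic on asymmetrically routed links.
    with :ok <- Network.harden_security(pid),
         :ok <-
           Network.configure_router(pid,
             ipv4_forwarding: true,
             ipv6_forwarding: false,
             syncookies: true,
             send_redirects: false
           ),
         {:ok, true} <- Network.ipv4_forwarding_enabled?(pid),
         :ok <- ensure_conntrack_capacity(pid) do
      :ok
    else
      # Forwarding read back as disabled: the write did not take effect.
      {:ok, false} -> {:error, :ipv4_forwarding_not_applied}
      {:error, reason} -> {:error, reason}
    end
  end

  # Only raise conntrack_max; never lower a value an operator already tuned upward.
  defp ensure_conntrack_capacity(pid) do
    case Network.get_conntrack_max(pid) do
      {:ok, current} when current >= @min_conntrack -> :ok
      {:ok, _too_low} -> Network.set_conntrack_max(pid, @min_conntrack)
      {:error, _reason} = error -> error
    end
  end
end
```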