NFTables.Sysctl (NFTables v0.8.2)

View Source

Manage Linux network sysctl parameters via /proc/sys/net/*.

This module provides safe read/write operations for network-related sysctl parameters. All operations require CAP_NET_ADMIN capability.

Security

  • Parameter whitelist enforced by port (no arbitrary file access)
  • Value validation per parameter type
  • Limited to /proc/sys/net/* only
  • Uses existing CAP_NET_ADMIN capability

Supported Parameters

IPv4 Core

  • net.ipv4.ip_forward - IP forwarding (0/1)
  • net.ipv4.conf.all.forwarding - Enable forwarding on all interfaces
  • net.ipv4.conf.default.forwarding - Default forwarding for new interfaces

IPv4 TCP

  • net.ipv4.tcp_syncookies - SYN cookie protection (0/1)
  • net.ipv4.tcp_timestamps - TCP timestamps (0/1)
  • net.ipv4.tcp_tw_reuse - Reuse TIME-WAIT sockets (0/1)
  • net.ipv4.tcp_fin_timeout - FIN timeout in seconds
  • net.ipv4.tcp_keepalive_time - Keepalive time in seconds
  • net.ipv4.tcp_keepalive_probes - Number of keepalive probes
  • net.ipv4.tcp_keepalive_intvl - Keepalive interval in seconds
  • net.ipv4.ip_local_port_range - Local port range (format: "min max")

IPv6

  • net.ipv6.conf.all.forwarding - IPv6 forwarding
  • net.ipv6.conf.default.forwarding - Default IPv6 forwarding

Netfilter / Connection Tracking

  • net.netfilter.nf_conntrack_max - Max conntrack entries
  • net.netfilter.nf_conntrack_tcp_timeout_established - TCP established timeout
  • net.netfilter.nf_conntrack_tcp_timeout_time_wait - TCP TIME-WAIT timeout
  • net.netfilter.nf_conntrack_tcp_timeout_close_wait - TCP CLOSE-WAIT timeout
  • net.netfilter.nf_conntrack_tcp_timeout_fin_wait - TCP FIN-WAIT timeout
  • net.nf_conntrack_max - Same as above (kernel alias)

ICMP

  • net.ipv4.icmp_echo_ignore_all - Ignore all ping requests (0/1)
  • net.ipv4.icmp_echo_ignore_broadcasts - Ignore broadcast pings (0/1)
  • net.ipv4.icmp_ratelimit - ICMP rate limit

IPv4 Security

  • net.ipv4.conf.all.rp_filter - Reverse path filtering
  • net.ipv4.conf.default.rp_filter - Default reverse path filtering
  • net.ipv4.conf.all.accept_source_route - Accept source routed packets
  • net.ipv4.conf.default.accept_source_route - Default accept source route
  • net.ipv4.conf.all.send_redirects - Send ICMP redirects
  • net.ipv4.conf.default.send_redirects - Default send redirects
  • net.ipv4.conf.all.accept_redirects - Accept ICMP redirects
  • net.ipv4.conf.default.accept_redirects - Default accept redirects

IPv6 Security

  • net.ipv6.conf.all.accept_redirects - Accept ICMP redirects
  • net.ipv6.conf.default.accept_redirects - Default accept redirects
  • net.ipv6.conf.all.accept_source_route - Accept source routed packets
  • net.ipv6.conf.default.accept_source_route - Default accept source route

Examples

# Get current IP forwarding setting
{:ok, "0"} = NFTables.Sysctl.get(pid, "net.ipv4.ip_forward")

# Enable IP forwarding
:ok = NFTables.Sysctl.set(pid, "net.ipv4.ip_forward", "1")

# Configure connection tracking
:ok = NFTables.Sysctl.set(pid, "net.netfilter.nf_conntrack_max", "131072")

# Set local port range
:ok = NFTables.Sysctl.set(pid, "net.ipv4.ip_local_port_range", "32768 60999")

Error Handling

  • {:error, reason} - Parameter not in whitelist, not found, or invalid value
  • Port validates all parameters and values before applying changes

Summary

Functions

get(pid_or_opts, parameter)

Get a sysctl parameter value.

get!(pid_or_opts, parameter)

Get a sysctl parameter value, raising on error.

set(pid_or_opts, parameter, value)

Set a sysctl parameter value.

set!(pid_or_opts, parameter, value)

Set a sysctl parameter value, raising on error.

Functions

get(pid_or_opts, parameter)

@spec get(pid() | keyword(), String.t()) :: {:ok, String.t()} | {:error, term()}

Get a sysctl parameter value.

Parameters

  • pid_or_opts - NFTables process pid or keyword list with :pid key
  • parameter - Sysctl parameter name (e.g., "net.ipv4.ip_forward")

Returns

  • {:ok, value} - Parameter value as string
  • {:error, reason} - Error message

Examples

{:ok, "1"} = NFTables.Sysctl.get(pid, "net.ipv4.ip_forward")
{:ok, "131072"} = NFTables.Sysctl.get(pid, "net.netfilter.nf_conntrack_max")

get!(pid_or_opts, parameter)

@spec get!(pid() | keyword(), String.t()) :: String.t()

Get a sysctl parameter value, raising on error.

Parameters

  • pid_or_opts - NFTables process pid or keyword list with :pid key
  • parameter - Sysctl parameter name

Returns

Parameter value as string, or raises on error.

Examples

"1" = NFTables.Sysctl.get!(pid, "net.ipv4.ip_forward")

set(pid_or_opts, parameter, value)

@spec set(pid() | keyword(), String.t(), String.t()) :: :ok | {:error, term()}

Set a sysctl parameter value.

Parameters

  • pid_or_opts - NFTables process pid or keyword list with :pid key
  • parameter - Sysctl parameter name (e.g., "net.ipv4.ip_forward")
  • value - New value as string

Returns

  • :ok - Parameter successfully set
  • {:error, reason} - Error message

Examples

:ok = NFTables.Sysctl.set(pid, "net.ipv4.ip_forward", "1")
:ok = NFTables.Sysctl.set(pid, "net.ipv4.tcp_syncookies", "1")
:ok = NFTables.Sysctl.set(pid, "net.ipv4.ip_local_port_range", "32768 60999")

set!(pid_or_opts, parameter, value)

@spec set!(pid() | keyword(), String.t(), String.t()) :: :ok

Set a sysctl parameter value, raising on error.

Parameters

  • pid_or_opts - NFTables process pid or keyword list with :pid key
  • parameter - Sysctl parameter name
  • value - New value as string

Returns

:ok or raises on error.

Examples

:ok = NFTables.Sysctl.set!(pid, "net.ipv4.ip_forward", "1")