Jan De Landtsheer 0294700023
Fix IO safety violation: use into_raw_fd() to transfer socket ownership
The nix crate's socket::socket() returns an OwnedFd which automatically
closes the file descriptor when dropped. However, socket_close_wrapper()
also manually closes the fd via nix::unistd::close().

This causes a double-close issue that triggers Rust's IO safety checks
in recent Rust versions (1.85+), resulting in:
  "fatal runtime error: IO Safety violation: owned file descriptor
   already closed"

Fix by using into_raw_fd() instead of as_raw_fd() when passing to
socket_close_wrapper(). This transfers ownership of the fd so the
OwnedFd doesn't try to close it when dropped.

Affected functions:
- Batch::send() in batch.rs
- list_objects_with_data() in query.rs
2026-02-05 05:04:51 +01:00
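The double-close described in the commit message above, reproduced as an added example (not rustables' own code). It uses only the standard library: `UnixDatagram::unbound()` stands in for nix's `socket::socket()`, which likewise hands back an `OwnedFd`, and `socket_close_wrapper()` is a hypothetical stand-in for the project's wrapper around `nix::unistd::close()`, implemented here by rebuilding an `OwnedFd` and dropping it. `fd_is_open()` probes descriptor state through a duplicate attempt so the single close can be verified without a second raw `close()` call.

```rust
use std::io;
use std::os::fd::{AsRawFd, BorrowedFd, FromRawFd, IntoRawFd, OwnedFd, RawFd};
use std::os::unix::net::UnixDatagram;

/// Stand-in for nix::unistd::close() (assumption: std only, no nix crate).
/// It takes a raw descriptor the caller *owns* and closes it exactly once by
/// rebuilding an OwnedFd and letting its destructor run.
fn socket_close_wrapper(fd: RawFd) {
    // SAFETY: by contract the caller has transferred ownership of `fd` and
    // will not close it again; see send_and_close_fixed().
    drop(unsafe { OwnedFd::from_raw_fd(fd) });
}

/// Stand-in for nix's socket(): any std socket converts into an OwnedFd.
/// UnixDatagram::unbound() needs no network setup, so it works offline.
fn open_socket() -> io::Result<OwnedFd> {
    Ok(OwnedFd::from(UnixDatagram::unbound()?))
}

/// Probe whether `fd` is still open by trying to duplicate it
/// (fcntl F_DUPFD_CLOEXEC under the hood); EBADF means it is closed.
fn fd_is_open(fd: RawFd) -> bool {
    // SAFETY: borrow_raw creates a non-owning view; if `fd` is already closed
    // the dup simply fails, and the view closes nothing when it goes away.
    let view = unsafe { BorrowedFd::borrow_raw(fd) };
    view.try_clone_to_owned().is_ok() // the duplicate is closed on drop
}

/// BUGGY shape described in the commit: as_raw_fd() only lends the number,
/// so `sock` still owns the fd and its destructor closes it a second time.
/// On Rust 1.85+ with debug assertions this aborts with
/// "IO Safety violation: owned file descriptor already closed"; on older
/// toolchains it silently closes whatever fd reused that number.
/// Shown for comparison only; it is never called.
#[allow(dead_code)]
fn send_and_close_buggy() -> io::Result<()> {
    let sock = open_socket()?;
    socket_close_wrapper(sock.as_raw_fd()); // first close
    Ok(()) // `sock` is dropped here: second close of the same fd
}

/// FIXED shape: into_raw_fd() consumes the OwnedFd, so no destructor runs
/// later and the wrapper is the only closer. Returns the raw number so the
/// caller can verify the descriptor is gone.
fn send_and_close_fixed() -> io::Result<RawFd> {
    let sock = open_socket()?;
    // ... netlink send/recv would use `sock` here ...
    let raw = sock.into_raw_fd(); // ownership leaves `sock`; no drop later
    socket_close_wrapper(raw); // single close
    Ok(raw)
}

fn main() -> io::Result<()> {
    // OwnedFd alone: open while held, closed once when dropped.
    let sock = open_socket()?;
    let raw = sock.as_raw_fd();
    assert!(fd_is_open(raw));
    drop(sock);
    assert!(!fd_is_open(raw));

    // Ownership transfer: the wrapper closes, nothing closes again.
    let raw = send_and_close_fixed()?;
    assert!(!fd_is_open(raw));
    println!("fd {raw} closed exactly once via ownership transfer");
    Ok(())
}
```

The rule the example enforces is the one the commit applies: whichever side calls `close()` must hold ownership, so a raw fd obtained with `as_raw_fd()` may only be borrowed, while one obtained with `into_raw_fd()` is the caller's to close. Running the buggy function under a debug build of Rust 1.85 or newer reproduces the abort quoted in the commit message.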
nix switch to a cargo workspace hierarchy 2023-10-18 22:00:41 +02:00
rustables Fix IO safety violation: use into_raw_fd() to transfer socket ownership 2026-02-05 05:04:51 +01:00
rustables-macros Bump rustables to 0.8.5 2024-10-10 23:17:44 +02:00
.gitattributes switch to rust:alpine docker image with ci fix 2021-10-20 22:51:35 +02:00
.gitignore version bump + prepare the crate for publication on crates.io 2023-01-09 19:47:07 +01:00
.gitlab-ci.yml CI: remove the unused cache 2023-01-08 14:08:48 +01:00
Cargo.toml switch to a cargo workspace hierarchy 2023-10-18 22:00:41 +02:00
CHANGELOG.md Release rustables 0.8.7 2025-07-13 12:39:42 +02:00
LICENSE Add GPLv3 LICENSE 2021-10-18 21:04:11 +00:00
ORIGINAL-LICENSE-APACHE Release rustables 0.8.7 2025-07-13 12:39:42 +02:00
ORIGINAL-LICENSE-MIT Release rustables 0.8.7 2025-07-13 12:39:42 +02:00
README.md Readme: add some badges 2023-10-18 22:24:35 +02:00
rustfmt.toml Bump libc dependency to the *actual* lowest required 2020-06-04 17:49:09 +02:00

rustables


Safe abstraction for userspace access to the in-kernel nf_tables subsystem. Can be used to create and remove tables, chains, sets and rules from the nftables firewall, the successor to iptables.

This library is a fork of the nftnl-rs crate. Let us thank here the original project team for their great work without which this library would probably not exist today.

This library currently has quite a few rough edges and does not make adding and removing netfilter entries especially easy or elegant. That is partly because the library needs more work, but also partly because nftables is very low level and extremely customizable, which makes it hard, and probably wrong, to try to create an overly simple or limited wrapper. See the examples for inspiration.

Understanding the netlink subsystem and implementing this crate was mostly done by reading the source code of the nftables userspace program and the corresponding kernel code, as well as by attaching debuggers to the nft binary. Since the implementation is largely based on trial and error, there may of course be a number of places where the forged netlink messages are used in an invalid or unintended way. Contributions are welcome!

Licensing

License: GNU GPLv3

Original work licensed by Amagicom AB under MIT/Apache-2.0.