Background
The idea originated in https://progress.opensuse.org/issues/164060: in the openSUSE infrastructure, using fail2ban on backend machines to ban IP networks generating malicious traffic was deemed not efficient, as it would neither stop the traffic from passing through the network nor synchronize across clusters. A better approach would be for backend machines to trigger the ban on our core firewalls. Since these are security sensitive machines, however, I did not want to hack together some scripts and allow backend machines (which run applications processing user input from the internet) to trigger shell commands on our firewalls - a controlled remote interface to nftables would not only be more secure, but also a much more versatile approach. Unfortunately, such an interface did not seem to exist, but creating one with a RESTful API which translates authorized HTTP requests into nftables operations seemed feasible - especially with libnftables-json(5).
Originally, I started developing such an interface in Go, utilizing https://github.com/google/nftables. The conversion of string networks to nftables set elements was problematic (unfortunately I kept no record of the details), and I started a second attempt in Python, which made the interaction much simpler thanks to the native nftables Python bindings.
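The translation layer described above, sketched as an added example that is not code from the project or its author: client-supplied network strings are validated with the standard library and turned into libnftables JSON set elements, and the resulting command documents are only handed to libnftables through the official Python binding, never to a shell. The table family, table name and set name (`inet`, `filter`, `blocklist`) are assumptions, as is a set of type `ipv4_addr` with the `interval` flag; the sample listing is constructed to look like `list set` output.

```python
"""Build libnftables JSON commands for set element updates from untrusted
string input. Assumed (hypothetical) target: set 'blocklist' in table
'inet filter', type ipv4_addr, flags interval."""
import ipaddress

FAMILY = "inet"          # assumed table family
TABLE = "filter"         # assumed table name
SET_NAME = "blocklist"   # assumed set name


def network_to_elem(text):
    """Convert one client-supplied string into a libnftables JSON set element.

    Raises ValueError for anything that is not a valid IPv4 host or prefix,
    so malformed or hostile input never reaches nftables at all. A /32 is
    emitted as a plain address string, anything shorter as a prefix object.
    """
    net = ipaddress.ip_network(text.strip(), strict=False)
    if net.version != 4:
        raise ValueError("set %s holds IPv4 elements only" % SET_NAME)
    if net.prefixlen == 32:
        return str(net.network_address)
    return {"prefix": {"addr": str(net.network_address), "len": net.prefixlen}}


def _element_cmd(verb, networks):
    # Reject the whole request if any single element is invalid.
    elems = [network_to_elem(n) for n in networks]
    return {"nftables": [{verb: {"element": {
        "family": FAMILY, "table": TABLE, "name": SET_NAME, "elem": elems}}}]}


def add_elements_cmd(networks):
    """JSON equivalent of 'nft add element inet filter blocklist { ... }'."""
    return _element_cmd("add", networks)


def delete_elements_cmd(networks):
    """JSON equivalent of 'nft delete element inet filter blocklist { ... }'."""
    return _element_cmd("delete", networks)


def list_set_cmd():
    """JSON equivalent of 'nft list set inet filter blocklist'."""
    return {"nftables": [{"list": {"set": {
        "family": FAMILY, "table": TABLE, "name": SET_NAME}}}]}


def elements_from_listing(output):
    """Extract the elements of our set from parsed 'list set' output as CIDR
    strings, ignoring the metainfo object and any other sets in the output."""
    found = []
    for obj in output.get("nftables", []):
        s = obj.get("set")
        if not s or s.get("name") != SET_NAME or s.get("table") != TABLE:
            continue
        for elem in s.get("elem", []):
            if isinstance(elem, dict) and "prefix" in elem:
                found.append("%s/%d" % (elem["prefix"]["addr"], elem["prefix"]["len"]))
            elif isinstance(elem, str):
                found.append(elem + "/32")
    return found


def run(cmd):
    """Execute a JSON command through the nftables Python binding.

    Needs the 'nftables' module from the nftables sources and CAP_NET_ADMIN,
    so it is kept out of the pure translation functions above. json_cmd()
    returns (rc, output, error); output is the parsed JSON reply when any.
    """
    import nftables
    nft = nftables.Nftables()
    nft.set_json_output(True)
    rc, output, error = nft.json_cmd(cmd)
    if rc != 0:
        raise RuntimeError("nftables error: %s" % error)
    return output


# Constructed sample of what 'list set' returns for the assumed set.
SAMPLE_LISTING = {"nftables": [
    {"metainfo": {"version": "1.0.9", "release_name": "Old Doc Yak #3",
                  "json_schema_version": 1}},
    {"set": {"family": FAMILY, "name": SET_NAME, "table": TABLE,
             "type": "ipv4_addr", "handle": 7, "flags": ["interval"],
             "elem": [{"prefix": {"addr": "192.0.2.0", "len": 24}},
                      "198.51.100.7"]}},
]}

if __name__ == "__main__":
    print(add_elements_cmd(["192.0.2.0/24", "198.51.100.7"]))
    print(elements_from_listing(SAMPLE_LISTING))
```

Keeping the translation functions free of any nftables dependency is what makes them testable in CI without root, which is also the point of the project's container-based test setup; only `run()` touches the kernel.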
Goals
- Find and track the issue with google/nftables
- Revisit and polish the Python code
- Finish functionality to interact with nftables sets (retrieving and updating elements), which are the primary interest
- Structure the API paths in a way to allow for coverage of other nftables functionality in the future, without having to break sets
- Make the test suite useful
Non-goals
- finishing the client library
- making fail2ban/sshguard plugins utilizing the client
Resources
- https://git.netfilter.org/nftables/tree/py/src/nftables.py
- https://git.com.de/Georg/nftables-http-api (to be moved to GitHub)
- https://build.opensuse.org/package/show/home:crameleon:containers/pytest-nftables-container
This project is part of:
Hack Week 25