Rename FILTER type to DROP for firewall rules #47

Merged
arloor merged 8 commits into master from copilot/add-filter-drop-capability
Feb 1, 2026

Contributor

Copilot AI commented Feb 1, 2026

Renames the FILTER type to DROP throughout the codebase for improved clarity - the rules drop packets, not just filter them.

Changes

Type system

  • Enum variant: NftCell::Filter → NftCell::Drop
  • Serde annotation: #[serde(rename = "filter")] → #[serde(rename = "drop")]
  • Parser: accepts DROP instead of FILTER in legacy format
  • Function naming: build_filter_rule() → build_drop_rule()

Configuration formats

TOML:

[[rules]]
type = "drop"  # was "filter"
chain = "input"
src_ip = "192.168.1.1"

Legacy:

DROP,input,src_ip=192.168.1.1,all,ipv4  # was FILTER,input,...

Documentation

  • Updated README examples and format descriptions
  • Updated inline comments and test names
  • Display headers in nat-console

All 26 tests pass. No functional changes - purely a rename for better semantics.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.asddddddddddddddddddddaasdasdasdasdasdasadasads.com
  • www.google.com


Copilot AI changed the title [WIP] Add filter drop capability for firewall functionality Add filter drop capability for firewall functionality Feb 1, 2026
Copilot AI requested a review from arloor February 1, 2026 09:51
validate_port(*src_port)?;
validate_port(*dst_port)?;
}
NftCell::Filter {
Owner


Need to check whether the source IP and destination IP correspond to the IP version.

Contributor Author


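Added thorough IP address and version checking using the ipnetwork library. It now verifies:

  1. Whether the IP address format is valid (CIDR notation such as 192.168.1.0/24 is supported)
  2. Whether the source IP/destination IP matches the specified IP version
  3. Provides clear error messages

Related commit: 2d9fcbb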
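
The check requested in the review above, sketched as an added example; this is not the code from commit 2d9fcbb or from the project. It uses only `std::net` instead of the ipnetwork crate, and `IpVersion`, `validate_ip_for_version` and `validate_drop_rule` are hypothetical names.

```rust
use std::net::IpAddr;

/// IP version a rule is declared for (hypothetical type, not the project's own).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum IpVersion { V4, V6 }

/// Check one address or CIDR (e.g. "192.168.1.0/24") against the rule's IP version.
pub fn validate_ip_for_version(field: &str, value: &str, want: IpVersion) -> Result<(), String> {
    let (addr_part, prefix_part) = match value.split_once('/') {
        Some((a, p)) => (a, Some(p)),
        None => (value, None),
    };
    let addr: IpAddr = addr_part
        .parse()
        .map_err(|_| format!("{}: '{}' is not a valid IP address", field, value))?;
    let (got, max_prefix) = match addr {
        IpAddr::V4(_) => (IpVersion::V4, 32u8),
        IpAddr::V6(_) => (IpVersion::V6, 128u8),
    };
    if let Some(p) = prefix_part {
        // Digits only: integer parsing would otherwise accept a leading '+'.
        let digits = p.bytes().all(|b| b.is_ascii_digit());
        match p.parse::<u8>() {
            Ok(n) if digits && n <= max_prefix => {}
            _ => return Err(format!("{}: bad prefix length in '{}'", field, value)),
        }
    }
    if got != want {
        return Err(format!("{}: '{}' is {:?} but the rule is {:?}", field, value, got, want));
    }
    Ok(())
}

/// Validate the optional src_ip / dst_ip of a drop rule before any nftables rule is built.
pub fn validate_drop_rule(src_ip: Option<&str>, dst_ip: Option<&str>, want: IpVersion) -> Result<(), String> {
    if let Some(s) = src_ip { validate_ip_for_version("src_ip", s, want)?; }
    if let Some(d) = dst_ip { validate_ip_for_version("dst_ip", d, want)?; }
    Ok(())
}

fn main() {
    // Constructed sample rules: (src_ip, dst_ip, declared version).
    let rules = [
        (Some("192.168.1.1"), None, IpVersion::V4),
        (Some("192.168.1.0/24"), Some("2001:db8::1"), IpVersion::V4),
        (Some("10.0.0.0/33"), None, IpVersion::V4),
    ];
    for &(src, dst, ver) in rules.iter() {
        println!("{:?} {:?} {:?} -> {:?}", src, dst, ver, validate_drop_rule(src, dst, ver));
    }
}
```

Rejecting the mismatch at parse time means a drop rule whose address family differs from its declared version fails loudly instead of producing a rule that is invalid or never matches.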

Copilot AI changed the title Add filter drop capability for firewall functionality Rename FILTER type to DROP for firewall rules Feb 1, 2026
@arloor arloor marked this pull request as ready for review February 1, 2026 10:45
@arloor arloor merged commit 425c25c into master Feb 1, 2026
1 check passed