Lua binding for libnftables

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: lneto

.github/workflows/ldoc.yml

@@ -0,0 +1,40 @@
+name: LDoc
+
+on:
+  push:
+    branches: [master]
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: true
+
+jobs:
+  ldoc:
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y lua5.4 luarocks
+          sudo luarocks install ldoc
+
+      - name: Generate documentation
+        run: ldoc .
+
+      - uses: actions/configure-pages@v5
+      - uses: actions/upload-pages-artifact@v3
+        with:
+          path: doc
+      - uses: actions/deploy-pages@v4
+        id: deployment
+

.gitignore

@@ -0,0 +1,2 @@
+*.so
+*.swp

LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2026 Ring Zero Desenvolvimento de Software LTDA
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

Makefile

@@ -0,0 +1,21 @@
+LUA_VERSION ?= $(shell for v in 5.5 5.4; do pkg-config --exists lua$$v 2>/dev/null && echo $$v && break; done)
+
+LUA_INC  ?= $(shell pkg-config --cflags lua$(LUA_VERSION) 2>/dev/null || echo -I/usr/include/lua$(LUA_VERSION))
+NFT_INC  ?= $(shell pkg-config --cflags libnftables 2>/dev/null)
+NFT_LIB  ?= $(shell pkg-config --libs libnftables 2>/dev/null || echo -lnftables)
+CFLAGS   ?= -O2 -Wall -Wextra -fPIC
+LDFLAGS  ?= -shared
+
+LUA_CMOD ?= /usr/local/lib/lua/$(LUA_VERSION)
+
+nftables.so: luanftables.c
+	$(CC) $(CFLAGS) $(LUA_INC) $(NFT_INC) -o $@ $< $(LDFLAGS) $(NFT_LIB)
+
+install: nftables.so
+	install -D -m 0755 $< $(DESTDIR)$(LUA_CMOD)/$<
+
+clean:
+	rm -f nftables.so
+
+.PHONY: install clean
+

README.md

@@ -0,0 +1,151 @@
+# luanftables
+
+Lua binding for [libnftables](https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources).
+
+[API Documentation](https://ring0networks.github.io/luanftables/)
+
+## Build
+
+Requires `libnftables-dev` and Lua (>= 5.4) headers.
+
+```
+sudo apt install libnftables-dev lua5.4 liblua5.4-dev
+make
+sudo make install
+```
+
+The build auto-detects the Lua version via `pkg-config` (prefers 5.5, falls back to 5.4).
+To override: `make LUA_VERSION=5.4`.
+
+## Usage
+
+```lua
+local nft = require("nftables")
+local ctx <close> = nft.new()
+
+-- run nftables commands
+local output, err = ctx:cmd("add table bridge dome")
+local output, err = ctx:cmd("list ruleset")
+
+-- run commands from file
+local output, err = ctx:run("rules.nft")
+
+-- multiple commands (atomic)
+ctx:cmd("add table bridge dome\nadd chain bridge dome filter")
+
+-- output flags
+ctx:output("json", true)       -- JSON output (and input)
+ctx:output("handle", true)     -- include handles in output
+ctx:output("stateless", true)  -- omit counters/quotas
+ctx:output("terse", true)      -- omit set element contents
+ctx:output("echo", true)       -- print changes after commit
+
+print(ctx:output("json"))      -- true
+
+-- input flags
+ctx:input("nodns", true)       -- no DNS lookups during parsing
+ctx:input("json", true)        -- accept JSON input
+
+-- boolean flags
+ctx:dryrun(true)               -- validate without applying
+ctx:optimize(true)             -- optimize ruleset (nft -o)
+
+print(ctx:dryrun())            -- true
+
+-- variables (accessible as $key in nft scripts)
+ctx:var("IFACE=br-lan")
+ctx:clear_vars()
+
+-- include paths (for nft include directives)
+ctx:include("/etc/nft/")
+ctx:clear_includes()
+
+-- close (also via <close> or __gc)
+ctx:close()
+```
+
+## JSON
+
+```lua
+local nft = require("nftables")
+local ctx <close> = nft.new()
+
+-- create a table and chain
+ctx:cmd("add table bridge dome")
+ctx:cmd("add chain bridge dome filter { type filter hook forward priority 0; }")
+
+-- list ruleset as JSON
+ctx:output("json", true)
+local json = ctx:cmd("list table bridge dome")
+print(json)
+
+-- submit JSON input
+ctx:input("json", true)
+ctx:cmd([[{"nftables": [
+    {"add": {"rule": {
+        "family": "bridge", "table": "dome", "chain": "filter",
+        "expr": [
+            {"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}},
+                        "op": "==", "right": 443}},
+            {"counter": null}
+        ]
+    }}}
+]}]])
+```
+
+## Error handling
+
+`ctx:cmd()` and `ctx:run()` return the output string on success, or `nil` +
+error message on failure.
+
+```lua
+local output, err = ctx:cmd("delete table bridge nonexistent")
+if not output then
+    print("error: " .. err)
+end
+```
+
+## Flags
+
+Each flag group has its own method. Call with a value to set, without to get.
+The module also exports flag constants for reference.
+
+| Method | Flags |
+|--------|-------|
+| `ctx:output(name [, bool])` | `reversedns`, `service`, `stateless`, `handle`, `json`, `echo`, `guid`, `numeric_proto`, `numeric_prio`, `numeric_symbol`, `numeric_time`, `terse` |
+| `ctx:input(name [, bool])` | `nodns`, `json` |
+| `ctx:debug(name [, bool])` | `scanner`, `parser`, `evaluation`, `netlink`, `mnl`, `proto_ctx`, `segtree` |
+| `ctx:dryrun([bool])` | validate without applying |
+| `ctx:optimize([bool])` | optimize ruleset |
+
+Constants: `nft.output`, `nft.input`, `nft.debug`.
+
+## API
+
+| Method | Description |
+|--------|-------------|
+| `nft.new()` | Create a new nftables context |
+| `ctx:cmd(str)` | Execute nftables command(s) from string |
+| `ctx:run(file)` | Execute nftables commands from file |
+| `ctx:output(name [, bool])` | Get/set output flag |
+| `ctx:input(name [, bool])` | Get/set input flag |
+| `ctx:debug(name [, bool])` | Get/set debug flag |
+| `ctx:dryrun([bool])` | Get/set dry-run mode |
+| `ctx:optimize([bool])` | Get/set optimization |
+| `ctx:var(kv)` | Define a variable (`"key=value"`) |
+| `ctx:clear_vars()` | Remove all variables |
+| `ctx:include(path)` | Add an include search path |
+| `ctx:clear_includes()` | Remove all include paths |
+| `ctx:close()` | Free the context (idempotent) |
+
+## Requirements
+
+- Lua >= 5.4
+- libnftables (runtime)
+- libnftables-dev (build)
+- Root or `CAP_NET_ADMIN` to execute nftables commands
+
+## License
+
+MIT
+

config.ld

@@ -0,0 +1,9 @@
+project = "luanftables"
+title = "luanftables — Lua binding for libnftables"
+description = "Programmatic access to nftables via the libnftables C library."
+file = {"luanftables.c"}
+dir = "doc"
+format = "markdown"
+backtick_references = true
+sort = true
+

example.lua

@@ -0,0 +1,11 @@
+local nft = require("nftables")
+local ctx <close> = nft.new()
+
+assert(ctx:cmd([[
+add table bridge teste
+add chain bridge teste input { type filter hook input priority 0; }
+add rule bridge teste input tcp dport 443 counter
+]]))
+
+print(ctx:cmd("list table bridge teste"))
+

example_json.lua

@@ -0,0 +1,32 @@
+local nft = require("nftables")
+local ctx <close> = nft.new()
+
+-- create table and chain
+assert(ctx:cmd([[
+add table bridge teste_json
+add chain bridge teste_json filter { type filter hook forward priority 0; }
+add rule bridge teste_json filter tcp dport 443 counter
+]]))
+
+-- list as JSON
+ctx:output("json", true)
+local json = assert(ctx:cmd("list table bridge teste_json"))
+print("=== JSON output ===")
+print(json)
+
+-- delete and recreate from JSON input
+ctx:output("json", false)
+ctx:cmd("delete table bridge teste_json")
+
+ctx:input("json", true)
+assert(ctx:cmd(json))
+ctx:input("json", false)
+
+-- verify it's back
+local out = assert(ctx:cmd("list table bridge teste_json"))
+print("\n=== after JSON roundtrip ===")
+print(out)
+
+-- cleanup
+ctx:cmd("delete table bridge teste_json")
+