Module nftables
Lua binding for libnftables.
Functions
| Function | Description |
| --- | --- |
| clear_includes () | Remove all include search paths. |
| clear_vars () | Remove all defined variables. |
| close () | Close the nftables context and free resources. |
| cmd (command) | Execute nftables command(s) from a string. |
| debug (name[, value]) | Get or set a debug flag. |
| dryrun ([value]) | Get or set dry-run mode. |
| include (path) | Add an include search path for nft scripts. |
| input (name[, value]) | Get or set an input flag. |
| new () | Create a new nftables context. |
| optimize ([value]) | Get or set ruleset optimization. |
| output (name[, value]) | Get or set an output flag. |
| run (filename) | Execute nftables commands from a file. |
| var (kv) | Define a variable accessible as $key in nft scripts. |
Functions
- clear_includes ()
  Remove all include search paths.
- clear_vars ()
  Remove all defined variables.
- close ()
  Close the nftables context and free resources.
  Idempotent: safe to call multiple times. Also called automatically via __gc and __close.
- cmd (command)
  Execute nftables command(s) from a string.
  Multiple commands can be separated by newlines and are applied atomically.
  Parameters:
  - command (string): nftables command(s)
  Returns:
  - string: output on success
  Or:
  - nil
  - string: error message
  Usage:
    local out, err = ctx:cmd("add table bridge dome")
    ctx:cmd("add table bridge dome\nadd chain bridge dome filter")
- debug (name[, value])
  Get or set a debug flag.
  Flags: scanner, parser, evaluation, netlink, mnl, proto_ctx, segtree.
  Parameters:
  - name (string): flag name
  - value (bool, optional): set the flag if provided
  Returns:
  - bool: current value (when getting)
- dryrun ([value])
  Get or set dry-run mode.
  When enabled, commands are parsed and validated but not applied.
  Parameters:
  - value (bool, optional): set the mode if provided
  Returns:
  - bool: current value (when getting)
- include (path)
  Add an include search path for nft scripts.
  Parameters:
  - path (string): directory path
- input (name[, value])
  Get or set an input flag.
  Flags: nodns, json.
  Parameters:
  - name (string): flag name
  - value (bool, optional): set the flag if provided
  Returns:
  - bool: current value (when getting)
  Usage:
    ctx:input("nodns", true)
- new ()
  Create a new nftables context.
  Output and error buffering are enabled automatically.
  Returns:
  - context: nftables context (supports <close>)
  Usage:
    local nft = require("nftables")
    local ctx <close> = nft.new()
- optimize ([value])
  Get or set ruleset optimization.
  When enabled, nftables performs a two-pass operation: it validates in dry-run,
  then optimizes (e.g., collapsing linear rules into sets) before committing.
  Parameters:
  - value (bool, optional): set the mode if provided
  Returns:
  - bool: current value (when getting)
- output (name[, value])
  Get or set an output flag.
  Flags: reversedns, service, stateless, handle, json, echo, guid, numeric_proto, numeric_prio, numeric_symbol, numeric_time, terse.
  Parameters:
  - name (string): flag name
  - value (bool, optional): set the flag if provided
  Returns:
  - bool: current value (when getting)
  Usage:
    ctx:output("json", true)
    print(ctx:output("json")) -- true
- run (filename)
  Execute nftables commands from a file.
  Parameters:
  - filename (string): path to nftables script
  Returns:
  - string: output on success
  Or:
  - nil
  - string: error message
- var (kv)
  Define a variable accessible as $key in nft scripts.
  Parameters:
  - kv (string): variable in "key=value" format
  Usage:
    ctx:var("IFACE=br-lan")
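The following is an added worked example, not part of the module's own documentation: it combines var, input, dryrun, cmd and output to validate a ruleset before committing it, so a syntax error never leaves the firewall half-loaded. It assumes Lua 5.4 (for the <close> attribute), a running kernel that accepts the constructed rules, and the table name lan_filter, which is chosen here for illustration.

```lua
-- Added example (not from the module's docs): validate a ruleset in dry-run
-- mode, then apply it atomically and read the result back as JSON.
-- Assumes Lua 5.4 (<close>) and the nftables binding documented above.
local nftables = require("nftables")

-- Apply `script` with variables from `vars` (e.g. { IFACE = "br-lan" }).
-- Returns the JSON listing of the table on success, or nil plus an error.
local function load_ruleset(script, vars)
  local ctx <close> = nftables.new()   -- closed automatically on scope exit
  ctx:input("nodns", true)             -- no DNS lookups while parsing rules
  for key, value in pairs(vars or {}) do
    ctx:var(key .. "=" .. value)       -- referenced as $key inside the script
  end

  -- Pass 1: parse and validate only; nothing reaches the kernel.
  ctx:dryrun(true)
  local _, err = ctx:cmd(script)
  if err then
    return nil, "validation failed: " .. err
  end

  -- Pass 2: apply. Newline-separated commands are committed as one batch.
  ctx:dryrun(false)
  local out, apply_err = ctx:cmd(script)
  if not out then
    return nil, "apply failed: " .. apply_err
  end

  -- Read the table back as JSON for logging or auditing.
  ctx:output("json", true)
  return ctx:cmd("list table inet lan_filter")  -- table name is hypothetical
end

-- Constructed sample ruleset: default-drop input policy on $IFACE,
-- allowing loopback, established traffic and SSH.
local script = [[
add table inet lan_filter
add chain inet lan_filter input { type filter hook input priority 0; policy drop; }
add rule inet lan_filter input iif lo accept
add rule inet lan_filter input iifname $IFACE ct state established,related accept
add rule inet lan_filter input iifname $IFACE tcp dport 22 accept
]]

local listing, err = load_ruleset(script, { IFACE = "br-lan" })
if not listing then
  io.stderr:write(err, "\n")
  os.exit(1)
end
print(listing)
```

Because the dry-run pass already parsed the script, the apply pass only fails on kernel-side errors (for example a table that already exists), which the error message from cmd reports.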