Fix nft socket error (#293)

Author: moubctez

Cargo.lock

@@ -1,9 +1,6 @@
 #[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))]
 use std::fs::{File, OpenOptions};
 
-#[cfg(target_os = "linux")]
-use nftnl::Batch;
-
 use super::{FirewallError, FirewallRule, Policy, SnatBinding};
 
 #[cfg(all(
@@ -18,26 +15,31 @@ const DEV_PF: &str = "/dev/null";
 const DEV_PF: &str = "/dev/pf";
 
 #[allow(dead_code)]
-pub struct FirewallApi {
+pub(crate) struct FirewallApi {
     pub(crate) ifname: String,
     #[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))]
     pub(crate) file: File,
     #[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))]
     pub(crate) default_policy: Policy,
     #[cfg(target_os = "linux")]
-    pub(crate) batch: Option<Batch>,
+    pub(crate) socket: mnl::Socket,
 }
 
 impl FirewallApi {
-    pub fn new<S: Into<String>>(ifname: S) -> Result<Self, FirewallError> {
+    pub(crate) fn new<S>(ifname: S) -> Result<Self, FirewallError>
+    where
+        S: Into<String>,
+    {
         Ok(Self {
             ifname: ifname.into(),
             #[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))]
             file: OpenOptions::new().read(true).write(true).open(DEV_PF)?,
             #[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))]
             default_policy: Policy::Deny,
             #[cfg(target_os = "linux")]
-            batch: None,
+            socket: mnl::Socket::new(mnl::Bus::Netfilter).map_err(|err| {
+                FirewallError::NetlinkError(format!("Failed to create socket: {err:?}"))
+            })?,
         })
     }
 }
@@ -51,18 +53,12 @@ pub(crate) trait FirewallManagementApi {
     fn cleanup(&mut self) -> Result<(), FirewallError>;
 
     /// Add firewall rules.
-    fn add_rules(&mut self, rules: Vec<FirewallRule>) -> Result<(), FirewallError>;
+    fn add_rules(&mut self, rules: &[FirewallRule]) -> Result<(), FirewallError>;
 
     /// Setup Network Address Translation using POSTROUTING chain rules
     fn setup_nat(
         &mut self,
         masquerade_enabled: bool,
         snat_bindings: &[SnatBinding],
     ) -> Result<(), FirewallError>;
-
-    /// Begin rule transaction.
-    fn begin(&mut self) -> Result<(), FirewallError>;
-
-    /// Commit rule transaction.
-    fn commit(&mut self) -> Result<(), FirewallError>;
 }

src/enterprise/firewall/api.rs

@@ -24,10 +24,10 @@ pub enum IpAddrRangeError {
 
 impl fmt::Display for IpAddrRangeError {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            Self::MixedTypes => write!(f, "mixed IPv4 and IPv6 addresses"),
-            Self::WrongOrder => write!(f, "wrong order: higher address preceeds lower"),
-        }
+        f.write_str(match self {
+            Self::MixedTypes => "mixed IPv4 and IPv6 addresses",
+            Self::WrongOrder => "wrong order: higher address preceeds lower",
+        })
     }
 }
 

src/enterprise/firewall/iprange.rs

@@ -177,7 +177,7 @@ impl fmt::Display for Protocol {
             Self::Udp => "udp",
             Self::IcmpV6 => "icmp6",
         };
-        write!(f, "{protocol}")
+        f.write_str(protocol)
     }
 }