Thanks to visit codestin.com
Credit goes to github.com

Skip to content
/ nftdnsd Public

Lightweight Go daemon that keeps a Linux nftables set in sync with hostnames.

0 stars 0 forks Branches Tags Activity
Star

erikbos/nftdnsd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 
example-nftdnsd.yaml
example-nftdnsd.yaml
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

nftdnsd — Dynamic Hostname-based nftables updater

nftdnsd is a lightweight Go daemon that keeps a Linux nftables set in sync with hostnames defined in a YAML configuration file. It’s ideal for managing dynamic ACLs where customers or services are identified by DNS names instead of static IP addresses.

✨ Features

  • Reads configuration from YAML and watches the configuration file for live updates
  • Periodically re-resolves all hostnames every 5 minutes
  • Detects and logs:
    • New hostnames added to the config
    • Added and removed IP addresses per hostname
  • Updates nftables atomically using google/nftables
  • Skips nft updates when nothing changed

🧩 Example Configuration

/etc/nftdnsd.yaml

nft:
  table: filter
  set: customer_hosts
entries:
  - name: VIP customer 42
    hostname: client1.example.com
  - name: VPN partnersite
    hostname: vpn.partner.net

⚙️ Installation

Prerequisites

  • Go 1.24 or newer
  • Linux system with nftables (sudo apt install nftables)
  • Appropriate privileges to modify nftables (usually root)

Build

git clone https://github.com/erikbos/nftdnsd.git
cd nftdnsd
go build -o nftdnsd

Run

sudo ./nftdnsd --config /etc/nftdnsd.yaml

You can also configure it as a systemd service:

[Unit]
Description=nftdnsd NFTables Updater
After=network-online.target

[Service]
ExecStart=/usr/local/bin/nftdnsd --config /etc/nftdnsd.yaml
Restart=always

[Install]
WantedBy=multi-user.target

🔍 Logging

nftdnsd logs key events:

2025/10/07 15:00:00 Starting nftdnsd daemon, config=/etc/nftdnsd.yaml
2025/10/07 15:00:00 Resolved 5 IPs for 3 hostnames
2025/10/07 15:00:00 Added IP 203.0.113.10 (vpn.partner.net)
2025/10/07 15:00:00 Removed IP 192.0.2.5 (client1.example.com)
2025/10/07 15:00:00 Updated nft set filter/customer_hosts with 5 IPs

🔒 nftables Setup

Before running nftdnsd, ensure your target nft set exists:

sudo nft add table filter
sudo nft add set filter customer_hosts { type ipv4_addr; flags dynamic; }

Then, reference it in your ruleset:

sudo nft add rule filter input ip saddr @customer_hosts accept

🧠 Notes

  • nftdnsd performs atomic nft updates — the entire set is replaced in one transaction.
  • When using DNS-based access control, ensure hostnames resolve to stable, trusted endpoints.
  • You can extend the YAML config with IPv6 support or per-host options.

📜 Disclaimer

95% generated using Copilot, use at your own risk.

About

Lightweight Go daemon that keeps a Linux nftables set in sync with hostnames.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages