@@ -3,9 +3,8 @@

 package nftabler

 import (

-	"bytes"

 	"context"

-	"os/exec"

+	"fmt"

 	"github.com/containerd/log"

 	"github.com/moby/moby/v2/daemon/libnetwork/drivers/bridge/internal/firewaller"

@@ -25,14 +24,10 @@ func Cleanup(ctx context.Context, config firewaller.Config) {

 }

 func tryCleanup(ctx context.Context, family nftables.Family, label string) {

-	cmd := exec.CommandContext(ctx, "nft", "delete", "table", string(family), dockerTable)

-	out, err := cmd.CombinedOutput()

+	err := nftables.RunCmd(ctx, fmt.Appendf(nil, "delete table %s %s", family, dockerTable))

 	if err != nil {

 		// May not exist ("Error: Could not process rule: No such file or directory")

-		log.G(ctx).WithFields(log.Fields{

-			"error":  err,

-			"output": string(bytes.TrimRight(out, "\n ^")), // remove "^^^^^" added in nft's error message.

-		}).Info("Deleting nftables " + label + " rules")

+		log.G(ctx).WithError(err).Info("Deleting nftables " + label + " rules")

 		return

 	}

@@ -20,6 +20,10 @@ import (

 // #include <nftables/libnftables.h>

 import "C"

+func preflight() error {

+	return nil

+}

+

 type nftCtx C.struct_nft_ctx

 // Apply calls libnftables to execute the nftables commands in nftCmd.

@@ -20,17 +20,37 @@ type nftCtx struct{}

 var lookPathNSEnter = sync.OnceValues(func() (string, error) {

 	return exec.LookPath("nsenter")

 })

+var lookPathNft = sync.OnceValues(func() (string, error) {

+	p, err := exec.LookPath("nft")

+	if err != nil {

+		log.G(context.Background()).WithError(err).Warnf("Failed to find nft tool")

+		return "", fmt.Errorf("failed to find nft tool: %w", err)

+	}

+	return p, nil

+})

+

+func preflight() error {

+	_, err := lookPathNft()

+	return err

+}

 func newNftCtx() (*nftCtx, error) {

-	return *nftCtx{}, nil

+	_, err := lookPathNft()

+	if err != nil {

+		return nil, err

+	}

+	return &nftCtx{}, nil

 }

 func (*nftCtx) Apply(ctx context.Context, nftCmd []byte) error {

 	ctx, span := otel.Tracer("").Start(ctx, spanPrefix+".nftApply.exec")

 	defer span.End()

-	cmdPath := nftPath

-	cmdArgs := []string{nftPath, "-f", "-"}

+	cmdPath, err := lookPathNft()

+	if err != nil {

+		return err

+	}

+	cmdArgs := []string{cmdPath, "-f", "-"}

 	detachedNetNS, err := rootless.DetachedNetNS()

 	if err != nil {

 		return fmt.Errorf("could not check for detached netns: %w", err)

@@ -49,7 +49,6 @@ import (

 	"errors"

 	"fmt"

 	"iter"

-	"os/exec"

 	"runtime"

 	"slices"

 	"strconv"

@@ -64,16 +63,15 @@ import (

 const spanPrefix = "libnetwork.internal.nftables"

 var (

-	// nftPath is the path of the "nft" tool, set by [Enable] and left empty if the tool

-	// is not present - in which case, nftables is disabled.

-	nftPath string

+	// enabled is set by [Enable].

+	enabled bool

 	// Error returned by Enable if nftables could not be initialised.

 	nftEnableError error

 	// incrementalUpdateTempl is a parsed text/template, used to apply incremental updates.

 	incrementalUpdateTempl *template.Template

 	// reloadTempl is a parsed text/template, used to apply a whole table.

 	reloadTempl *template.Template

-	// enableOnce is used by [Enable] to avoid checking the path for "nft" more than once.

+	// enableOnce is used by [Enable] to avoid parsing the templates more than once.

 	enableOnce sync.Once

 )

@@ -211,10 +209,10 @@ func (t Typeof) VMap() MapTypeof {

 // Enable tries once to initialise nftables.

 func Enable() error {

 	enableOnce.Do(func() {

-		path, err := exec.LookPath("nft")

+		err := preflight()

 		if err != nil {

-			log.G(context.Background()).WithError(err).Warnf("Failed to find nft tool")

-			nftEnableError = fmt.Errorf("failed to find nft tool: %w", err)

+			log.G(context.Background()).WithError(err).Warnf("Failed to initialize nftables")

+			nftEnableError = err

 			return

 		}

 		if err := parseTemplate(); err != nil {

@@ -222,24 +220,38 @@ func Enable() error {

 			nftEnableError = fmt.Errorf("internal error while initialising nftables: %w", err)

 			return

 		}

-		nftPath = path

+		enabled = true

 	})

 	return nftEnableError

 }

-// Enabled returns true if the "nft" tool is available and [Enable] has been called.

+// Enabled returns true if [Enable] has been called and nftables was initialized successfully.

 func Enabled() bool {

-	return nftPath != ""

+	return enabled

 }

 // Disable undoes Enable. Intended for unit testing.

 func Disable() {

-	nftPath = ""

+	enabled = false

 	incrementalUpdateTempl = nil

 	reloadTempl = nil

 	enableOnce = sync.Once{}

 }

+// RunCmd runs arbitrary nftables ruleset commands, like `nft -f`, irrespective

+// of whether nftables is [Enabled].

+//

+// Most users of this package should use [Table] and [Modifier] to manage their

+// nftables ruleset.

+func RunCmd(ctx context.Context, nftCmd []byte) error {

+	h, err := newNftCtx()

+	if err != nil {

+		return err

+	}

+	defer h.Close()

+	return h.Apply(ctx, nftCmd)

+}

+

 //////////////////////////////

 // Tables