Linux Netfilter discussions
From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: Is viewing a "candidate" ruleset in 'nft list ruleset' format possible?
Date: Wed, 22 Apr 2020 14:51:20 +1000	[thread overview]
Message-ID: <87blnkqg1j.fsf@goll.lan> (raw)
In-Reply-To: CANf9dFNVrz_YjQ2Xe9vZP=U5h-3C7Hxk+oDz9rTD8Q4nALHO5A@mail.gmail.com

Martin Gignac <martin.gignac@gmail.com> writes:

> I'd like to know if it's possible to tell 'nft' to load a ruleset from
> file *without* applying it (a la 'nft -c -f <ruleset>') *but* also have
> it show the parsed (yet unapplied) ruleset in 'nft list ruleset'
> format as well?

I am also interested in this.

You can simply put "list ruleset" at the bottom of the foo.nft file.
However in my experience this routinely gives outright wrong rulesets
(as at nftables 0.9.1), so I don't trust it.

A possible short-term workaround would be to spin up a netns, load the
new ruleset in *there*, then dump it and tear the ns down again...

    $ sudo nft list ruleset | b2sum
    5524[...]3459  -
    $ sudo ip netns add delete-me
    $ sudo ip netns exec delete-me  nft -i
    nft> list ruleset
    nft> add table inet filter
    nft> add chain inet filter frobozz
    nft> add rule inet filter frobozz  tcp dport ssh accept
    nft> list ruleset
    table inet filter {
            chain frobozz {
                    tcp dport 22 accept
            }
    }
    nft>
    $ sudo nft list ruleset | b2sum
    5524[...]3459  -
    $ # Good, the production ruleset hasn't changed.
    $ sudo ip netns del delete-me   # clean up

If you need to do this as an unprivileged user,
I guess look into unshare(1) or bwrap...
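The throwaway-namespace procedure above, scripted end to end so the
before/after comparison of the host ruleset is automatic. This is an added
example, not part of the original message or of the nftables project. It
assumes the candidate file is a complete ruleset (a file that starts with
'flush ruleset' behaves the same in an empty namespace), that nft and
iproute2 are installed, and that it runs as root or via sudo; the script
name preview-nft.sh and the SUDO/NS variables are this example's own
inventions.

```shell
#!/bin/sh
# preview-nft.sh: render a candidate nftables ruleset in 'nft list ruleset'
# format by loading it into a throwaway network namespace, then prove the
# host's live ruleset was not touched.  Added example (not from the thread).
# Assumptions (not stated in the original message): nft and iproute2 are
# installed, and we run as root or via sudo.
set -eu

SUDO=${SUDO:-sudo}          # set SUDO="" when already root
NS=${NS:-nft-preview-$$}    # name of the throwaway namespace

# Digest of the live (host) ruleset, used to detect accidental changes.
host_digest() {
    $SUDO nft list ruleset | sha256sum | cut -d' ' -f1
}

# Load the candidate file into a fresh netns and print the kernel's view of
# it.  This is the same normalised form you would get on the host after
# 'nft -f' (service names become port numbers, sets are expanded, etc.).
preview_ruleset() {
    file=$1
    $SUDO ip netns add "$NS"
    # Tear the namespace down even if nft rejects the file.
    trap '$SUDO ip netns del "$NS" 2>/dev/null || true' EXIT
    $SUDO ip netns exec "$NS" nft -f "$file"
    $SUDO ip netns exec "$NS" nft list ruleset
    $SUDO ip netns del "$NS"
    trap - EXIT
}

# Return 0 when the two digests match, 1 (with a message on stderr) otherwise.
check_unchanged() {
    before=$1
    after=$2
    if [ "$before" = "$after" ]; then
        return 0
    fi
    echo "host ruleset changed: $before -> $after" >&2
    return 1
}

main() {
    file=${1:?usage: $0 candidate.nft}
    before=$(host_digest)
    preview_ruleset "$file"
    after=$(host_digest)
    check_unchanged "$before" "$after"
}

# Run main only when executed as preview-nft.sh, not when sourced.
case "$0" in *preview-nft.sh) main "$@" ;; esac
```

Usage: sudo ./preview-nft.sh candidate.nft. Two caveats worth knowing before
trusting the output: rules that match interfaces by index (iif/oif) and netdev
chains with a 'device' clause are resolved against the namespace's interfaces
at load time, so they fail in a namespace that only has lo, whereas
iifname/oifname match on the string and load fine; and 'nft -f' applies the
file atomically, so a single syntax error leaves the namespace empty and the
script exits non-zero with nft's error rather than printing a partial ruleset.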



Thread overview: 8+ messages
2020-04-19  2:12 Is viewing a "candidate" ruleset in 'nft list ruleset' format possible? Martin Gignac
2020-04-22  4:51 ` Trent W. Buck [this message]
2020-04-22 16:34   ` Martin Gignac
2020-04-23  2:06     ` Duncan Roe
2020-04-23 12:10       ` Martin Gignac
2020-04-30  3:25       ` Trent W. Buck
2020-04-30  8:05         ` Trent W. Buck
2020-04-30  3:10     ` Trent W. Buck
