* Processing nftable rules without loading them into the kernel
@ 2023-07-09 8:02 George Shuklin
From: George Shuklin @ 2023-07-09 8:02 UTC (permalink / raw)
To: netfilter
I got a rather interesting task: I need to check if a given set of rules
on the disk is the same as loaded into the kernel.
The main problem is that nft list is quite different from the original
config (ordering, comments, etc), so I wonder if there is a way to make
nft just to read rules, process them and output back in the same format
as it is from nft ruleset list. Is there a way to force nft to just
'process' rules to stdout without loading them into the kernel?
* Re: Processing nftable rules without loading them into the kernel
From: Eric @ 2023-07-09 15:12 UTC (permalink / raw)
To: George Shuklin; +Cc: netfilter
On Sunday, July 9th, 2023 at 01:02, George Shuklin <george.shuklin@gmail.com> wrote:
> I got a rather interesting task: I need to check if a given set of rules
> on the disk is the same as loaded into the kernel.
>
> The main problem is that nft list is quite different from the original
> config (ordering, comments, etc), so I wonder if there is a way to make
> nft just to read rules, process them and output back in the same format
> as it is from nft ruleset list. Is there a way to force nft to just
> 'process' rules to stdout without loading them into the kernel?
Well, after experimenting a bit, I'm not going to say, "No, it can't be done" as I've got sort of a hack that might be usable.
$ nft list ruleset | nft -c -d netlink -f - > x
$ nft -c -d netlink -f my_rules.nft > y
$ diff x y
At the very least, the counter values are different (so sed them?), but maybe it might be made to sort of work???
Eric
* Re: Processing nftable rules without loading them into the kernel
From: Pablo Neira Ayuso @ 2023-07-10 7:39 UTC (permalink / raw)
To: Eric; +Cc: George Shuklin, netfilter
On Sun, Jul 09, 2023 at 03:12:31PM +0000, Eric wrote:
> On Sunday, July 9th, 2023 at 01:02, George Shuklin <george.shuklin@gmail.com> wrote:
> > I got a rather interesting task: I need to check if a given set of rules
> > on the disk is the same as loaded into the kernel.
> >
> > The main problem is that nft list is quite different from the original
> > config (ordering, comments, etc), so I wonder if there is a way to make
> > nft just to read rules, process them and output back in the same format
> > as it is from nft ruleset list. Is there a way to force nft to just
> > 'process' rules to stdout without loading them into the kernel?
>
> Well, after experimenting a bit, I'm not going to say, "No, it can't be done" as I've got sort of a hack that might be usable.
>
> $ nft list ruleset | nft -c -d netlink -f - > x
> $ nft -c -d netlink -f my_rules.nft > y
> $ diff x y
>
> At the very least, the counter values are different (so sed them?), but maybe it might be made to sort of work???
`-s' can be used to remove the stateful part of the counters.
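Eric's pipeline and Pablo's -s hint, put together as a script. This is an added example, not code from the thread: it normalises both the loaded ruleset and the on-disk file through nft's check-mode netlink debug output and diffs the two dumps, so comments and the textual layout of the file drop out and only the linearised rules are compared. It assumes nft accepts -s, -c, -d netlink and -f as used above, and it reads Pablo's hint as putting -s on the listing side so that counter values never reach the dump. The function names and the NFT override are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an on-disk nftables
# ruleset matches what the kernel has loaded, by normalising both through
# "nft -c -d netlink" and diffing the netlink dumps. Nothing is committed
# to the kernel; -c is a dry run.
# Assumptions: nft supports -s, -c, -d netlink and -f as used in the thread;
# NFT may be pointed at another binary (e.g. a stub for offline testing).
set -u

NFT="${NFT:-nft}"

# Netlink dump of the loaded ruleset. -s makes the listing stateless, so a
# counter comes out as a bare "counter" and its packet/byte values never
# reach the dump (the difference Eric saw between the two sides).
# Two steps rather than a pipe, so a failed listing (for instance without
# CAP_NET_ADMIN) is reported instead of being parsed as an empty ruleset.
dump_kernel() {
    "$NFT" -s list ruleset > "$1/listing.nft" || return 1
    "$NFT" -c -d netlink -f "$1/listing.nft"
}

# Netlink dump of a ruleset file through the same check-mode pass. Both
# sides go through the same nft binary, so the linearisation is comparable.
dump_file() {
    "$NFT" -c -d netlink -f "$1"
}

# Diff two dumps: exit 0 when identical, 1 when they differ (diff on stdout).
compare_dumps() {
    diff -u "$1" "$2"
}

# Exit 0 if the file matches the kernel, 1 if it differs, 2 if either nft
# invocation failed, so a parse error is never mistaken for "equal".
rulesets_match() {
    rules="$1"
    tmpdir="$(mktemp -d)" || return 2
    if ! dump_kernel "$tmpdir" > "$tmpdir/kernel.dump"; then
        rm -rf "$tmpdir"; return 2
    fi
    if ! dump_file "$rules" > "$tmpdir/disk.dump"; then
        rm -rf "$tmpdir"; return 2
    fi
    compare_dumps "$tmpdir/kernel.dump" "$tmpdir/disk.dump"
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# Usage: sh nft-compare.sh /etc/nftables.conf
if [ "$#" -gt 0 ]; then
    rulesets_match "$1"
    exit $?
fi
```

Run it with the same privileges you would use for `nft list ruleset`; both sides talk to the kernel over netlink. The comparison covers the whole kernel ruleset, so it is an equality check only for a file that describes the complete ruleset (typically one starting with `flush ruleset`). If the file manages a single table, list just that table instead (`nft -s list table inet filter`), otherwise every table the file does not mention shows up in the diff.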