Difference between revisions of "Atomic rule replacement"
(Created page with "You can use the ''-f'' option to atomically update your rule-set: <source lang="bash"> % nft -f file </source> Where ''file'' contains your rule-set. You can save your rule...") |
Jeff.welling (talk | contribs) m (Noted ability to add comments to filter-file, and caveats of flush table filter) |
||
| Line 19: | Line 19: | ||
</source> | </source> | ||
If you prepend the ''flush table filter'' line at the very beginning of the ''filter-table'' file, you achieve atomic rule-set replacement equivalent to what ''iptables-restore'' provides. | You can also add comments to the filter-table file. Comments are bash style, starting with # and go to the end of the line. | ||
If you prepend the ''flush table filter'' line at the very beginning of the ''filter-table'' file, you achieve atomic rule-set replacement equivalent to what ''iptables-restore'' provides. The kernel handles the rule commands in the file in one single transaction, so basically the flushing and the load of the new rules happens in one single shot. | |||
Note: ''flush table filter'' will not flush any sets defined in that table. To flush sets as well, use ''flush ruleset'' (not available in Linux 3.16 or below) or delete the sets explicitly. Early versions (Linux <=3.16) do not allow you to import a set if it already exists, but this is allowed in later versions. | |||
== Shell Scripting == | |||
Some people prefer to maintain a shell script file with the rule-set. '''Beware of that approach, you cannot achieve atomic rule-set updates with a shell script file'''. Therefore, the best way to go is to use the native [[Scripting|nftables scripting capabilities]] and to restore your rule-set via ''nft -f''. | Some people prefer to maintain a shell script file with the rule-set. '''Beware of that approach, you cannot achieve atomic rule-set updates with a shell script file'''. Therefore, the best way to go is to use the native [[Scripting|nftables scripting capabilities]] and to restore your rule-set via ''nft -f''. | ||
Revision as of 05:17, 1 March 2017
You can use the -f option to atomically update your rule-set:
% nft -f file
Where file contains your rule-set.
You can save your rule-set by storing the existing listing in a file, ie.
% nft list table filter > filter-table
Then you can restore it by using the -f option:
% nft -f filter-table
You can also add comments to the filter-table file. Comments are bash style, starting with # and go to the end of the line.
If you prepend the flush table filter line at the very beginning of the filter-table file, you achieve atomic rule-set replacement equivalent to what iptables-restore provides. The kernel handles the rule commands in the file in one single transaction, so basically the flushing and the load of the new rules happens in one single shot.
Note: flush table filter will not flush any sets defined in that table. To flush sets as well, use flush ruleset (not available in Linux 3.16 or below) or delete the sets explicitly. Early versions (Linux <=3.16) do not allow you to import a set if it already exists, but this is allowed in later versions.
Shell Scripting
Some people prefer to maintain a shell script file with the rule-set. Beware of that approach, you cannot achieve atomic rule-set updates with a shell script file. Therefore, the best way to go is to use the native nftables scripting capabilities and to restore your rule-set via nft -f.