Atomic rule replacement

From nftables wiki
Revision as of 04:18, 1 March 2017 by Jeff.welling (talk | contribs) (Match existing formatting)

You can use the -f option to atomically update your rule-set:

% nft -f file

Where file contains your rule-set.

You can save your rule-set by storing the existing listing in a file, for example:

% nft list table filter > filter-table

Then you can restore it by using the -f option:

% nft -f filter-table

You can also add comments to the filter-table file. Comments are shell style: they start with # and run to the end of the line.

If you put a flush table filter line at the very beginning of the filter-table file, you get atomic rule-set replacement equivalent to what iptables-restore provides. The kernel handles all the commands in the file in one single transaction, so the flush and the load of the new rules happen in one shot: either the whole file is applied, or, if any command in it fails, nothing changes and the previous rule-set stays in place. Note that flush table filter fails if the table does not exist yet; an add table filter line before it (a no-op when the table already exists) makes the same file loadable on a freshly booted system.

Note: flush table filter does not flush the sets defined in that table. To flush sets as well, use flush ruleset (not available on Linux 3.16 or earlier) or delete the sets explicitly. Early kernels (Linux 3.16 and earlier) also do not allow you to load a set that already exists; later versions do.


Shell Scripting

Some people prefer to maintain a shell script that calls nft once per rule. Beware: that approach cannot give you atomic rule-set updates, because every nft invocation is its own transaction, so packets arriving part-way through the script are evaluated against a half-updated rule-set, and a failure in the middle leaves old and new rules mixed. The best way to go is to use the native nftables scripting capabilities and to restore your rule-set via nft -f.
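The following script ties the two points above together (the flush line that makes nft -f atomic, and the advice against rule-by-rule shell scripts). It is an added example, not code from the nftables wiki: the shell is used only to generate the rule-set file, and the whole file is then handed to nft -f so the kernel applies it in one transaction. The table name filter, the chain and rules inside it, and the function names are assumptions made for the illustration; nft -c (check the file without loading it) exists only in newer nft releases.

```shell
#!/bin/sh
# Added example, not from the nftables wiki. Generates a rule-set file whose
# leading statements make "nft -f" an atomic replacement, then loads it.
# Table "filter", its chain and rules are illustrative assumptions.

# Write a complete rule-set to $1. "add table" is a no-op when the table
# already exists, so the "flush table" that follows cannot fail on first
# load. Shell variables are expanded here, at generation time, not by nft.
build_ruleset() {
    out="$1"
    ssh_port="${2:-22}"
    cat > "$out" <<EOF
# Generated by build_ruleset; load with: nft -f $out
add table filter
flush table filter
table filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport $ssh_port accept
    }
}
EOF
}

# Print the statements of a rule-set file with "#" comments, leading
# whitespace and blank lines stripped.
statements() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# Succeed only if the first statement that is not an "add table" line is a
# "flush table" line, i.e. the file replaces the table instead of appending
# to whatever is already loaded in the kernel.
flush_comes_first() {
    first=$(statements "$1" | grep -v '^add table ' | head -n 1)
    case "$first" in
        "flush table "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate the file without touching the kernel (-c, newer nft only), then
# load it. nft -f sends the whole file as one batch: every statement is
# applied, or none is. Requires root and the nf_tables kernel modules.
apply_ruleset() {
    nft -c -f "$1" || { echo "rule-set rejected, kernel untouched" >&2; return 1; }
    nft -f "$1"
}

# Stand-alone use: sh atomic-load.sh /etc/nftables.d/filter.nft [ssh_port]
if [ -n "${1:-}" ]; then
    build_ruleset "$1" "${2:-22}"
    flush_comes_first "$1" && apply_ruleset "$1"
fi
```

The generation step is where a shell script legitimately helps (variables, loops over interface names, and so on); the load step stays a single nft -f, which is what keeps the update atomic.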