Atomic rule replacement

From nftables wiki
Revision as of 18:50, 13 July 2016 by Pablo (talk | contribs)

You can use the -f option to atomically update your rule-set:

% nft -f file

Where file contains your rule-set.

You can save your rule-set by storing the existing listing in a file, e.g. for the table filter of the ip family:

% nft list table filter > filter-table

Then you can restore it by using the -f option:

% nft -f filter-table

If you prepend the line flush table filter at the very beginning of the filter-table file (before the table filter { ... } block), you achieve atomic rule-set replacement equivalent to what iptables-restore provides. The kernel handles all the commands in the file as one single transaction, so the flush and the load of the new rules happen in one single shot: at no point does a packet see an empty or half-loaded rule-set, and if any command in the file is rejected the whole transaction is aborted and the previous rule-set stays in place. Note that flush table only empties the chains of a table that already exists; if the table may be absent (e.g. on first boot), put an add table filter line before the flush, which is a no-op when the table is already there.
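The save, prepend-flush, check and restore steps above, as an added shell example (mine, not code from the nftables wiki or project). It assumes the table is ip filter, uses a constructed listing in place of the real nft list table filter output, and assumes nft supports -c (--check) for a dry run; the apply step needs root and nft on the box:

```sh
#!/bin/sh
# Atomic replacement of the "ip filter" table with nft -f.
# Added example for this page, not code from the nftables project.
# Assumptions (mine): the table is "ip filter" (what `nft list table filter`
# prints), and nft supports -c/--check for a dry run.
set -eu

# Constructed stand-in for `nft list table filter > filter-table`.
sample_listing() {
    cat <<'EOF'
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
}
EOF
}

# Build the file that nft -f will load in one transaction:
#   add table   - no-op if the table exists, so the flush cannot fail on a fresh boot
#   flush table - drops every rule in the table's chains
#   listing     - the new rules
# Because all three are in one file, flush and reload are committed together.
# $1 = saved listing, $2 = output file
make_atomic_ruleset() {
    {
        printf '%s\n' 'add table ip filter' 'flush table ip filter'
        cat "$1"
    } > "$2"
}

# Validate the whole file without touching the kernel (nft -c), then commit it.
# nft -f is all-or-nothing: if any line is rejected the old rule-set stays.
apply_ruleset() {
    if ! nft -c -f "$1"; then
        echo "rule-set rejected by nft -c; kernel rule-set unchanged" >&2
        return 1
    fi
    nft -f "$1"
}

# Usage (root, nft installed):  sh replace.sh filter-table
if [ "$#" -gt 0 ]; then
    make_atomic_ruleset "$1" "$1.atomic"
    apply_ruleset "$1.atomic"
fi
```

The dry run with -c catches syntax and semantic errors before anything reaches the kernel; even without it, a bad file is rejected as a whole by nft -f rather than applied half-way.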

Some people prefer to maintain a shell script file with the rule-set, calling nft once per rule. Beware of that approach: every nft invocation is its own transaction, so the rule-set is rebuilt incrementally, packets are evaluated against a partially loaded rule-set while the script runs, and a failing command in the middle leaves it half-applied. You cannot achieve atomic rule-set updates with a shell script file. Therefore, the best way to go is to use the native nftables scripting capabilities and to restore your rule-set via nft -f.