On 9 April 2014 14:10, Daniel Tiebler <daniel.tiebler@xxxxxxxxxxxxxxxxxxxx> wrote:
[...]
> * Is something similar possible with nftables?
>

In nftables, you can know a low-level (netlink) representation of all nftables objects (tables, sets, chains, rules...) in userspace (using libnftnl). This representation is either XML or JSON, where DNS name resolution, service name resolution and friends are translations to the internal kernel data structures.

To know if two rules are the same, you could check if the expression set is the same. For these nftables rules:

 * nft add rule test test tcp dport 22 accept
 * nft add rule test test tcp dport ssh accept

the list of expressions in XML is exactly the same. The handle attribute is unique for each rule.

<rule>
  <family>ip</family>
  <table>test</table>
  <chain>test</chain>
  <handle>3</handle>
  <flags>0</flags>
  <expr type="payload">
    <dreg>1</dreg>
    <offset>9</offset>
    <len>1</len>
    <base>network</base>
  </expr>
  <expr type="cmp">
    <sreg>1</sreg>
    <op>eq</op>
    <cmpdata>
      <data_reg type="value">
        <len>1</len>
        <data0>0x00000006</data0>
      </data_reg>
    </cmpdata>
  </expr>
  <expr type="payload">
    <dreg>1</dreg>
    <offset>2</offset>
    <len>2</len>
    <base>transport</base>
  </expr>
  <expr type="cmp">
    <sreg>1</sreg>
    <op>eq</op>
    <cmpdata>
      <data_reg type="value">
        <len>2</len>
        <data0>0x00001600</data0>
      </data_reg>
    </cmpdata>
  </expr>
</rule>

If you are using a recent nftables, you can run `nft export {xml|json}' to get your current ruleset in XML or JSON format. We plan to add an `nft import {xml|json}' operation as well.

Tracking FQDN changes is another, different issue.

--
Arturo Borrero González
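The comparison described in the reply, as an added example that is not part of the original message or of the nftables project: it parses single `<rule>` fragments of the XML shape shown above, canonicalises the ordered `<expr>` list while deliberately ignoring the per-rule `<handle>`, and reports which rules in a list are semantically the same. The sample fragments are constructed from the message's XML; the `dport ssh` rule is that same XML with a different handle (as the message says the expressions are identical), and the `dport 80` variant, with `0x00005000` as the register value, is an assumption about the register layout introduced only to show a non-match.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <rule> XML quoted in the message for
# `nft add rule test test tcp dport 22 accept`.
RULE_DPORT_22 = """<rule>
<family>ip</family><table>test</table><chain>test</chain>
<handle>3</handle><flags>0</flags>
<expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr>
<expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value">
<len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr>
<expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr>
<expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value">
<len>2</len><data0>0x00001600</data0></data_reg></cmpdata></expr>
</rule>"""

# Constructed: `tcp dport ssh accept` yields the same expressions, only the
# handle differs (the kernel never sees the service name).
RULE_DPORT_SSH = RULE_DPORT_22.replace("<handle>3</handle>", "<handle>4</handle>")

# Constructed (assumed register layout): a `tcp dport 80` rule, to show a mismatch.
RULE_DPORT_80 = (RULE_DPORT_22
                 .replace("<handle>3</handle>", "<handle>5</handle>")
                 .replace("0x00001600", "0x00005000"))


def _canon(elem):
    """Turn an element into a hashable tuple: tag, sorted attributes, stripped
    text and canonicalised children in document order (order matters, since a
    rule is a sequence of expressions evaluated left to right)."""
    text = (elem.text or "").strip()
    return (elem.tag,
            tuple(sorted(elem.attrib.items())),
            text,
            tuple(_canon(child) for child in elem))


def rule_location(rule_xml):
    """(family, table, chain) of a rule; two rules in different chains are
    never 'the same' even if their expressions match."""
    root = ET.fromstring(rule_xml)
    return tuple(root.findtext(tag) for tag in ("family", "table", "chain"))


def rule_expressions(rule_xml):
    """Canonical form of the rule's <expr> list. <handle> and <flags> are
    intentionally left out: the handle is unique per rule by construction."""
    root = ET.fromstring(rule_xml)
    if root.tag != "rule":
        raise ValueError("expected a <rule> element, got <%s>" % root.tag)
    return tuple(_canon(expr) for expr in root.findall("expr"))


def same_rule(a_xml, b_xml):
    """True when both rules sit in the same family/table/chain and compile to
    the same expression list."""
    return (rule_location(a_xml) == rule_location(b_xml)
            and rule_expressions(a_xml) == rule_expressions(b_xml))


def find_duplicates(rules_xml):
    """Group rule fragments by canonical form and return the handle lists of
    every group with more than one member (i.e. redundant rules)."""
    groups = {}
    for rule_xml in rules_xml:
        key = (rule_location(rule_xml), rule_expressions(rule_xml))
        handle = ET.fromstring(rule_xml).findtext("handle")
        groups.setdefault(key, []).append(handle)
    return [handles for handles in groups.values() if len(handles) > 1]


if __name__ == "__main__":
    print("22 == ssh:", same_rule(RULE_DPORT_22, RULE_DPORT_SSH))
    print("22 == 80: ", same_rule(RULE_DPORT_22, RULE_DPORT_80))
    print("duplicate handles:", find_duplicates([RULE_DPORT_22, RULE_DPORT_SSH, RULE_DPORT_80]))
```

Feeding the individual `<rule>` elements of an `nft export xml` dump through `find_duplicates` flags rules that differ only in how they were written (numeric port versus service name), which is the practical value of comparing the kernel-level representation rather than the human-readable rule text.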