Stephen Satchell <list@xxxxxxxxxxxx> writes:

> On 2/24/20 5:12 PM, Trent W. Buck wrote:
>> Can't you use "ip netns" (or systemd-nspawn, or docker, or libvirt-qemu)
>> to set up a test network with a test firewall, then send packets into /
>> out of that test environment?
>>
>> OK, it's a bit fiddly to set up, but I don't see why you need any
>> special nftables-specific thing when you can just do regular
>> namespace/container/vm techniques.
>
> HOWTO link?

I don't have one, but this is a basic introduction to "ip netns":

    https://lwn.net/Articles/580893/

Once the netns is set up, you'd do something like

    ip netns exec my-cool-namespace nft --file=my-cool-firewall.nft
    ip netns exec my-cool-namespace firefox gopher://porn.example.edu

Then look at nft's counters (add rule ... counter accept),
or kernel logs (add rule ... log accept),
or whatever diagnostics you normally do.

The fiddly part is turning that into a turnkey "solution" that can have
multiple namespaces hooked up to one another, and to the real internet.
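The procedure sketched in the mail above (build a namespace, load the ruleset into it, push packets at it, read the counters), as an added example script that is not part of the original thread. The namespace names, the veth names, the 10.200.0.0/24 addresses, the ruleset file path and the use of nc as the traffic generator are all assumptions made here; the ruleset is a constructed sample. It needs root, iproute2 and nft, and leaves no state behind because the namespaces are deleted on exit.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: a throwaway two-namespace
# lab for exercising an nftables ruleset. Everything below (names,
# addresses, ports, the sample ruleset) is an assumption for illustration.
set -eu

FW_NS=fw-lab            # namespace that loads the firewall ruleset
CLIENT_NS=client-lab    # namespace that sends the test packets
FW_ADDR=10.200.0.1
CLIENT_ADDR=10.200.0.2
RULESET=/tmp/fw-lab.nft

# Constructed sample ruleset. Every interesting rule references a named
# counter so we can tell afterwards which rule a probe hit.
write_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    counter ssh_in {}
    counter http_in {}
    counter dropped {}
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 counter name ssh_in accept
        tcp dport 80 counter name http_in log prefix "lab http: " accept
        counter name dropped log prefix "lab drop: " drop
    }
}
EOF
}

setup_lab() {
    ip netns add "$FW_NS"
    ip netns add "$CLIENT_NS"
    ip link add veth-fw type veth peer name veth-client
    ip link set veth-fw netns "$FW_NS"
    ip link set veth-client netns "$CLIENT_NS"
    ip -n "$FW_NS" addr add "$FW_ADDR/24" dev veth-fw
    ip -n "$CLIENT_NS" addr add "$CLIENT_ADDR/24" dev veth-client
    ip -n "$FW_NS" link set lo up
    ip -n "$FW_NS" link set veth-fw up
    ip -n "$CLIENT_NS" link set lo up
    ip -n "$CLIENT_NS" link set veth-client up
}

teardown_lab() {
    ip netns del "$FW_NS" 2>/dev/null || true
    ip netns del "$CLIENT_NS" 2>/dev/null || true
}

# Packet count of one named counter, read from inside the firewall namespace.
counter_packets() {
    ip netns exec "$FW_NS" nft list counter inet filter "$1" \
        | sed -n 's/.*packets \([0-9]*\).*/\1/p'
}

run_lab() {
    trap teardown_lab EXIT
    write_ruleset "$RULESET"
    setup_lab
    # Syntax-check the file before loading it, then load it in the lab only.
    ip netns exec "$FW_NS" nft -c -f "$RULESET"
    ip netns exec "$FW_NS" nft -f "$RULESET"
    # Probe from the client: port 22 should hit ssh_in, 80 http_in, 9999 dropped.
    # nc -z only attempts the connect; -w 1 bounds the wait on the dropped port.
    for port in 22 80 9999; do
        ip netns exec "$CLIENT_NS" nc -z -w 1 "$FW_ADDR" "$port" || true
    done
    for c in ssh_in http_in dropped; do
        printf '%-8s packets=%s\n' "$c" "$(counter_packets "$c")"
    done
    ip netns exec "$FW_NS" nft list ruleset
}

case "${1:-}" in
    run) run_lab ;;
esac
```

Run it as `sudo sh lab.sh run`. Two things worth knowing when reading the results: the ruleset only ever exists inside fw-lab, so a wrong `policy drop` cannot lock you out of the host, which is the whole reason to test this way; and the `log` statements write to the kernel ring buffer, which is not per-namespace, so look for the "lab http:" and "lab drop:" prefixes with `dmesg` or `journalctl -k` on the host rather than expecting them inside the namespace.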