Martin Gignac <martin.gignac@xxxxxxxxx> writes:

> I'd like to know if it's possible to tell 'nft' to load a ruleset from
> file *without* applying it (a la 'nft -c -f <ruleset>) *but* also have
> it show the parsed (yet unapplied) ruleset in 'nft list ruleset'
> format as well?

I am also interested in this.

You can simply put "list ruleset" at the bottom of the foo.nft file.
However, in my experience this routinely gives outright wrong rulesets
(as at nftables 0.9.1), so I don't trust it.

A possible short-term workaround would be to spin up a netns, load the
new ruleset in *there*, then dump it and tear the ns down again...

$ sudo nft list ruleset | b2sum
5524[...]3459  -
$ sudo ip netns add delete-me
$ sudo ip netns exec delete-me nft -i
nft> list ruleset
nft> add table inet filter
nft> add chain inet filter frobozz
nft> add rule inet filter frobozz tcp dport ssh accept
nft> list ruleset
table inet filter {
	chain frobozz {
		tcp dport 22 accept
	}
}
nft>
$ sudo nft list ruleset | b2sum
5524[...]3459  -
$ # Good, the production ruleset hasn't changed.
$ sudo ip netns del delete-me   # clean up

If you need to do this as an unprivileged user, I guess look into
unshare(1) or bwrap...
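The throwaway-netns procedure from the mail above, wrapped into a script so it can be repeated against a ruleset file rather than typed at the nft prompt. This is an added example and not code from the original mail; the script name nft-dry-run.sh, the function names and the "nftdry-" namespace prefix are my own choices, and the script assumes iproute2 (ip netns), nft and b2sum are installed and that it runs as root when given a file (the helper functions themselves need no privileges). The iif/oif check is a caveat I am adding: nft resolves an interface name in `iif`/`oif` to an interface index when the rule is loaded, and a fresh namespace only has lo, so such rules are rejected there for a reason that says nothing about the production host.

```shell
#!/bin/sh
# nft-dry-run.sh: load a ruleset file into a throwaway network namespace,
# print it the way `nft list ruleset` would, and destroy the namespace.
# Added example for this thread, not part of the original mail.
# Usage: sudo sh nft-dry-run.sh /path/to/ruleset.nft
set -eu

# Unique namespace name so two concurrent runs never collide
# (prefix "nftdry-" is an arbitrary choice).
ns_name() {
    printf 'nftdry-%s-%s' "$$" "$(date +%s)"
}

# Return 0 if the file matches interfaces by index (`iif`/`oif`).
# Those are resolved against the namespace at load time and fail in an
# empty netns, which only has `lo`; `iifname`/`oifname` are string
# comparisons and load fine. `grep -w` keeps `iifname` from matching.
has_ifindex_refs() {
    grep -Ewq 'iif|oif' "$1"
}

# Hash of the live ruleset, used to prove the real tables were untouched.
ruleset_fingerprint() {
    nft list ruleset | b2sum | cut -d' ' -f1
}

dry_run() {
    file=$1
    ns=$(ns_name)
    before=$(ruleset_fingerprint)

    if has_ifindex_refs "$file"; then
        echo "warning: $file uses iif/oif; those interfaces do not exist in" \
             "an empty netns, so the load may fail for that reason alone" >&2
    fi

    ip netns add "$ns"
    # Remove the namespace even if nft rejects the file or we are killed.
    trap 'ip netns del "$ns"' EXIT INT TERM

    # `nft -c -f` would only syntax-check; here we load for real, but only
    # inside the sandbox namespace, which starts with an empty ruleset.
    ip netns exec "$ns" nft -f "$file"
    ip netns exec "$ns" nft list ruleset

    after=$(ruleset_fingerprint)
    if [ "$before" != "$after" ]; then
        echo "error: live ruleset changed during dry run" >&2
        return 1
    fi
}

# Only act when a ruleset file is given; sourcing the script just
# defines the helpers.
if [ $# -gt 0 ]; then
    dry_run "$1"
fi
```

The fingerprint comparison is the same b2sum check the mail does by hand; it catches a ruleset file that, for instance, contains its own `list ruleset` or accidentally escapes the namespace through a wrapper. Because the namespace starts empty, a file beginning with `flush ruleset` behaves exactly as it would on the host, whereas a file that only adds to existing tables will show just those additions.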