Peter Hoeg <peter@xxxxxxxx> wrote: > as part of deploying nftables rules on NixOS, I want to check the syntax before actually trying to deploy them. > > Now, nft --check --file works fine when run as root but the builder used does not have root permissions (or access to sudo or anything like that). Is there any particular reason why nft --check needs to run as root or any way to make it work as !root? Yes, this not a syntax check. The ruleset is passed to the kernel. The only difference is the lack of the final 'commit' instruction to activate the ruleset, this makes the kernel abort/unwind the entire transaction.
