On Sunday, July 9th, 2023 at 01:02, George Shuklin <george.shuklin@xxxxxxxxx> wrote:

> I got a rather interesting task: I need to check if a given set of rules
> on the disk is the same as loaded into the kernel.
>
> The main problem is that nft list is quite different from the original
> config (ordering, comments, etc), so I wonder if there is a way to make
> nft just to read rules, process them and output back in the same format
> as it is from nft ruleset list. Is there a way to force nft to just
> 'process' rules to stdout without loading them into the kernel?

Well, after experimenting a bit, I'm not going to say, "No, it can't be done" as I've got sort of a hack that might be usable.

$ nft list ruleset | nft -c -d netlink -f - > x
$ nft -c -d netlink -f my_rules.nft > y
$ diff x y

At the very least, the counter values are different (so sed them?), but maybe it might be made to sort of work???

Eric
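One way to turn the hack above into a usable drift check, as an added example that is not part of the thread and not Eric's or George's script: mask the counter values in both `nft -c -d netlink` dumps and then diff them, so only genuine rule differences (missing, extra or reordered rules) remain. It assumes that the debug output carries counters as lines of the form `[ counter pkts N bytes M ]`; the file names `x`/`y` follow Eric's commands, and the sample dumps below are constructed to approximate the format rather than captured from a real nft run.

```shell
#!/bin/sh
# Added example, not from the thread: compare two `nft -c -d netlink` dumps
# with the packet/byte counters masked out, so that a live ruleset
# (nft list ruleset | nft -c -d netlink -f - > x) and an on-disk one
# (nft -c -d netlink -f my_rules.nft > y) can be diffed meaningfully.
# Assumption (mine): counters appear in the debug output as lines matching
# "[ counter pkts N bytes M ]"; nothing else is rewritten, so a rule that is
# missing, extra or reordered still shows up in the diff.

# normalize: read a netlink debug dump on stdin, zero out counter values.
normalize() {
    sed -E 's/\[ counter pkts [0-9]+ bytes [0-9]+ \]/[ counter pkts 0 bytes 0 ]/'
}

# compare_rulesets LIVE_FILE DISK_FILE
# Returns 0 when the normalised dumps are identical, 1 otherwise (and prints
# a unified diff so the operator can see which rule diverged).
compare_rulesets() {
    tmpdir=$(mktemp -d)
    normalize < "$1" > "$tmpdir/live"
    normalize < "$2" > "$tmpdir/disk"
    if diff -u "$tmpdir/live" "$tmpdir/disk"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# --- constructed sample data (approximates the debug format; not real nft output) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
LIVE="$SAMPLE_DIR/x"
DISK="$SAMPLE_DIR/y"
DISK_EXTRA="$SAMPLE_DIR/y_extra"

# What the kernel reports: the counter has already seen traffic.
cat > "$LIVE" <<'EOF'
ip filter input
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ cmp eq reg 1 0x00001600 ]
  [ counter pkts 1234 bytes 98765 ]
  [ immediate reg 0 accept ]
EOF

# The same rules as parsed from disk in a -c dry run: counters start at zero.
sed -E 's/pkts [0-9]+ bytes [0-9]+/pkts 0 bytes 0/' "$LIVE" > "$DISK"

# A drifted file: one extra rule that was never loaded into the kernel.
{ cat "$DISK"; printf '%s\n' '  [ immediate reg 0 drop ]'; } > "$DISK_EXTRA"

if compare_rulesets "$LIVE" "$DISK" > /dev/null; then
    echo "x vs y: rulesets match (counters ignored)"
fi
if ! compare_rulesets "$LIVE" "$DISK_EXTRA" > /dev/null; then
    echo "x vs y_extra: rulesets differ"
fi
```

With real dumps, `compare_rulesets x y` exits non-zero and prints the diff whenever the on-disk file and the kernel disagree. Rule order is deliberately not normalised, since order changes the semantics of a chain; if the file is expected to differ from the kernel only in counter values, any remaining diff line is a real discrepancy worth investigating.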