On Sun, Jul 09, 2023 at 03:12:31PM +0000, Eric wrote:
> On Sunday, July 9th, 2023 at 01:02, George Shuklin <george.shuklin@xxxxxxxxx> wrote:
> > I got a rather interesting task: I need to check if a given set of rules
> > on the disk is the same as loaded into the kernel.
> >
> > The main problem is that nft list is quite different from the original
> > config (ordering, comments, etc), so I wonder if there is a way to make
> > nft just read rules, process them and output them back in the same format
> > as it is from nft list ruleset. Is there a way to force nft to just
> > 'process' rules to stdout without loading them into the kernel?
>
> Well, after experimenting a bit, I'm not going to say, "No, it can't be done" as I've got sort of a hack that might be usable.
>
> $ nft list ruleset | nft -c -d netlink -f - > x
> $ nft -c -d netlink -f my_rules.nft > y
> $ diff x y
>
> At the very least, the counter values are different (so sed them?), but maybe it might be made to sort of work???

`-s' can be used to remove the stateful part of the counters.
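The following script is an added example, not code posted by Eric or George: it wraps the comparison from the thread into a drift check, with `-s` on the kernel-side dump so counter values are not listed, and exits non-zero when the loaded ruleset no longer matches the file on disk. It assumes `nft` is installed and that it is run as root (for `nft list ruleset`). The `sed` fallback assumes the netlink debug output renders counters as `pkts N bytes M`; that format is an assumption of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between an nft ruleset
# file and the ruleset currently loaded in the kernel. Both sides are run
# through `nft -c -d netlink -f -`: -c only checks (nothing is committed),
# -d netlink prints the netlink-level representation, so source-text
# differences (ordering, comments) vanish from the comparison.
set -eu

# normalize_rules: read nft syntax on stdin, emit netlink debug output,
# never touching the kernel ruleset.
normalize_rules() {
    nft -c -d netlink -f -
}

# strip_counter_values: belt-and-braces fallback for the "counter values
# differ" problem raised in the thread. `-s` on the kernel dump should
# already drop them; this zeroes any that remain. The "pkts N bytes M"
# pattern is an ASSUMPTION about the netlink debug format.
strip_counter_values() {
    sed -E 's/pkts [0-9]+ bytes [0-9]+/pkts 0 bytes 0/g'
}

# check_ruleset_drift FILE: return 0 when the kernel ruleset matches FILE,
# 1 when it differs (a unified diff of the normalized dumps goes to stderr).
check_ruleset_drift() {
    rules_file=$1
    tmp=${TMPDIR:-/tmp}
    # -s: stateless listing, so live counter values are not emitted
    kernel_dump=$(nft -s list ruleset | normalize_rules | strip_counter_values)
    disk_dump=$(normalize_rules < "$rules_file" | strip_counter_values)
    if [ "$kernel_dump" = "$disk_dump" ]; then
        echo "ruleset in kernel matches $rules_file"
        return 0
    fi
    echo "ruleset drift detected between kernel and $rules_file:" >&2
    printf '%s\n' "$kernel_dump" > "$tmp/nft-kernel.$$"
    printf '%s\n' "$disk_dump"   > "$tmp/nft-disk.$$"
    diff -u "$tmp/nft-kernel.$$" "$tmp/nft-disk.$$" >&2 || true
    rm -f "$tmp/nft-kernel.$$" "$tmp/nft-disk.$$"
    return 1
}

# Usage: ./nft-drift.sh /etc/nftables.conf  (run as root)
if [ -n "${1:-}" ]; then
    check_ruleset_drift "$1"
fi
```

Run it from cron or a configuration-management hook to get an alert when someone has changed the live ruleset without updating the file that is supposed to define it; a non-zero exit is the signal, and the diff on stderr shows which rules diverged.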