* Re: "Test" mode for nft ?
@ 2017-08-21 16:49 J Doe
  0 siblings, 0 replies; 5+ messages in thread
From: J Doe @ 2017-08-21 16:49 UTC (permalink / raw)
  To: netfilter

Hi Jeff,

As far as I know there is not a command-line option for nft to parse the syntax to check that it is correct and then NOT apply the ruleset. I know pf (Mac OS X and OpenBSD) has this and it's quite handy.

The wiki does have documentation for how to debug the rules (testing what rule fires on what packet, etc.), at [1] but doesn't mention syntax checking.

If you are accidentally locking yourself out you could create a cron job that calls "nft rule flush ruleset" to drop the firewall and schedule it to run every few minutes or so.

- J

Sources:
[1] https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: "Test" mode for nft?
  2017-08-21 21:28     ` Arturo Borrero Gonzalez
@ 2017-08-22 17:38       ` J Doe
  0 siblings, 0 replies; 5+ messages in thread
From: J Doe @ 2017-08-22 17:38 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Jeff Kletsky, Netfilter Users Mailing list

Hi Arturo,

Ah, great!  Thank you for pointing this out.  I see from the commit that it is accessible via "-c" or "--check".

Out of curiosity, do you have a rough timeline of when the next release of nft will land (this quarter, next quarter, etc.)?

Thanks again,

- J


* Re: "Test" mode for nft?
  2017-08-21 17:54   ` Jeff Kletsky
@ 2017-08-21 21:28     ` Arturo Borrero Gonzalez
  2017-08-22 17:38       ` J Doe
  0 siblings, 1 reply; 5+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-08-21 21:28 UTC (permalink / raw)
  To: Jeff Kletsky; +Cc: Netfilter Users Mailing list, J Doe

On 21 August 2017 at 19:54, Jeff Kletsky <netfilter@allycomm.com> wrote:
> Thanks, good to know I wasn't missing anything.
>
> The cron job certainly works in a development environment. There is also the
> approach to use a script that captures the current state, loads the new
> rules, then waits for keyboard input for a length of time. If there isn't a
> "yes, keep these" response, it reverts to the previous state.
>

This has already been discussed in Netfilter Workshop 2017 in Faro, Portugal.
So, we are likely getting this feature at some point.

A 'dry' mode has been recently added and will be part of next nftables release.

Reference:
http://git.netfilter.org/nftables/commit/?id=b4953803f26c442cdec4cad78a8261e9b97cd015


* Re: "Test" mode for nft?
       [not found] ` <A9D44313-3B7A-4BD0-A308-AFA150BA50A1@nativemethods.com>
@ 2017-08-21 17:54   ` Jeff Kletsky
  2017-08-21 21:28     ` Arturo Borrero Gonzalez
  0 siblings, 1 reply; 5+ messages in thread
From: Jeff Kletsky @ 2017-08-21 17:54 UTC (permalink / raw)
  To: netfilter; +Cc: J Doe

Thanks, good to know I wasn't missing anything.

The cron job certainly works in a development environment. There is also 
the approach to use a script that captures the current state, loads the 
new rules, then waits for keyboard input for a length of time. If there 
isn't a "yes, keep these" response, it reverts to the previous state.

It's not under GPL, but one example of this can be found in FreeBSD, 
tailored for use with ipfw:

https://svnweb.freebsd.org/base/releng/11.1/share/examples/ipfw/change_rules.sh


Jeff



On 8/21/17 9:09 AM, J Doe wrote:
> Hi Jeff,
>
> As far as I know there is not a command-line option for nft to parse 
> the syntax to check that it is correct and then NOT apply the ruleset. 
> I know pf (Mac OS X and OpenBSD) has this and it's quite handy.
>
> The wiki does have documentation for how to debug the rules (testing 
> what rule fires on what packet, etc.), at [1] but doesn't mention 
> syntax checking.
>
> If you are accidentally locking yourself out you could create a cron 
> job that calls "nft rule flush ruleset" to drop the firewall and 
> schedule it to run every few minutes or so.
>
> - J
>
> Sources:
> [1] 
> https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing



* "Test" mode for nft?
@ 2017-08-21  0:05 Jeff Kletsky
       [not found] ` <A9D44313-3B7A-4BD0-A308-AFA150BA50A1@nativemethods.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Jeff Kletsky @ 2017-08-21  0:05 UTC (permalink / raw)
  To: netfilter

Slowly working through nftables syntax, with a lot of trial and error, 
my rules occasionally compile and load.

Unfortunately, they also have resulted in rules that have blocked my 
access to the machine, even with (I thought) carefully ensuring that my 
management interface was unrestricted.

Is there a "test" mode for nft that allows me to compile a candidate 
rule set and dump the results for inspection, without loading it into 
the kernel?

Jeff



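The thread describes three pieces of a lockout-safe workflow: a dry-run parse (the -c/--check flag in the commit Arturo links), a snapshot of the live ruleset, and Jeff's "load, wait for a keyboard yes, otherwise revert" script in the style of FreeBSD's change_rules.sh. The script below, an added example written for this page and not code from nftables, from the FreeBSD example or from any poster, ties those together for nft. It assumes root, an nft that understands -c/--check, and bash (for read -t); the script and function names are made up for the illustration, and the NFT variable exists only so the logic can be exercised against a stub binary.

```shell
#!/usr/bin/env bash
# nft-safe-apply.sh (hypothetical name, added example for this thread)
# Check a candidate nftables ruleset without touching the kernel (nft -c),
# snapshot the live ruleset, load the candidate as one transaction, then
# revert automatically unless the operator confirms within a timeout.
# Assumes root and an nft that understands -c/--check.
set -eu

NFT=${NFT:-nft}            # nft binary; overridable so the logic can be tested without root
TIMEOUT=${TIMEOUT:-60}     # seconds to wait for "yes" before reverting

# Parse and validate the file without applying it. Exit status is nft's own.
check_ruleset() {
    "$NFT" -c -f "$1"
}

# Dump the live ruleset to a file that nft -f can reload verbatim.
save_ruleset() {
    "$NFT" list ruleset > "$1"
}

# Replace the live ruleset with the file's contents. Prepending "flush ruleset"
# to the same nft -f input keeps the swap in one transaction, so the kernel
# never runs with an empty ruleset in between; a parse or load error leaves
# the old ruleset untouched.
load_ruleset() {
    { printf 'flush ruleset\n'; cat "$1"; } | "$NFT" -f -
}

# Wait up to $TIMEOUT seconds for the operator to type "yes" on stdin.
# Returns 0 on confirmation; 1 on timeout, EOF or any other answer.
confirm() {
    local answer=
    if read -r -t "$TIMEOUT" -p "Keep the new ruleset? [yes/NO] " answer; then
        [ "$answer" = yes ]
    else
        return 1
    fi
}

# Full procedure. Return codes: 0 kept, 1 reverted, 2 rejected by --check,
# 3 load failed (old ruleset still live).
safe_apply() {
    local candidate=$1 backup
    backup=$(mktemp)

    if ! check_ruleset "$candidate"; then
        echo "nft --check rejected $candidate; nothing applied" >&2
        rm -f "$backup"
        return 2
    fi
    save_ruleset "$backup"
    if ! load_ruleset "$candidate"; then
        echo "load failed; previous ruleset is still live" >&2
        rm -f "$backup"
        return 3
    fi
    if confirm; then
        echo "new ruleset kept"
        rm -f "$backup"
        return 0
    fi
    echo "no confirmation within ${TIMEOUT}s; restoring previous ruleset" >&2
    load_ruleset "$backup"
    rm -f "$backup"
    return 1
}

# Usage: nft-safe-apply.sh candidate.nft
# Run it from a session that survives a bad ruleset (a local console or a
# tmux/screen session) so the confirmation prompt is still reachable.
if [ $# -gt 0 ]; then
    safe_apply "$1"
fi
```

Two points worth keeping in mind: the --check pass only catches what nft can reject at parse time, not a rule that is syntactically fine and still drops your management traffic, which is exactly the case the confirm-or-revert step covers; and the revert only helps if the session that runs the script is not itself cut off by the new rules, so a periodic "flush ruleset" job like the one J Doe suggests remains a reasonable belt-and-braces fallback while developing rules.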
