* Re: "Test" mode for nft ?
From: J Doe @ 2017-08-21 16:49 UTC (permalink / raw)
To: netfilter
Hi Jeff,
As far as I know there is not a command line option for nft to parse the syntax to check that it is correct and then NOT apply the ruleset. I know pf (Mac OS X and OpenBSD) has this and it's quite handy.
The wiki does have documentation for how to debug the rules (testing what rule fires on what packet, etc.), at [1] but doesn't mention syntax checking.
If you are accidentally locking yourself out you could create a cron job that calls "nft rule flush ruleset" to drop the firewall and schedule it to run every few minutes or so.
- J
Sources:
[1] https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing
* Re: "Test" mode for nft?
From: J Doe @ 2017-08-22 17:38 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: Jeff Kletsky, Netfilter Users Mailing list
Hi Arturo,
Ah, great! Thank you for pointing this out. I see from the commit that it is accessible via "-c" or "--check".
Out of curiosity, do you have a rough timeline of when the next release of nft will land (this quarter, next quarter, etc.)?
Thanks again,
- J
* Re: "Test" mode for nft?
From: Arturo Borrero Gonzalez @ 2017-08-21 21:28 UTC (permalink / raw)
To: Jeff Kletsky; +Cc: Netfilter Users Mailing list, J Doe
On 21 August 2017 at 19:54, Jeff Kletsky <netfilter@allycomm.com> wrote:
> Thanks, good to know I wasn't missing anything.
>
> The cron job certainly works in a development environment. There is also the
> approach to use a script that captures the current state, loads the new
> rules, then waits for keyboard input for a length of time. If there isn't a
> "yes, keep these" response, it reverts to the previous state.
>
This has already been discussed at Netfilter Workshop 2017 in Faro, Portugal.
So, we are likely getting this feature at some point.
A 'dry' mode has recently been added and will be part of the next nftables release.
Reference:
http://git.netfilter.org/nftables/commit/?id=b4953803f26c442cdec4cad78a8261e9b97cd015
* Re: "Test" mode for nft?
From: Jeff Kletsky @ 2017-08-21 17:54 UTC (permalink / raw)
To: netfilter; +Cc: J Doe
Thanks, good to know I wasn't missing anything.
The cron job certainly works in a development environment. There is also
the approach to use a script that captures the current state, loads the
new rules, then waits for keyboard input for a length of time. If there
isn't a "yes, keep these" response, it reverts to the previous state.
It's not under GPL, but one example of this can be found in FreeBSD,
tailored for use with ipfw:
https://svnweb.freebsd.org/base/releng/11.1/share/examples/ipfw/change_rules.sh
Jeff
On 8/21/17 9:09 AM, J Doe wrote:
> Hi Jeff,
>
> As far as I know there is not a command line option for nft to parse
> the syntax to check that it is correct and then NOT apply the ruleset.
> I know pf (Mac OS X and OpenBSD) has this and it's quite handy.
>
> The wiki does have documentation for how to debug the rules (testing
> what rule fires on what packet, etc.), at [1] but doesn't mention
> syntax checking.
>
> If you are accidentally locking yourself out you could create a cron
> job that calls "nft rule flush ruleset" to drop the firewall and
> schedule it to run every few minutes or so.
>
> - J
>
> Sources:
> [1]
> https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing
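The two ideas in this thread, the parse-only check (nft -c / --check) and Jeff's "load, wait for confirmation, otherwise revert" script, combined into one added example. It is not from the thread, the nftables project or the ipfw change_rules.sh linked above, and it assumes nft and mktemp are on the PATH; NFT is a variable only so a wrapper can be substituted.

```bash
#!/bin/bash
# Added example (not from the thread or the nftables project): load a new
# ruleset only after it passes 'nft -c', then revert to the saved ruleset
# unless the operator confirms within a time window.
# Assumes nft and mktemp exist; NFT may point at a wrapper for testing.
NFT=${NFT:-nft}

# Parse-only pass: nft -c checks the file and does not touch the kernel.
check_ruleset() {
    "$NFT" -c -f "$1"
}

# Dump the live ruleset into a file that re-loads atomically: 'flush ruleset'
# first, then the listing, so 'nft -f' on it replaces everything in one batch.
save_ruleset() {
    { echo "flush ruleset"; "$NFT" list ruleset; } > "$1"
}

# Wait up to $1 seconds for the literal answer "yes" on stdin.
confirm_keep() {
    local answer=""
    read -r -t "$1" -p "Keep the new ruleset? Type yes within ${1}s: " answer || return 1
    [ "$answer" = yes ]
}

# Returns 0 if the new ruleset was kept, 2 on a syntax error (nothing loaded),
# 3 if it was reverted, 1 on any other failure (backup or load).
safe_reload() {
    local new=$1 timeout=${2:-60} backup
    check_ruleset "$new" || { echo "syntax check failed, nothing loaded" >&2; return 2; }
    backup=$(mktemp) || return 1
    if ! save_ruleset "$backup"; then rm -f "$backup"; return 1; fi
    if ! "$NFT" -f "$new"; then rm -f "$backup"; return 1; fi
    if confirm_keep "$timeout"; then
        rm -f "$backup"
        return 0
    fi
    echo "no confirmation, restoring previous ruleset" >&2
    if "$NFT" -f "$backup"; then
        rm -f "$backup"
    else
        echo "revert failed, backup kept at $backup" >&2
    fi
    return 3
}

# Run as: safe_reload.sh new.nft [seconds]; with no arguments only the
# functions are defined, so the file can also be sourced.
if [ $# -gt 0 ]; then safe_reload "$1" "${2:-60}"; exit $?; fi
```

Because the backup starts with 'flush ruleset' and nft -f applies a file as one transaction, the revert either fully restores the old rules or fails leaving the new ones in place; it never leaves a half-applied mix.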
* "Test" mode for nft?
From: Jeff Kletsky @ 2017-08-21 0:05 UTC (permalink / raw)
To: netfilter
Slowly working through nftables syntax, with a lot of trial and error,
my rules occasionally compile and load.
Unfortunately, they also have resulted in rules that have blocked my
access to the machine, even with (I thought) carefully ensuring that my
management interface was unrestricted.
Is there a "test" mode for nft that allows me to compile a candidate
rule set and dump the results for inspection, without loading it into
the kernel?
Jeff