Atomic rule replacement

From nftables HOWTO

You can use the -f option to atomically update your rule-set:

% nft -f file

Where file contains your rule-set.

You can save your rule-set by storing the existing listing in a file, i.e.

% nft list table filter > filter-table

Then you can restore it by using the -f option:

% nft -f filter-table

If you prepend the line flush table filter at the very beginning of the filter-table file, you achieve atomic rule-set replacement equivalent to what iptables-restore provides. Note that the kernel handles all the rule commands in the file in one single transaction, so the flushing and the loading of the new rules happen in one single shot: the old rule-set stays in effect until the whole file has been accepted, and if any command in the file fails, nothing is changed.

Some people prefer to maintain a shell script file with the rule-set. Beware of that approach: you cannot achieve atomic rule-set updates with a shell script file, since each nft invocation is its own transaction and a failure halfway through leaves the kernel with a partial rule-set. Therefore, the best way to go is to use the native nftables scripting capabilities and to restore your rule-set via nft -f.
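The procedure above, turned into a small POSIX shell helper as an added example (this is not code from the nftables HOWTO). It takes a file saved with nft list table filter, writes a new file that declares the table, flushes it and then re-creates its contents, so that nft -f applies the whole replacement in one transaction. The add table line is included because flush table fails if the table does not exist yet; add table on an existing table is harmless. The sample dump, the family/table names and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the nftables wiki.
# Builds an atomic-replacement file from a saved "nft list table" dump.

# make_atomic_ruleset SRC DST [FAMILY] [TABLE]
# Writes DST as: shebang, "add table", "flush table", then the contents
# of SRC. Loading DST with "nft -f" flushes and repopulates the table in
# a single kernel transaction.
make_atomic_ruleset() {
    src="$1"; dst="$2"; family="${3:-ip}"; table="${4:-filter}"
    {
        printf '#!/usr/sbin/nft -f\n'
        # ensure the table exists so the flush below cannot fail
        printf 'add table %s %s\n' "$family" "$table"
        # drop every rule of the table; chains and the table itself stay
        printf 'flush table %s %s\n' "$family" "$table"
        cat "$src"
    } > "$dst"
}

# write_sample_dump FILE
# Constructed stand-in for the output of "nft list table filter"
# (assumed table contents, not taken from the page).
write_sample_dump() {
    cat > "$1" <<'EOF'
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
}
EOF
}

# load_atomic FILE
# Parse-check the file first (nft -c does not touch the kernel), then
# commit it. Requires root and the nft binary, so it is not run here.
load_atomic() {
    nft -c -f "$1" && nft -f "$1"
}

# Usage (as root):
#   nft list table filter > filter-table
#   make_atomic_ruleset filter-table filter-atomic.nft ip filter
#   load_atomic filter-atomic.nft
```

The generated file is an ordinary nft script, so it can also be kept as the master copy of the rule-set and reloaded with nft -f whenever it changes; a syntax error anywhere in it is caught by nft -c -f before the running rule-set is touched.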
