Exporting nftables rules and configuration

Exporting nftables rules

The usage of nftables will slowly grow in the upcoming years, with the goal of becoming the successor of iptables. Where iptables rules are harder to parse, nftables comes by default with an export facility. Export formats include JSON and XML.

Command syntax

When using the command line utility nft for the first time, it looks a little unfriendly to the user: no suggestions on what to do, nor clear help on often used commands. To save you some time, we will look into the nft commands and document them here for easy reference later on. We are sure the utilities of nftables, with nft in particular, will get some work in the upcoming releases.

Exporting rules

The tool nft has an export option, followed by the format to export to. Right now it supports both JSON and XML. These formats are common and very easy to parse.

Export to XML:

nft export xml

The output will look something like this:

[Screenshot: Exporting nftables rules with nft export xml]

Export to JSON:

nft export json
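Since the point of the export is that the rule set becomes easy to parse, here is an added example (not from the original post) that reads an exported rule set in JSON and flags base chains whose default policy still accepts traffic. It assumes the libnftables JSON schema (`{"nftables": [{"table": ...}, {"chain": ...}, ...]}`) as emitted by `nft -j list ruleset` on current releases; the sample document is constructed for this example.

```python
import json

# Constructed sample export (libnftables JSON schema, assumed): one inet
# table, an input base chain that still accepts by default, a forward
# base chain that drops, and a regular chain with no hook.
SAMPLE_EXPORT = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "input",
               "handle": 1, "type": "filter", "hook": "input",
               "prio": 0, "policy": "accept"}},
    {"chain": {"family": "inet", "table": "filter", "name": "forward",
               "handle": 2, "type": "filter", "hook": "forward",
               "prio": 0, "policy": "drop"}},
    {"chain": {"family": "inet", "table": "filter", "name": "ssh_ok",
               "handle": 3}},
]})

# Hooks where an "accept" default policy means any packet that matches no
# rule reaches the host (input) or is passed through it (forward).
FILTER_HOOKS = {"input", "forward"}


def base_chains(export_text):
    """Return the chain objects that are attached to a netfilter hook."""
    doc = json.loads(export_text)
    chains = [obj["chain"] for obj in doc["nftables"] if "chain" in obj]
    return [c for c in chains if "hook" in c]


def open_policy_chains(export_text):
    """Return 'family/table/chain' ids of input/forward base chains whose
    default policy is accept. nft treats a missing policy as accept."""
    return [f"{c['family']}/{c['table']}/{c['name']}"
            for c in base_chains(export_text)
            if c["hook"] in FILTER_HOOKS
            and c.get("policy", "accept") == "accept"]


if __name__ == "__main__":
    # Pipe a real export into json.loads instead of SAMPLE_EXPORT to audit
    # an actual host; nothing here talks to the kernel.
    for chain in open_policy_chains(SAMPLE_EXPORT):
        print(f"WARN: base chain {chain} falls through to policy accept")
```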

Importing nftables rules

At this moment there is no import function yet. According to the documentation, it will be implemented in upcoming releases. An import option would clearly be useful for sharing rules across many systems. One great example is the proposed nf-sync utility, which replicates nftables rules.


One comment

  • Robin

    I have no issue with the aspirational statement that “The usage of nftables will slowly grow in the upcoming years, with the goal to become the successor of iptables”, but I’ve just upgraded from openSUSE Leap 15.2 – using iptables – to Leap 15.3, which uses an nftables backend by default, but that broke the firewall because python-nftables couldn’t create working configuration sets from the correctly-structured and previously working zone file and ipsets.

    The details are at https://forums.opensuse.org/showthread.php/564778-Upgrade-from-15-2-breaks-working-firewalld-configuration if any of the developers are reading this.

