Exporting nftables rules and configuration
Exporting nftables rules
The usage of nftables will slowly grow in the upcoming years, with the goal to become the successor of iptables. Where iptables rules are harder to parse, nftables comes by default with an exporting facility. Exports formats include JSON and XML.
When using the command line utility nft for the first time, it looks a little bit unfriendly to the user. No suggestions on what to do, nor clear help on often used commands. To save you some time, we will look into nftables and document them for easy access later on. We are sure the utilities of nftables, with nft in particular, will get some work in the upcoming releases.
The tool nft has an export option, followed by the format to export. Right now it support both JSON or XML. These formats are common and very easy to parse.
Export to XML:
nft export xml
The output will look something like this:
nft export json
Importing nftables rules
At this moment there is no import function yet. According to the documentation, this will be implemented in the upcoming releases. Clearly a useful option for sharing rules over many systems. One great example is the proposed nf-sync utility, which replicates nftables rules.
I have no issue with the aspirational statement that “The usage of nftables will slowly grow in the upcoming years, with the goal to become the successor of iptables”, but I’ve just upgraded from Opensuse Leap 15.2 – using iptables – to Leap 15.3, which uses a nftables backend by default, but that broke the firewall because python-nftables couldn’t create working configuration sets from the correctly-structured and previously working zone file and ipsets.
The details are at https://forums.opensuse.org/showthread.php/564778-Upgrade-from-15-2-breaks-working-firewalld-configuration if any of the developers are reading this.