source: https://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level
이전 글: 룰 표현 / Building rules through expressions
다음 글: 룰셋 갱신 지켜보기 / Monitoring ruleset updates
nft native 문법
목록 확인
salsal@r3:~$ sudo nft list ruleset
table ip filter {
chain output {
type filter hook output priority 0; policy accept;
ip daddr 7.7.7.7 counter packets 0 bytes 0
ip daddr 6.6.6.6 counter packets 0 bytes 0
ip daddr 9.9.9.9 counter packets 0 bytes 0
}
}family 별로도 확인 가능합니다.
salsal@r3:~$ sudo nft list ruleset ip6
salsal@r3:~$ sudo nft list ruleset ip
salsal@r3:~$ sudo nft list ruleset arp
salsal@r3:~$ sudo nft list ruleset bridge
salsal@r3:~$ sudo nft list ruleset inetFlusing
salsal@r3:~$ sudo nft list ruleset
table ip filter {
chain output {
type filter hook output priority 0; policy accept;
ip daddr 7.7.7.7 counter packets 0 bytes 0
ip daddr 6.6.6.6 counter packets 0 bytes 0
ip daddr 9.9.9.9 counter packets 0 bytes 0
}
}
salsal@r3:~$ sudo nft flush ruleset
salsal@r3:~$ sudo nft list ruleset
salsal@r3:~$family 별로 flush 할 수 있습니다.
salsal@r3:~$ sudo nft flush ruleset ip6
salsal@r3:~$ sudo nft flush ruleset ip
salsal@r3:~$ sudo nft flush ruleset arp
salsal@r3:~$ sudo nft flush ruleset bridge
salsal@r3:~$ sudo nft flush ruleset inet백업/복구
salsal@r3:~$ sudo nft list ruleset
table ip filter {
chain output {
type filter hook output priority 0; policy accept;
ip daddr 7.7.7.7 counter packets 0 bytes 0
ip daddr 6.6.6.6 counter packets 0 bytes 0
ip daddr 9.9.9.9 counter packets 0 bytes 0
}
}
salsal@r3:~$ echo "flush ruleset" > backup.nft
salsal@r3:~$ sudo nft list ruleset >> backup.nft
salsal@r3:~$ cat backup.nft
flush ruleset
table ip filter {
chain output {
type filter hook output priority 0; policy accept;
ip daddr 7.7.7.7 counter packets 0 bytes 0
ip daddr 6.6.6.6 counter packets 0 bytes 0
ip daddr 9.9.9.9 counter packets 0 bytes 0
}
}nft -f file을 이용하여 복구할 수 있습니다.
salsal@r3:~$ sudo nft -f backup.nft
salsal@r3:~$ sudo nft list ruleset
table ip filter {
chain output {
type filter hook output priority 0; policy accept;
ip daddr 7.7.7.7 counter packets 0 bytes 0
ip daddr 6.6.6.6 counter packets 0 bytes 0
ip daddr 9.9.9.9 counter packets 0 bytes 0
}
}
JSON 형식
salsal@r3:~$ sudo nft list ruleset
table ip filter {
chain output {
type filter hook output priority 0; policy accept;
ip daddr 7.7.7.7 counter packets 0 bytes 0
ip daddr 6.6.6.6 counter packets 0 bytes 0
ip daddr 9.9.9.9 counter packets 0 bytes 0
}
}
# 아래 명령어는 동작하지 않음
salsal@r3:~$ sudo nft --json list ruleset
nft: unrecognized option '--json'
# 대신 아래 명령어를 이용
salsal@r3:~$ sudo nft export ruleset vm json
{"nftables":[{"add":[{"table":{"name":"filter","family":"ip","flags":0,"use":1}},{"chain":{"name":"output","handle":1,"table":"filter","family":"ip","use":3,"type":"filter","hooknum":"output","prio":0,"policy":"accept"}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":2,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":4,"data0":"0x07070707"}}},{"type":"counter","pkts":0,"bytes":0}]}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":3,"position":2,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":4,"data0":"0x06060606"}}},{"type":"counter","pkts":0,"bytes":0}]}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":4,"position":3,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":4,"data0":"0x09090909"}}},{"type":"counter","pkts":0,"bytes":0}]}}]}]}
salsal@r3:~$
'nftables' 카테고리의 다른 글
| Scripting (0) | 2021.08.06 |
|---|---|
| 룰셋 갱신 지켜보기 / Monitoring ruleset updates (0) | 2021.08.06 |
| 룰 표현 / Building rules through expressions (0) | 2021.08.06 |
| 명령어에서 오류 출력 (0) | 2021.08.06 |
| 순식간에 많은 룰 변경 / Atomic rule replacement (0) | 2021.08.05 |