From patchwork Thu Aug 10 17:29:15 2017
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 800284
X-Patchwork-Delegate: pablo@netfilter.org
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 1/6] nft.8: Document operations on ruleset
Date: Thu, 10 Aug 2017 19:29:15 +0200
Message-Id: <20170810172920.14893-2-phil@nwl.cc>
In-Reply-To: <20170810172920.14893-1-phil@nwl.cc>
References: <20170810172920.14893-1-phil@nwl.cc>

People new to nftables and yet unaware of the 'list ruleset' and 'flush ruleset' commands have a hard time. Therefore put a description of those prominently at the top, even before explaining operations on tables and chains.

Since 'export ruleset' is closely related, document it here as well and remove its sparse description from the ADDITIONAL COMMANDS section.

Signed-off-by: Phil Sutter
---
 doc/nft.xml | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 72 insertions(+), 15 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 4d03a3dbc75bf..91b9bb378c80a 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -465,6 +465,78 @@ filter input iif $int_ifs accept + Ruleset + + + + list + flush + + ruleset + family + + + export + ruleset + format + + + + + The ruleset keyword is used to identify the whole + set of tables, chains, etc. currently in place in kernel. The + following ruleset commands exist: + + + + + + + + Print the ruleset in human-readable format. + + + + + + + + Clear the whole ruleset. Note that unlike iptables, this + will remove all tables and whatever they contain, + effectively leading to an empty ruleset - no packet + filtering will happen anymore, so the kernel accepts any + valid packet it receives. + + + + + + + + Print the ruleset in machine readable format. The + mandatory format parameter + may be either xml or + json. + + + + + + + It is possible to limit list and + flush to a specific address family only. For a + list of valid family names, see ADDRESS FAMILIES above. + + + + Note that contrary to what one might assume, the output generated + by export is not parseable by + nft -f. Instead, the output of + list command serves well for that purpose. + + + + Tables @@ -4362,21 +4434,6 @@ add rule nat prerouting tcp dport 22 redirect to :2222 These are some additional commands included in nft. - export - - Export your current ruleset in XML or JSON format to stdout. - - - Examples: - -% nft export xml -[...] -% nft export json -[...] - - - - monitor The monitor command allows you to listen to Netlink events produced
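Review bot: in the first hunk (the new Ruleset section at @@ -465), the `flush` entry's closing clause "so the kernel accepts any valid packet it receives" is vaguer than it needs to be, and "currently in place in kernel" is missing its article; say directly that once every table is gone there are no base chains left and every packet passes unfiltered. Since the section already states that `list` output is what `nft -f` accepts while `export` output is not, that remark is more useful placed next to `flush` as the way to take a restorable snapshot first, e.g. `nft list ruleset > ruleset.nft` before `nft flush ruleset`, restored with `nft -f ruleset.nft`. The family paragraph could also make explicit that `flush ruleset <family>` removes every table of that family, with everything they contain, and not only their rules.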
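Review bot: the second hunk (@@ -4362) deletes the only usage examples of the export command, `% nft export xml` and `% nft export json`, and the new synopsis in the Ruleset section spells the command as `export ruleset format`, i.e. with a `ruleset` keyword the removed examples did not use. Either carry the two examples over to the new export entry in whichever form the parser accepts, or state in the new section whether the shorter `nft export xml` spelling remains valid, so readers who relied on the old ADDITIONAL COMMANDS text are not left without a working invocation.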