rpthms / nft-geo-filter

Allow/deny traffic in nftables using country specific IP blocks
MIT License
97 stars 24 forks

Add a dry-run option that outputs the new rules to stdout but doesn't modify anything #13

Open CristianCantoro opened 3 years ago

CristianCantoro commented 3 years ago

Hi,

this is a request for an enhancement. The idea is to add a --dry-run option that outputs the new rules to stdout without actually changing anything; that would be useful to check the output of the command before actually running it.

rpthms commented 3 years ago

Dry run shouldn't be too hard. We could set the geo-filter table to dormant right from the get-go (that way its rules will never be evaluated), then add the IP block sets and rules as usual, then print out the ruleset and delete the geo-filter table.

andrey-utkin commented 2 years ago

I think the point is to work successfully even if it's impossible to run nft. That way I could

all before affecting the actual configuration. Potentially before the target machine even boots.
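
An added sketch of the two ideas in this thread, not code from nft-geo-filter: it renders a dormant geo-filter table as an nft script on stdout without ever invoking nft, and validates every IP block so that a malformed line in a downloaded block list cannot end up in the ruleset text. The set and chain names, the hook and priority, and the sample blocks are assumptions made for the example.

```python
import ipaddress

# Hypothetical names for this sketch; the project's real identifiers may differ.
FAMILY, TABLE, CHAIN = "inet", "geo-filter", "filter-chain"

def split_blocks(lines):
    """Parse CIDR strings, reject anything that is not a network, merge overlaps."""
    # ip_network() raises ValueError on any text that is not a valid CIDR block.
    nets = [ipaddress.ip_network(l.strip()) for l in lines if l.strip()]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6

def render_ruleset(lines, dormant=True):
    """Return an nft script as text. nft is never invoked."""
    v4, v6 = split_blocks(lines)
    out = [f"table {FAMILY} {TABLE} {{"]
    if dormant:
        # A dormant table is loaded but its chains are not evaluated.
        out.append("    flags dormant")
    rules = []
    for name, typ, match, nets in (("filter-v4", "ipv4_addr", "ip", v4),
                                   ("filter-v6", "ipv6_addr", "ip6", v6)):
        if not nets:
            continue
        out += [f"    set {name} {{",
                f"        type {typ}",
                "        flags interval",
                "        elements = { " + ", ".join(map(str, nets)) + " }",
                "    }"]
        rules.append(f"        {match} saddr @{name} drop")
    out += [f"    chain {CHAIN} {{",
            "        type filter hook prerouting priority 0; policy accept;",
            *rules, "    }", "}"]
    return "\n".join(out) + "\n"

# Constructed sample input (documentation address ranges).
SAMPLE = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    print(render_ruleset(SAMPLE), end="")
```

On a machine that does have nft, the printed script can be syntax-checked without applying it by saving it to a file and running `nft -c -f` on that file.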