path: root/doc/nft.txt
author Phil Sutter <> 2018-12-17 16:29:56 +0100
committer Pablo Neira Ayuso <> 2018-12-21 01:35:54 +0100
commit 8d51f169e0e832a41d2ed278be903c08bd4fa473 (patch)
tree e53044907bdd144a2948dba52cd65f83ab183c2e /doc/nft.txt
parent 9e84f3f083bb33f4de974fd87a5d06fb9609be12 (diff)
src: Reject 'export vm json' command
Since libnftnl recently dropped JSON output support, this form of JSON export is not available anymore. Point at 'nft -j list ruleset' command for a replacement in error message.

Since 'export' command is not useable anymore, remove it from documentation. Instead point out that 'list ruleset' command serves well for dumping and later restoring.

To not cause pointless inconvenience for users wishing to store their ruleset in JSON format, make JSON parser fallback to CMD_ADD if no recognized command property was found. This allows to feed the output of 'nft -j list ruleset' into 'nft -f' without any modification.

Signed-off-by: Phil Sutter <>
Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'doc/nft.txt')
1 files changed, 9 insertions, 9 deletions
diff --git a/doc/nft.txt b/doc/nft.txt
index 45af5bb9..a4ab4a8e 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -9,7 +9,7 @@ nft - Administration tool of the nftables framework for packet filtering and cla
-*nft* [ *-nNscaeSupy* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
+*nft* [ *-nNscaeSupyj* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
*nft* *-h*
*nft* *-v*
@@ -74,6 +74,10 @@ For a full summary of options, run *nft --help*.
When inserting items into the ruleset using *add*, *insert* or *replace* commands, print notifications
just like *nft monitor*.
+ Format output in JSON. See libnftables-json(5) for a schema description.
*--includepath directory*::
Add the directory 'directory' to the list of directories to be searched for included files. This
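Review bot: The added description "Format output in JSON" covers output only, while the commit message says the JSON from 'nft -j list ruleset' can be fed back through 'nft -f'; suggest stating here whether the option also affects how input is parsed, so the restore invocation is documented next to the dump one. The added text also shows no definition term of its own in this hunk, unlike the *--includepath directory*:: entry that follows, so check that the term line for the new option sits directly above it.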
@@ -228,7 +232,6 @@ RULESET
{list | flush} *ruleset* ['family']
-export [*ruleset*] 'format'
The *ruleset* keyword is used to identify the whole set of tables, chains, etc.
currently in place in kernel. The following *ruleset* commands exist:
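Review bot: The RULESET synopsis loses the export [*ruleset*] 'format' line without any pointer to what replaces it, although the commit message says nft now rejects the command with an error naming 'nft -j list ruleset'. Suggest a short note in this section naming that replacement, so anyone whose scripts relied on the JSON export finds the migration path in the man page and not only in the error text.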
@@ -241,15 +244,12 @@ all tables and whatever they contain, effectively leading to an empty ruleset -
no packet filtering will happen anymore, so the kernel accepts any valid packet
it receives.
-*export*:: Print the ruleset in machine readable format. The mandatory 'format'
-parameter may be either xml or json.
It is possible to limit *list* and *flush* to a specific address family only.
For a list of valid family names, see <<ADDRESS_FAMILIES>> above.
-Note that contrary to what one might assume, the output generated by *export* is
-not parseable by *nft -f*. Instead, the output of *list* command serves well for
-that purpose.
+By design, *list ruleset* command output may be used as input to *nft -f*.
+Effectively, this is the nft-equivalent of *iptables-save* and
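Review bot: The added paragraph starting "By design, *list ruleset* command output may be used as input to *nft -f*" presents the listing as a restore format but does not say that loading it adds to whatever ruleset is already in the kernel, which is also how the commit message describes the JSON path (fallback to CMD_ADD). Suggest adding that a clean restore needs *flush ruleset* first, otherwise the comparison with *iptables-save* invites reloading a dump on top of a live ruleset and ending up with duplicated rules. It would also help to mention the JSON form here, since the commit message makes 'nft -j list ruleset' output loadable as well.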
@@ -783,7 +783,7 @@ Netlink socket with 3.
-iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+libnftables(3), libnftables-json(5), iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
There is an official wiki at: