* when will nftables have ability to delete matching rule like iptables?
@ 2021-03-08 13:14 Amish
From: Amish @ 2021-03-08 13:14 UTC (permalink / raw)
To: netfilter
Hello,
I have a few programs that currently use iptables to add / delete firewall
rules.
I have been waiting to migrate to nftables for 3-4 years. (I do not
want to use nft based iptables)
But the roadblock for me is the inability of nftables to delete a matching rule.
(similar to iptables -D INPUT -s 192.168.1.10 -j ACCEPT)
Obtaining the handle first and then deleting is difficult programmatically.
Have I missed any easy way out here?
Why is it difficult for nftables to find and delete matching rule?
Is there any ETA for this?
Curious to know,
Thank you,
Amish.
* Re: when will nftables have ability to delete matching rule like iptables?
@ 2021-03-08 15:24 ` kfm
From: kfm @ 2021-03-08 15:24 UTC (permalink / raw)
To: Amish, netfilter
On 08/03/2021 13:14, Amish wrote:
> Hello,
>
> I have a few programs that currently use iptables to add / delete firewall
> rules.
>
> I have been waiting to migrate to nftables for 3-4 years. (I do not
> want to use nft based iptables)
>
> But the roadblock for me is the inability of nftables to delete a matching rule.
> (similar to iptables -D INPUT -s 192.168.1.10 -j ACCEPT)
>
> Obtaining the handle first and then deleting is difficult programmatically.
>
> Have I missed any easy way out here?
Assuming that "-D INPUT -s 192.168.1.10 -j ACCEPT" is indicative of the
rules that are being added and removed, the easy way would be to
manipulate a set rather than a chain. That also goes for iptables, given
the existence of ipset.
--
Kerin Millar
* Re: when will nftables have ability to delete matching rule like iptables?
@ 2021-03-08 22:46 ` Amish V
From: Amish V @ 2021-03-08 22:46 UTC (permalink / raw)
To: kfm; +Cc: netfilter
> On 08-Mar-2021, at 8:54 PM, kfm <kfm@plushkava.net> wrote:
>
>> On 08/03/2021 13:14, Amish wrote:
>> Hello,
>> I have a few programs that currently use iptables to add / delete firewall rules.
>> I have been waiting to migrate to nftables for 3-4 years. (I do not want to use nft based iptables)
>> But the roadblock for me is the inability of nftables to delete a matching rule. (similar to iptables -D INPUT -s 192.168.1.10 -j ACCEPT)
>> Obtaining the handle first and then deleting is difficult programmatically.
>> Have I missed any easy way out here?
>
> Assuming that "-D INPUT -s 192.168.1.10 -j ACCEPT" is indicative of the rules that are being added and removed, the easy way would be to manipulate a set rather than a chain. That also goes for iptables, given the existence of ipset.
No, I have many complex rules. The above was just an example.
When rules are complex, parsing the nft output programmatically to find the handle of the rule is not easy.
Regards,
Amish
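One way to get iptables -D style "delete the rule that matches this text" behaviour with the stock nft tool, as an added example that is not part of the thread: list the chain with `nft -a` (which prints `# handle N` after every rule), compare each rule's text exactly against the wanted rule, and delete by the handle found. The listing below is a constructed sample standing in for real `nft -a list chain` output; `find_rule_handle` and `delete_matching_rule` are hypothetical helper names, and the rule text must be given in the form nft itself prints it.

```shell
#!/bin/sh
# Constructed sample of `nft -a list chain inet filter input` output.
# Rule 9 is a superset of rule 7, which is why the match must be exact.
SAMPLE_LISTING='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept # handle 4
        ip saddr 192.168.1.10 accept # handle 7
        ip saddr 192.168.1.10 tcp dport 22 accept # handle 9
    }
}'

# find_rule_handle RULE   (listing read from stdin)
# Prints the handle of the rule whose text equals RULE exactly, or nothing.
# A substring/prefix match would wrongly hit rule 9 when asked for rule 7,
# so the comparison is on the whole rule text minus the handle comment.
find_rule_handle() {
    awk -v want="$1" '
        / # handle [0-9]+$/ {
            line = $0
            sub(/^[ \t]+/, "", line)           # drop indentation
            sub(/ # handle [0-9]+$/, "", line) # drop the trailing handle comment
            if (line == want) { print $NF; exit }
        }'
}

# delete_matching_rule FAMILY TABLE CHAIN RULE
# Live lookup followed by delete-by-handle; the two steps are not atomic,
# so run it under whatever lock serialises your other nft invocations.
delete_matching_rule() {
    handle=$(nft -a list chain "$1" "$2" "$3" | find_rule_handle "$4")
    [ -n "$handle" ] || { echo "no rule matching: $4" >&2; return 1; }
    nft delete rule "$1" "$2" "$3" handle "$handle"
}

# Kerin's alternative for the simple address case: keep the addresses in a
# set and add/remove elements, which needs no handle lookup at all:
#   nft add element inet filter allowed { 192.168.1.10 }
#   nft delete element inet filter allowed { 192.168.1.10 }
```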