From: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Netfilter Development Mailing list <netfilter-devel@vger.kernel.org>, Patrick McHardy <kaber@trash.net>
Subject: Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
Date: Mon, 1 Sep 2014 17:07:23 +0200
Message-ID: <CAOkSjBhJQGyJOJ=VwZmr-vhtPF5LRiCqD54XfOteHDo68X4dWw@mail.gmail.com>
In-Reply-To: <20140826110954.GA5648@salvia>

On 26 August 2014 13:09, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Please, implement this in nft. I think we can probably have an -x
> option, eg.
>
> nft -f -x ruleset-file
>
> The '-x' indicates that you want to flush any previous existing
> configuration before loading this 'ruleset-file'.
>
> -xx could also be used to remove any configuration regarding the
> existing families in the ruleset-file, ie. if the ruleset-file only
> contains a configuration for 'ip', all remaining families are left
> untouched.
>

Hi Pablo, Patrick.

I've looked into how to implement this '-x' option.

I wonder if it's worth having a better, "formal" command instead, like
 % nft flush ruleset
 % nft flush ruleset ip
 % nft flush ruleset ip6
 % nft flush ruleset arp
 [...]

This way, a user loading a new ruleset with -f can just put a first
line like this:

=========
nft flush ruleset
nft add table ip filter
nft add chain ip filter input
nft add rule ip filter input counter
nft add table ip6 filter
nft add chain ip6 filter input
[...]
=========

Or flush per family, as Pablo suggested:

=========
nft flush ruleset inet
nft add table inet filter
[...]
=========

Some benefits of this approach are that we have a concrete order to
flush the ruleset, in case the user wants no ruleset at all.
The lack of this shortcut seems to be an actual concern of some users.

-- 
Arturo Borrero González
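The point of putting `flush ruleset` on the first line is that `nft -f` then replaces the live ruleset in one transaction instead of merging new rules into whatever is already loaded (where stale accept rules would silently survive). The script below is an added example, not code from this thread or from the nftables project: it refuses to load a ruleset file unless its first effective line is a `flush ruleset` (optionally family-scoped), syntax-checks it with `nft -c -f`, and only then applies it. The helper names (`first_effective_line`, `ruleset_replaces`, `load_ruleset`) and the sample ruleset contents are constructed for the example; the `nft -c`, `nft -f` and `flush ruleset` syntax is current nftables syntax rather than the 2014 proposal quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): guard an 'nft -f' load so that it only
# runs when the file begins with 'flush ruleset', i.e. when loading replaces
# the live ruleset atomically instead of silently merging with whatever is
# already there. Helper names and the sample rulesets are constructed.

# Print the first line of a file that is neither blank nor a '#' comment.
first_effective_line() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | head -n 1
}

# Return 0 if the ruleset file starts with 'flush ruleset' (optionally
# restricted to one family, e.g. 'flush ruleset inet'), 1 otherwise.
ruleset_replaces() {
    case "$(first_effective_line "$1")" in
        "flush ruleset"|"flush ruleset "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Syntax-check with 'nft -c -f' first, then load. 'nft -f' applies the whole
# file in one transaction, so the flush and the new rules land together and
# the kernel never sees an empty ruleset in between.
load_ruleset() {
    if ! ruleset_replaces "$1"; then
        echo "refusing to load $1: it does not start with 'flush ruleset'" >&2
        return 1
    fi
    nft -c -f "$1" && nft -f "$1"
}

# Constructed sample: a minimal inet filter ruleset that replaces the live one.
SAMPLE_RULESET=$(mktemp)
cat > "$SAMPLE_RULESET" <<'EOF'
# Replace, do not merge: everything below starts from an empty ruleset.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 ct state new accept
    }
}
EOF

# Constructed sample with no leading flush: loading it would merge with
# (and keep) whatever rules are already active, so load_ruleset rejects it.
MERGE_RULESET=$(mktemp)
printf 'table inet filter {\n}\n' > "$MERGE_RULESET"

if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    load_ruleset "$SAMPLE_RULESET"
else
    echo "nft not available or not running as root; skipping live load"
fi
```

Run it as root on a host with nftables to apply the sample; elsewhere it only exercises the file checks. The family-scoped form (`flush ruleset inet`) is accepted too, matching the per-family variant discussed in the message.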
