On 21 January 2014 12:27, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Jan 21, 2014 at 11:06:46AM +0000, Patrick McHardy wrote:
>> We currently only support "add table" and "add chain" with NLM_F_EXCL.
>> This means we can't replace entire tables without a lot of extra effort,
>> also it's not possible to create tables/chains just in case they don't
>> already exist.
>>
>> To fix this, I'd propose to add two new commands, so we have the following:
>>
>> - add: add without NLM_F_EXCL
>> - create: add with NLM_F_EXCL
>> - replace: replace the entire thing
>
> I guess you have in mind to simplify current reloading via nft -f.
> Currently, we have to manually flush and delete chain/tables at this
> moment, which is a bit of PITA.
>

I have some old patches to allow operating over the entire ruleset:

list ruleset
flush ruleset
delete ruleset
wipe ruleset

I think they are handy for these situations. Think about a 'ruleset.nft' file starting like this:

==== 8< ====
wipe ruleset

table ip filter {
	[...]
}

table ip6 filter {
	[...]
}
==== 8< ====

Then, the load via `nft -f' could be straightforward.

Let me know if you want me to reboot them and resend.

regards
--
Arturo Borrero González