On 26 August 2014 13:09, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Please, implement this in nft. I think we can probably have an -x
> option, eg.
>
> nft -f -x ruleset-file
>
> The '-x' indicates that you want to flush any previous existing
> configuration before loading this 'ruleset-file'.
>
> -xx could also be used to remove any configuration regarding the
> existing families in the ruleset-file, ie. if the ruleset-file only
> contains a configuration for 'ip', all remaining families are left
> untouched.
>

Hi Pablo, Patrick.

I've looked into how to implement this '-x' option.

I wonder if it is worth having a better, "formal" command, like

% nft flush ruleset
% nft flush ruleset ip
% nft flush ruleset ip6
% nft flush ruleset arp
[...]

This way, a user loading a new ruleset with -f can just put a first line like this:

=========
nft flush ruleset
nft add table ip filter
nft add chain ip filter input
nft add rule ip filter input counter
nft add table ip6 filter
nft add chain ip6 filter input
[...]
=========

Or flush per family, as Pablo suggested:

=========
nft flush ruleset inet
nft add table inet filter
[...]
=========

Some benefits of this approach are that we have a concrete order to flush the ruleset, in the case the user wants no ruleset. The lack of this shortcut seems an actual concern of some users.

--
Arturo Borrero González
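As an added example, not code from the thread or from the nftables project: a POSIX shell preprocessor that derives the per-family "flush ruleset <family>" lines implied by the "-xx" semantics discussed above from the tables a ruleset file declares, so a reload resets only the families the file actually configures and leaves the others untouched. The function names and the sample ruleset are constructed for this example.

```shell
# Added example, not from the thread: derive the family-scoped flush prefix
# that the proposed "-xx" semantics imply from the tables a ruleset file declares.

# Print one "flush ruleset <family>" line for every address family that the
# file configures via "add table <family> <name>" or "table <family> <name>".
# Families absent from the file are not flushed. Comments and a leading "nft "
# (the shell-script style used in the thread) are tolerated.
flush_prefix_for_ruleset() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                # strip comments
            sub(/^[ \t]*nft[ \t]+/, "", line)   # tolerate "nft add table ..."
            $0 = line                           # re-split into fields
            fam = ""
            if (NF >= 4 && $1 == "add" && $2 == "table") fam = $3
            else if (NF >= 3 && $1 == "table") fam = $2
            if (fam ~ /^(ip|ip6|inet|arp|bridge|netdev)$/ && !(fam in seen)) {
                seen[fam] = 1
                print "flush ruleset " fam
            }
        }
    ' "$1"
}

# Load a ruleset (plain nft -f syntax, no "nft" prefix) with its family-scoped
# flushes prepended, so the flush and the new rules reach nft as one input.
load_ruleset_scoped() {
    { flush_prefix_for_ruleset "$1"; cat "$1"; } | nft -f -
}

# Constructed sample ruleset: only ip and ip6 are configured, so inet, arp,
# bridge and netdev must be left untouched; the second ip table must not
# produce a second flush line.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample, not a real production ruleset
add table ip filter
add chain ip filter input { type filter hook input priority 0; }
add rule ip filter input counter
add table ip6 filter
add chain ip6 filter input { type filter hook input priority 0; }
add table ip nat
EOF
}
```

Only load_ruleset_scoped invokes nft; flush_prefix_for_ruleset can be run on any ruleset file to preview which families a reload would reset.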