On Mon, Sep 01, 2014 at 05:07:23PM +0200, Arturo Borrero Gonzalez wrote:
> On 26 August 2014 13:09, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Please, implement this in nft. I think we can probably have an -x
> > option, e.g.
> >
> > nft -f -x ruleset-file
> >
> > The '-x' indicates that you want to flush any previously existing
> > configuration before loading this 'ruleset-file'.
> >
> > -xx could also be used to remove any configuration regarding the
> > existing families in the ruleset-file, i.e. if the ruleset-file only
> > contains a configuration for 'ip', all remaining families are left
> > untouched.
> >
>
> Hi Pablo, Patrick.
>
> I've looked into how to implement this '-x' option.
>
> I wonder if it is worth having a better, "formal" command, like
> % nft flush ruleset
> % nft flush ruleset ip
> % nft flush ruleset ip6
> % nft flush ruleset arp
> [...]
>
> This way, a user loading a new ruleset with -f can just put a first
> line like this:
>
> =========
> nft flush ruleset
> nft add table ip filter
> nft add chain ip filter input
> nft add rule ip filter input counter
> nft add table ip6 filter
> nft add chain ip6 filter input
> [...]
> =========
>
> Or flush per family, as Pablo suggested:
>
> =========
> nft flush ruleset inet
> nft add table inet filter
> [...]
> =========
>
> Some benefits of this approach are that we have a concrete order to
> flush the ruleset, in the case the user wants no ruleset.
> The lack of this shortcut seems to be an actual concern of some users.

I agree, this sounds better than a command line option.
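An added example, not code from this thread or from the nftables project: a small POSIX shell pre-load check built around the in-file `flush ruleset` statement proposed above. It refuses to apply a ruleset file that does not open with a flush statement (so a repeated `nft -f` cannot silently append duplicate tables and rules) and reports which scope the file flushes. It assumes an nft that supports `-c` (check syntax without applying); the sample files are constructed.

```shell
#!/bin/sh
# nft_flush_scope FILE: print the scope of the first statement in FILE,
# which must be a flush: "all" for a bare "flush ruleset", the family name
# for "flush ruleset <family>", or "none" if the file starts with anything else.
nft_flush_scope() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/^nft[ \t]+/, "", line)  # tolerate a leading "nft " word
            if (line ~ /^flush[ \t]+ruleset([ \t]|$)/) {
                n = split(line, w, "[ \t]+")
                scope = (n >= 3 && w[3] != "") ? w[3] : "all"
                print scope
            } else {
                print "none"
            }
            exit                          # only the first statement matters
        }
    ' "$1"
}

# load_ruleset FILE: refuse files without a leading flush statement, then
# syntax-check with "nft -c -f" (nothing is applied) before loading for real.
load_ruleset() {
    scope=$(nft_flush_scope "$1")
    if [ "$scope" = "none" ]; then
        echo "refusing $1: ruleset does not start with 'flush ruleset'" >&2
        return 1
    fi
    echo "loading $1 (flush scope: $scope)" >&2
    nft -c -f "$1" || return 1
    nft -f "$1"
}

# Constructed sample files for a stand-alone run (not from the thread).
tmp=$(mktemp -d)
printf '# firewall\nflush ruleset\nadd table inet filter\n' > "$tmp/full.nft"
printf 'nft flush ruleset ip6\nnft add table ip6 filter\n' > "$tmp/ip6.nft"
printf 'add table ip filter\nadd chain ip filter input\n' > "$tmp/noflush.nft"

for f in full ip6 noflush; do
    echo "$f.nft: flush scope $(nft_flush_scope "$tmp/$f.nft")"
done
```

Only the scope check runs without privileges; `load_ruleset` needs root and an installed nft, and exits before touching nft when the check fails.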