On 17 December 2014 at 20:54, Jörg Thalheim <joerg@xxxxxxxxxxxxx> wrote:
> Signed-off-by: Jörg Thalheim <joerg@xxxxxxxxxxxxx>
> ---
>  .gitignore                |   2 +
>  configure.ac              |  35 +++++++++++++
>  files/Makefile.am         |   7 +++
>  files/nftables.service.in |  12 +++++
>  files/nftablesctl.in      | 129 ++++++++++++++++++++++++++++++++++++++++++++++
>  5 files changed, 185 insertions(+)
>  create mode 100644 files/nftables.service.in
>  create mode 100755 files/nftablesctl.in
>

Thanks for your work :-)

IMHO, this belongs to distributors, don't you think?

Anyway, some inlined comments.

> +nftables_start() {
> +  find /etc/nftables -maxdepth 1 -type f -name '*.rules' -print0 | \
> +    sort -z | xargs --null --no-run-if-empty --max-args=1 @sbindir@nft -f
> +

You are making a lot of assumptions, for example the '.rules' suffix.

> +  if [ -t 0 ] && [ "$1" = "--confirm" ]
> +  then
> +    echo "Please confirm that your network connection is working and press Ctrl+C on success"
> +    trap ctrl_c INT
> +
> +    sleep 20
> +
> +    echo "No response, flushing rules"
> +    nftables_stop
> +  fi
> +}
> +
> +nftables_list() {

Now (see latest v0.4 release) this is simply `nft list ruleset'.

> +  for P in ip inet ip6 arp bridge
> +  do
> +    nft_list_protocol "$P"
> +  done
> +}
> +
> +nftables_stop() {

Now this is simply `nft flush ruleset'.

> +  for P in ip inet ip6 arp bridge
> +  do
> +    nft_clear_protocol "$P"
> +  done
> +}
> +
> +nftables_restart() {
> +  nftables_stop
> +  nftables_start "$1"

Here, I think in the time between the stop and the start there is no ruleset
in the kernel.

I guess we can do it better, flushing the old ruleset and loading the new
one in a single, atomic step.

-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
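Review bot: `@sbindir@nft` in nftables_start has no separator between the directory and the binary; @sbindir@ is substituted without a trailing slash, so the script would try to run something like /usr/sbinnft. It should read `@sbindir@/nft`. In the same function, each file is loaded by its own `nft -f` run and the status of the xargs pipeline is never checked, so a parse error in one file leaves the earlier files applied, the later ones missing, and the script still proceeds to the `--confirm` timer; and when the timer expires, `nftables_stop` flushes every family, which leaves the host with no rules at all rather than with the ruleset that was active before the change. The handler named in `trap ctrl_c INT` (not in the quoted part) also has to terminate the script, because after `sleep 20` is interrupted execution otherwise continues into the "No response, flushing rules" branch.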
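Review bot: nftables_restart flushes the kernel ruleset before anything is known about whether the new files parse, and neither `nftables_stop` nor `nftables_start "$1"` has its exit status checked, so a syntax error in /etc/nftables ends with nothing loaded and no non-zero exit to signal it. Loading the new files as the single step proposed above (one file that begins with `flush ruleset`, applied in a single `nft -f` run) covers this case as well as the timing window, since nft applies the file as one transaction and a rejected batch leaves the previous ruleset in place.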
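An added example, not code from the patch or from the nftables project, of the single atomic step Arturo suggests for restart, and of a safer fallback for the `--confirm` timer: the sorted `*.rules` files are applied behind a `flush ruleset` line in one `nft -f` run, and if nobody confirms, the ruleset saved with `nft list ruleset` is restored instead of flushing everything. The directory, the `.rules` suffix and `@sbindir@` follow the quoted script; the `NFT` override and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the patch: reload nftables in one transaction and, in
# confirm mode, fall back to the previous ruleset rather than to no rules.
# Layout follows the quoted script (/etc/nftables/*.rules, @sbindir@ filled in
# by configure). NFT can be overridden, e.g. for testing without root.
NFT=${NFT:-@sbindir@/nft}

# Print 'flush ruleset' followed by the sorted *.rules files. Fed to 'nft -f',
# flush and new rules are committed together: a parse error anywhere rejects
# the whole batch and the running ruleset stays as it was.
build_ruleset() {
    printf 'flush ruleset\n'
    find "$1" -maxdepth 1 -type f -name '*.rules' | LC_ALL=C sort |
        while IFS= read -r f; do cat "$f"; done
}

# Apply the rules directory $1 in a single nft run; returns nft's status.
load_dir() {
    tmp=$(mktemp) || return 1
    build_ruleset "$1" > "$tmp"
    "$NFT" -f "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Load $1, then wait up to $2 seconds (default 20) for Ctrl+C. Without
# confirmation the saved ruleset is restored, so a lockout is undone without
# ever leaving the host unfiltered. Returns 0 (confirmed), 2 (rolled back)
# or nft's status if the new rules were rejected.
load_with_confirm() {
    dir=$1 timeout=${2:-20} confirmed=0
    backup=$(mktemp) || return 1
    { printf 'flush ruleset\n'; "$NFT" list ruleset; } > "$backup" ||
        { rm -f "$backup"; return 1; }
    load_dir "$dir"; rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$backup"; return "$rc"; fi
    trap 'confirmed=1' INT
    echo "New ruleset loaded. Press Ctrl+C within ${timeout}s to keep it."
    sleep "$timeout"
    trap - INT
    if [ "$confirmed" -eq 0 ]; then
        echo "No confirmation, restoring previous ruleset" >&2
        "$NFT" -f "$backup"
        rc=2
    fi
    rm -f "$backup"
    return "$rc"
}
```

Run as root with `NFT` unset (or pointing at the real binary), e.g. `load_with_confirm /etc/nftables 20`; `nft list ruleset` and `flush ruleset` need the v0.4 release mentioned in the thread.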