On 17 December 2014 at 21:37, "Arturo Borrero Gonzalez" <arturo.borrero.glez@xxxxxxxxx> wrote:
> On 17 December 2014 at 20:54, Jörg Thalheim <joerg@xxxxxxxxxxxxx> wrote:
>
>> Signed-off-by: Jörg Thalheim <joerg@xxxxxxxxxxxxx>
>> ---
>> .gitignore | 2 +
>> configure.ac | 35 +++++++++++++
>> files/Makefile.am | 7 +++
>> files/nftables.service.in | 12 +++++
>> files/nftablesctl.in | 129 ++++++++++++++++++++++++++++++++++++++++++++++
>> 5 files changed, 185 insertions(+)
>> create mode 100644 files/nftables.service.in
>> create mode 100755 files/nftablesctl.in
>
> Thanks for your work :-)
>
> IMHO, this belongs to distributors, don't you?

This was in the old sysvinit world. These days it is common for upstream projects to come along with service files, as they are more portable than shell scripts.

>
> Anyway, some inlined comments.
>
>> +nftables_start() {
>> + find /etc/nftables -maxdepth 1 -type f -name '*.rules' -print0 | \
>> + sort -z | xargs --null --no-run-if-empty --max-args=1 @sbindir@nft -f
>> +
>
> You are making lot of assumptions, for example the '.rules' suffix.
>
>> + if [ -t 0 ] && [ "$1" = "--confirm" ]
>> + then
>> + echo "Please confirm that your network connection is working and press Ctrl+C on
>> success"
>> + trap ctrl_c INT
>> +
>> + sleep 20
>> +
>> + echo "No response, flushing rules"
>> + nftables_stop
>> + fi
>> +}
>> +
>> +nftables_list() {
>
> Now (see latest v0.4 release) this is simply `nft list ruleset'.
>
>> + for P in ip inet ip6 arp bridge
>> + do
>> + nft_list_protocol "$P"
>> + done
>> +}
>> +
>> +nftables_stop() {
>
> Now this is simply `nft flush ruleset'.

Ok. I did not have a look at the latest release; when the script was written a year before, this was not possible.

>
>> + for P in ip inet ip6 arp bridge
>> + do
>> + nft_clear_protocol "$P"
>> + done
>> +}
>> +
>> +nftables_restart() {
>> + nftables_stop
>> + nftables_start "$1"
>
> Here, I think the time between the stop and start, there is not
> ruleset in the kernel.
> I guess we can do it better, flushing the old ruleset and loading the
> new one in a single, atomic step.

Is this possible with nft? If so, how?

>
> --
> Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
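Review bot: in nftables_start the command `@sbindir@nft -f` is missing a path separator; autoconf substitutes @sbindir@ without a trailing slash, so the expanded script would look for something like `/usr/sbinnft`. Write `@sbindir@/nft`. In the same pipeline, each `*.rules` file is loaded by its own `nft -f` invocation and the exit status of the xargs pipeline is never checked, so a syntax error in the second file leaves the first file's rules installed and the function carries on into the `--confirm` branch as if the load had succeeded. Concatenate the files and load them with a single `nft -f`, or at least test the pipeline status before continuing.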
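Review bot: the `--confirm` watchdog in nftables_start fails open: when no Ctrl+C arrives within the 20-second `sleep`, it calls nftables_stop, which flushes every table, so an administrator who lost the connection ends up with a host that has no firewall at all instead of its previous rules. Save the current ruleset before loading (with `nft list ruleset`, as suggested above) and restore that on timeout. Note also that `[ -t 0 ]` silently disables the whole check when stdin is not a terminal, for example when the script is started from the nftables.service unit added in this series, so the safeguard is absent precisely during unattended reloads; at minimum print a notice when `--confirm` was given but is being ignored. The `ctrl_c` handler installed by `trap ctrl_c INT` is not part of the quoted excerpt, so its behaviour cannot be reviewed here.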
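Review bot: nftables_restart runs nftables_stop and then nftables_start, so, as already noted in the thread, the kernel has an empty ruleset between the two calls, and if nftables_start fails the host stays unfiltered. The `nft flush ruleset` command mentioned above can instead be placed as the first statement of the file handed to `nft -f`; nft submits the whole file as one transaction, so the flush and the new rules are applied together and the old ruleset remains in place if the new one is rejected.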
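The single-transaction reload that the last message asks about, as an added example that is not part of this thread or of the nftablesctl script under review: it gathers every `*.rules` file from a directory (assumed, like the script, to be /etc/nftables) into one file whose first line is `flush ruleset` and hands that single file to `nft -f`, so the flush and the load are one batch and the old ruleset survives if the new one fails to parse. The names `NFT_DIR`, `NFT`, `build_ruleset`, `apply_ruleset`, the file name atomic-reload.sh and the `--check` mode (which relies on nft's `-c`/`--check` dry-run flag being available) are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the nftablesctl patch: replace the running
# nftables ruleset in ONE transaction instead of "stop, then start".
# Assumptions: rules live as /etc/nftables/*.rules (as in the script under
# review), nft is in PATH, and the installed nft understands -c (--check).
set -eu
LC_ALL=C; export LC_ALL            # deterministic file ordering

NFT_DIR="${NFT_DIR:-/etc/nftables}"
NFT="${NFT:-nft}"

# Emit one ruleset on stdout: "flush ruleset" followed by every *.rules file
# in sorted order. Because the flush is part of the same file, nft -f submits
# flush + new rules as a single batch: either all of it is applied or none.
# Returns 1 when the directory holds no rules files, so that a typo in the
# directory name never turns into "flush everything and load nothing".
build_ruleset() {
    dir=$1
    found=0
    printf 'flush ruleset\n'
    for f in "$dir"/*.rules; do          # glob order is sorted under LC_ALL=C
        [ -f "$f" ] || continue
        printf '# --- %s ---\n' "$f"
        cat "$f"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Validate (--check) or apply the assembled ruleset. With --check nothing is
# changed; without it the kernel switches from the old to the new ruleset
# atomically, and on a syntax error the old ruleset stays in place.
apply_ruleset() {
    mode=${1:-}
    tmp=$(mktemp)
    if ! build_ruleset "$NFT_DIR" > "$tmp"; then
        echo "no *.rules files in $NFT_DIR, refusing to flush" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ "$mode" = "--check" ]; then
        "$NFT" -c -f "$tmp" && rc=0 || rc=$?
    else
        "$NFT" -f "$tmp" && rc=0 || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage:  NFT_DIR=/etc/nftables sh atomic-reload.sh --check   # dry run only
#         NFT_DIR=/etc/nftables sh atomic-reload.sh --apply   # replace ruleset
case "${1:-}" in
    --check|--apply) apply_ruleset "$1" ;;
esac
```

Running `--check` first and `--apply` only after it succeeds keeps the behaviour of the `--confirm` watchdog (rejecting a bad ruleset) without ever leaving the host with no rules at all.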