Hi Pablo,

Originating from a problem with ebtables-nft user-defined chain
policies, I made up the following use-case:

| # iptables-nft -A FORWARD -j ACCEPT
| # iptables-nft-restore --noflush <<EOF
| *filter
| -D FORWARD -j ACCEPT
| -F
| COMMIT
| EOF
| iptables-restore v1.8.2 (nf_tables):
| line 3: RULE_FLUSH failed (No such file or directory): rule in chain FORWARD

In case anyone reading this is not aware of it: In nftables, flushing a
chain works by sending NFT_MSG_DELRULE message with just table and chain
defined, no rule handle or position.

The problem is that delete command in batch removes the rule, flush
command then tries to delete the same rule again. Kernel returns -ENOENT
in nf_tables_delrule_deactivate().

The above use-case works with legacy iptables. Question is if I have to
work around this in userspace or if we should make
nf_tables_delrule_deactivate() return 0 even if given rule is not
active? Downside is that second option would cause double deletion of
same rule within a single batch to succeed.

Help?

Thanks, Phil
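
The batch behaviour described in the mail above, as an added example that is not part of the original message and is not kernel code: a simplified userspace model of a one-rule chain, replaying delete-then-flush and delete-then-delete under both return-value choices. The struct, the function names and the strict flag are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: a rule stays active until the batch deactivates it. */
struct rule { int handle; bool active; };

/* strict: -ENOENT on an already-deactivated rule; !strict: proposed "return 0". */
static int delrule_deactivate(struct rule *r, bool strict)
{
    if (r->active) {
        r->active = false;
        return 0;
    }
    return strict ? -ENOENT : 0;
}

/* Models "-D": delete the rule with this handle. */
static int batch_delete(struct rule *c, int n, int handle, bool strict)
{
    for (int i = 0; i < n; i++)
        if (c[i].handle == handle)
            return delrule_deactivate(&c[i], strict);
    return -ENOENT;
}

/* Models "-F": a delete with no handle, applied to every rule in the chain. */
static int batch_flush(struct rule *c, int n, bool strict)
{
    int err = 0;
    for (int i = 0; i < n && !err; i++)
        err = delrule_deactivate(&c[i], strict);
    return err;
}

/* One batch on a one-rule chain: delete, then flush or delete again. */
static int replay(bool strict, bool then_flush)
{
    struct rule c[] = { { 1, true } };
    int err = batch_delete(c, 1, 1, strict);
    if (err)
        return err;
    return then_flush ? batch_flush(c, 1, strict) : batch_delete(c, 1, 1, strict);
}

int main(void)
{
    printf("strict: %d %d  lenient: %d %d\n", replay(true, true),
           replay(true, false), replay(false, true), replay(false, false));
    return 0;
}
```

In this model the lenient variant makes the delete-then-flush batch succeed, and it also lets the second deletion of the same rule return 0, which is the downside named in the mail.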