On 2020/03/10 10:14, Frank Myhr wrote:
On Mon, Mar 09, 2020 at 07:35:15PM -0400, Frank Myhr wrote:
I do want to keep the dynamically-added elements across reboot.
...
For now I'll stick with released & packaged (debian buster-backports)
nft, and use sed 's/[ ]\+counter[^,\}]\+//g' on saved rulesets before
restoring them.
...
For limits,
sed 's/[ ]\+limit[^,\}]\+//g' before restoring from saved ruleset works
for me.
Thought I'd better follow up that I'm running these sed commands on
ruleset fragments that each include a single dynamic set _only_. I then
cat these together with other files that contain nftables chains and
rules, then load the combined file using nft -f.
Just want to be clear that nobody should run those sed commands on a
complete ruleset file; they will wipe out any counter and limit
statements that occur anywhere in the file, not just in sets. For a
complete ruleset file you would need to use some additional logic to
distinguish whether or not the set & limit statements occur inside of a set.
Best regards,
Frank
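The "additional logic" the post mentions, as an added example that is not part of the thread: a small awk wrapper that applies the same counter/limit removal only inside set blocks, so counter and limit statements in chain rules survive. It assumes the layout of `nft list ruleset` output (one `set NAME {` opener per line, balanced braces, no stateful expression wrapped across lines); the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): strip "counter ..." / "limit ..."
# only inside "set NAME { ... }" blocks of a full nft ruleset.
# Assumes `nft list ruleset` layout: "set NAME {" on its own line, braces
# balanced, and no stateful expression wrapped across lines.
strip_set_state() {
    awk '
    # A line like "set blocklist {" opens a set block; remember the depth.
    /^[ \t]*set[ \t]+[^ \t]+[ \t]*[{]/ && !in_set { in_set = 1; set_depth = depth }
    {
        line = $0
        if (in_set) {
            # Same removal as the sed in the thread, but only inside the set:
            # drop " counter ..." / " limit ..." up to the next "," or "}".
            gsub(/[ \t]+counter[^,}]+/, "", line)
            gsub(/[ \t]+limit[^,}]+/, "", line)
        }
        # Track brace depth so "elements = { ... }" does not end the set early.
        depth += gsub(/[{]/, "{", $0) - gsub(/[}]/, "}", $0)
        if (in_set && depth <= set_depth) in_set = 0
        print line
    }'
}

# Constructed sample ruleset: a dynamic set with per-element counter/limit
# state plus a chain whose rules also use counter and limit (must survive).
SAMPLE_RULESET='table inet filter {
    set blocklist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
        elements = { 10.0.0.1 counter packets 3 bytes 120 expires 59m, 10.0.0.2 limit rate 5/second expires 30m }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @blocklist counter drop
        tcp dport 22 limit rate 5/minute counter accept
    }
}'

# Count the lines that still carry "counter" or "limit" after stripping;
# only the two chain rules should remain.
stateful_lines() {
    printf '%s\n' "$SAMPLE_RULESET" | strip_set_state | grep -c -E 'counter|limit'
}

printf '%s\n' "$SAMPLE_RULESET" | strip_set_state
```

The cleaned output can then be loaded with `nft -f` as in the post, with the chain rules' counter and limit statements intact.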