Hi Phil

On 22.06.20 at 18:45, Phil Sutter wrote:
>> but what is the replacement for iterating "/proc/net/ip_tables_names" and
>> "/proc/net/ip6_tables_names" in case "iptables-nft" is in use
>>
>> that is not only used for reset but also in several places for status
>> counters, displaying rulesets in "-t filter", "-t mangle" and "-t raw"
>>
>> -------------------------------
>>
>> missing that explains that everything is falling to pieces and adding
>> things which are supposed to be no longer there fails
>
> Ah yes, that's an obvious change and there's nothing we can do about it.
> Unlike legacy iptables, there are no dedicated modules supporting each
> table in iptables-nft. For instance, nft_chain_filter.ko suffices for
> raw, filter and security tables. For nat table you need nft_chain_nat.ko
> and mangle needs nft_chain_route.ko (actually just for OUTPUT chain).
>
>> $IPTABLES here is a macro within my application
>>
>> for TABLE in $(<'/proc/net/ip_tables_names'); do
>>   hlp_rule_ipv4 "$IPTABLES -t $TABLE -F"
>>   hlp_rule_ipv4 "$IPTABLES -t $TABLE -X"
>> done
>> if [ "$IPV6_LOADED" == 1 ]; then
>>   for TABLE in $(<'/proc/net/ip6_tables_names'); do
>>     hlp_rule_ipv6 "$IPTABLES -t $TABLE -F"
>>     hlp_rule_ipv6 "$IPTABLES -t $TABLE -X"
>>   done
>> fi
>
> For iptables-services in Fedora, I simply hard-coded the table names

that's exactly what I want to avoid because in case of iptables-legacy that
would load stuff not needed

given that "iptables-nft -t raw", "iptables-nft -t mangle", "iptables-nft -t nat"
are working as expected as far as I can see, some way with "iptables-nft"
would be cool

---------------------

[root@firewall:/proc/net]$ iptables-nft -t natx -L
iptables v1.8.3 (nf_tables): table 'natx' does not exist
Perhaps iptables or your kernel needs to be upgraded.

well I could write a loop testing that and provide an abstraction layer in
case the whole beast runs in iptables-nft mode but that's ugly as hell
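One way to write the "loop testing that" abstraction described above, as an added example (not code from the thread or from either project): under iptables-legacy the proc file is read, so nothing gets loaded as a side effect; when the proc file is absent (nft backend), each candidate table is probed with `-t <name> -L` and only the ones the backend accepts are returned. The candidate table list and the `ipt_reset_tables` helper are assumptions, and so is the assumption that a `-L` probe on this version does not itself create the table; verify that on the installed iptables-nft before relying on it.

```shell
#!/bin/sh
# Enumerate the tables that exist for either iptables backend.
# Usage: ipt_tables_present <iptables-command> [proc-file]
#   <iptables-command>  e.g. iptables, iptables-nft, ip6tables
#   [proc-file]         legacy listing, default /proc/net/ip_tables_names
# Legacy backend: read the proc file (no module gets loaded by the check).
# nft backend (proc file absent): probe each candidate with "-t <name> -L";
# a missing table is reported with a non-zero exit status, as in the
# "table 'natx' does not exist" output above.
# Candidate list is an assumption; adjust it to the tables your app uses.
IPT_CANDIDATE_TABLES="filter nat mangle raw security"

ipt_tables_present() {
    ipt=$1
    proc_file=${2:-/proc/net/ip_tables_names}
    if [ -r "$proc_file" ]; then
        cat "$proc_file"
        return 0
    fi
    for table in $IPT_CANDIDATE_TABLES; do
        if "$ipt" -t "$table" -L -n >/dev/null 2>&1; then
            printf '%s\n' "$table"
        fi
    done
}

# Flush and delete user chains only in tables that actually exist,
# replacing the hard-coded-table approach from the thread.
ipt_reset_tables() {
    ipt=$1
    proc_file=$2
    for table in $(ipt_tables_present "$ipt" "$proc_file"); do
        "$ipt" -t "$table" -F
        "$ipt" -t "$table" -X
    done
}
```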