Jan Engelhardt <jengelh@xxxxxxx> wrote:
> On Saturday 2021-08-14 19:46, Florian Westphal wrote:
> > Conservative change:
> > iptables-nft -X will not remove empty builtin chains.
> > OTOH, maybe it would be better to auto-remove those too, if empty.
> > Comments?
>
> How are chain policies expressed in nft, as a property on the
> chain (like legacy), or as a separate rule?
> That is significant when removing "empty" chains.

Indeed. Since this removes the base chain, it implicitly reverts a DROP policy too.

I wish that iptables-nft would do drop policy by DROP rule (then the deletion would fail), but it does not.

As it stands, the only way to get rid of an iptables-nft added table is via nft. For -legacy it's not even possible unless you can rmmod the module, which is not always possible. Sucks.

Any suggestions/idea?