Re: [PATCH iptables-nft] iptables-nft: allow removal of empty builtin chains

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sat, Aug 14, 2021 at 10:53:14PM +0200, Florian Westphal wrote:
> > Indeed.  Since this removes the base chain, it implicitly reverts
> > a DROP policy too.
> 
> User still has to iptables -F on that given chain before deleting,
> right?

Yes, -X fails if the chain has rules.

> If NLM_F_NONREC is used, the EBUSY is reported when trying to delete
> a chain with rules.

Yes.

> My assumption is that the user will perform:
> 
> iptables-nft -F -t filter
> iptables-nft -D -t filter

Yes, assuming you meant -X instead of -D.

This behaves just like before, it deletes all rules (-F) and all user-defined
chains (-X).

> I mean, by when the user has an empty basechain with default policy to
> DROP, if they remove the chain, then they are really meaning to remove
> the chain and this default policy to DROP.

ATM iptables -X $BUILTIN will always fail.
In -legacy there is no kernel API to allow for its removal,
for -nft there is an extra check that throws an error.

> Or am I missing anything else?

No, I don't think so.  I would prefer if
iptables-nft -F -t filter
iptables-nft -X -t filter

... would result in an empty "filter" table.

I could also add a patch that requests removal
of the table as well for the -X case; but unlike base chain the
presence of the table alone has no impact on dataplane.
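The point raised above, that deleting an empty base chain silently drops its DROP policy along with it, is something an operator wants to see before running -F/-X. The following POSIX sh helper is an added example, not code from this thread or from the iptables project: it scans an iptables-save style dump (a constructed sample is embedded; the ":CHAIN POLICY [pkts:bytes]" header format is the real one, where user-defined chains carry "-" in place of a policy) and reports every builtin chain whose policy is not ACCEPT, plus a rule counter that tells whether -X on a given chain would still be refused because rules remain.

```shell
#!/bin/sh
# Added example (not from the thread or the iptables project).
# Constructed iptables-save style dump; not output from a real host.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:mychain - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Print "table chain policy" for every builtin chain whose policy is not
# ACCEPT. In a save dump, builtin chains have a policy keyword in the
# ":NAME POLICY [pkts:bytes]" line; user-defined chains show "-" instead.
# These are the policies that would be lost if the empty base chain were
# removed with -X.
list_non_accept_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  { chain = substr($1, 2); policy = $2
                if (policy != "-" && policy != "ACCEPT")
                    print table, chain, policy }
    '
}

# Count the "-A CHAIN ..." rules attached to a chain. -X only succeeds on an
# empty chain, so a non-zero count means -F must run first.
count_rules_in_chain() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^-A / { if ($2 == chain) n++ }
        END { print n + 0 }
    '
}

# Usage against the constructed sample (a real run would feed `iptables-save`):
list_non_accept_policies "$SAMPLE_DUMP"
count_rules_in_chain "$SAMPLE_DUMP" INPUT
```

On the sample this lists "filter INPUT DROP" and "filter FORWARD DROP", and reports one rule on INPUT, so INPUT still needs -F before -X would be accepted while FORWARD is already empty.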
