Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sat, Aug 14, 2021 at 10:53:14PM +0200, Florian Westphal wrote:
> > Indeed. Since this removes the base chain, it implicitly reverts
> > a DROP policy too.
>
> User still has to iptables -F on that given chain before deleting,
> right?

Yes, -X fails if the chain has rules.

> If NLM_F_NONREC is used, the EBUSY is reported when trying to delete
> a chain with rules.

Yes.

> My assumption is that the user will perform:
>
> iptables-nft -F -t filter
> iptables-nft -D -t filter

Yes, assuming you meant -X instead of -D.

This behaves just like before, it deletes all rules (-F) and all
user-defined chains (-X).

> I mean, by when the user has an empty basechain with default policy to
> DROP, if they remove the chain, then they are really meaning to remove
> the chain and this default policy to DROP.

ATM iptables -X $BUILTIN will always fail.

In -legacy there is no kernel API to allow for its removal, for -nft
there is an extra check that throws an error.

> Or am I missing anything else?

No, I don't think so.

I would prefer if

iptables-nft -F -t filter
iptables-nft -X -t filter

... would result in an empty "filter" table.

I could also add a patch that requests removal of the table as well for
the -X case; but unlike base chain the presence of the table alone has
no impact on dataplane.
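The thread's concern is that removing a base chain (or the whole table) silently discards a DROP policy, while -F/-X only empties rules and user-defined chains. The script below is an added example, not code from the thread or from the iptables project: it parses an iptables-save style dump (the sample is constructed, not real output) and lists builtin chains whose policy is DROP and the user-defined chains that -X would remove, so an operator can see what a flush, -X, or table removal would actually change before running it. On a live host one would pipe the output of iptables-nft-save into the same functions (assumed to be installed).

```shell
#!/bin/sh
# Constructed iptables-save style dump, standing in for iptables-nft-save output.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:mychain - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j mychain
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Read an iptables-save dump on stdin and print "<table> <chain>" for every
# builtin chain whose policy is DROP. These are the chains whose dataplane
# effect (dropping by default) would vanish if the base chain or table were
# deleted with nft rather than emptied with -F/-X.
drop_policy_chains() {
    awk '
        /^\*/              { table = substr($1, 2) }
        /^:/ && $2 == "DROP" { print table " " substr($1, 2) }
    '
}

# Read an iptables-save dump on stdin and print "<table> <chain>" for every
# user-defined chain (policy field is "-"). These are what -X removes once
# they have been flushed; builtin chains are never removed by -X.
user_chains() {
    awk '
        /^\*/            { table = substr($1, 2) }
        /^:/ && $2 == "-"  { print table " " substr($1, 2) }
    '
}

# Usage with the constructed dump; replace with `iptables-nft-save |` on a live box.
echo "builtin chains with DROP policy:"
printf '%s\n' "$SAMPLE_RULESET" | drop_policy_chains
echo "user-defined chains that -X would remove:"
printf '%s\n' "$SAMPLE_RULESET" | user_chains
```

The two awk filters rely only on the dump's line shapes: a `*table` line opens a table, and `:NAME POLICY [pkts:bytes]` lines declare chains, with `-` as the "policy" of user-defined chains.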