On Sun, Aug 15, 2021 at 03:27:33PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Sat, Aug 14, 2021 at 10:53:14PM +0200, Florian Westphal wrote:
> > > Indeed. Since this removes the base chain, it implicitly reverts
> > > a DROP policy too.
> >
> > User still has to iptables -F on that given chain before deleting,
> > right?
>
> Yes, -X fails if the chain has rules.
>
> > If NLM_F_NONREC is used, the EBUSY is reported when trying to delete
> > a chain with rules.
>
> Yes.

But we really do not need NLM_F_NONREC for this new feature, right?
I mean, a quick shortcut to remove the basechain and its content should
be fine.

> > My assumption is that the user will perform:
> >
> > iptables-nft -F -t filter
> > iptables-nft -D -t filter
>
> Yes, assuming you meant -X instead of -D.

Oh well, embarrassing, yes.

> This behaves just like before, it deletes all rules (-F) and all user-defined
> chains (-X).
>
> > I mean, by when the user has an empty basechain with default policy to
> > DROP, if they remove the chain, then they are really meaning to remove
> > the chain and this default policy to DROP.
>
> ATM iptables -X $BUILTIN will always fail.
> In -legacy there is no kernel API to allow for its removal,
> for -nft there is an extra check that throws an error.
>
> > Or am I missing anything else?
>
> No, I don't think so. I would prefer if
> iptables-nft -F -t filter
> iptables-nft -X -t filter
>
> ... would result in an empty "filter" table.

Your concern is that this would change the default behaviour?

> I could also add a patch that requests removal
> of the table as well for the -X case; but unlike base chain the
> presence of the table alone has no impact on dataplane.

Then, probably add a new command for this?

iptables-nft -K INPUT -t filter

=> to remove the INPUT/filter basechain. Then:

iptables-nft -N INPUT -t filter

to bring it back (if it was removed).