Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> But we really do not need NLM_F_NONREC for this new feature, right? I
> mean, a quick shortcut to remove the basechain and its content should
> be fine.

Would deviate a lot from iptables behaviour.

> > No, I don't think so. I would prefer if
> > iptables-nft -F -t filter
> > iptables-nft -X -t filter
> >
> > ... would result in an empty "filter" table.
>
> Your concern is that this would change the default behaviour?

Yes, maybe ok to change it though.
After all, a "iptables-nft -A INPUT ..." will continue to work just fine
(it's auto-created again).

We could check if policy is still set to accept before implicit removal
in the "iptables-nft -X" case.