On Sun, Aug 15, 2021 at 04:14:14PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > But we really do not need NLM_F_NONREC for this new feature, right? I
> > mean, a quick shortcut to remove the basechain and its content should
> > be fine.
>
> Would deviate a lot from iptables behaviour.

It's a new feature: you could still keep NLM_F_NONREC in place, and only
allow removing one chain (with no rules) at a time if you prefer, i.e.

  iptables-nft -K INPUT -t filter

or -X if you prefer to overload the existing command.

> > > No, I don't think so. I would prefer if
> > >
> > >   iptables-nft -F -t filter
> > >   iptables-nft -X -t filter
> > >
> > > ... would result in an empty "filter" table.
> >
> > Your concern is that this would change the default behaviour?
>
> Yes, maybe ok to change it though. After all, a "iptables-nft -A INPUT
> ..." will continue to work just fine (it's auto-created again).
>
> We could check if policy is still set to accept before implicit
> removal in the "iptables-nft -X" case.

That's possible, yes, but why force the user to change the policy from
DROP to ACCEPT to delete an empty basechain right thereafter?