On Mon, Oct 24, 2022 at 01:01:22PM +0200, Fernando Fernandez Mancera wrote:
> The "destroy" command performs a deletion like the "delete" command but does
> not fail when the object does not exist. As there is no NLM_F_* flag for
> ignoring such an error, it needs to be ignored directly in error handling.
>
> Example of use:
>
> # nft list ruleset
> table ip filter {
>         chain output {
>         }
> }
> # nft destroy table ip missingtable
> # echo $?
> 0
> # nft list ruleset
> table ip filter {
>         chain output {
>         }
> }

Looks good, but this will also require a small patch in the kernel.

Ignoring the return value is not sufficient for the transaction semantics,
considering the following example batch to be loaded via nft -f:

        destroy table ip xyz
        table ip xyz {
        }

so the transaction does not fail.

The kernel patch would be similar to what nf_conntrack_netlink.c does with
IPCTNL_MSG_CT_GET_CTRZERO.

You have to define a new command NFT_MSG_DESTROYTABLE, then register a new
entry in nfnl_callback that refers to nf_tables_deltable.

Then, from nf_tables_deltable:

        if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
                return 0;

        return -ENOENT;

to silence the error reporting.

Keep in mind that:

        nft flush table ip x

leaves the table in place, but:

        nft delete table ip x

removes the table and its content (but it fails if the table does not exist).

What we need from the kernel is the destroy semantics; it should be a
relatively small patch.

Thanks Fernando.
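The point about transaction semantics in the reply above is easy to check with a small user-space model. The following C program is an added example, not code from nftables or the kernel: it keeps a toy table store, implements one deletion path that serves both message types (mirroring the `nf_tables_deltable` check the reply sketches), and applies a batch atomically the way an `nft -f` netlink batch is either committed or aborted as a whole. `tbl_store`, `nft_op`, `run_batch`, `newtable`, `deltable` and the two `batch_with_*` helpers are hypothetical names; `NFT_MSG_DESTROYTABLE` is the name proposed in the thread and `NFT_MSG_DELTABLE` is the existing delete message, but the bodies here are a model, not the kernel's implementation.

```c
/* Added example (not nftables or kernel code): model of delete vs destroy
 * semantics and of all-or-nothing batch handling. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_TABLES 8
#define NAME_LEN 32

enum nft_msg {
    NFT_MSG_NEWTABLE,
    NFT_MSG_DELTABLE,     /* missing table is an error: -ENOENT */
    NFT_MSG_DESTROYTABLE, /* missing table is silently accepted */
};

struct tbl_store {
    char names[MAX_TABLES][NAME_LEN];
    int count;
};

static int find_table(const struct tbl_store *s, const char *name)
{
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->names[i], name) == 0)
            return i;
    return -1;
}

/* Model of table creation: a table that already exists yields -EEXIST. */
static int newtable(struct tbl_store *s, const char *name)
{
    if (find_table(s, name) >= 0)
        return -EEXIST;
    if (s->count == MAX_TABLES)
        return -ENOMEM;
    snprintf(s->names[s->count++], NAME_LEN, "%s", name);
    return 0;
}

/* One deletion routine for both message types, as the reply suggests:
 * the only difference is the return value when the table is absent. */
static int deltable(struct tbl_store *s, enum nft_msg type, const char *name)
{
    int idx = find_table(s, name);
    if (idx < 0)
        return type == NFT_MSG_DESTROYTABLE ? 0 : -ENOENT;
    memmove(&s->names[idx], &s->names[idx + 1],
            (size_t)(s->count - idx - 1) * NAME_LEN);
    s->count--;
    return 0;
}

struct nft_op {
    enum nft_msg type;
    const char *table;
};

/* Model of an nft -f batch: the first failing op aborts the whole batch and
 * the store is restored to its pre-batch state. */
static int run_batch(struct tbl_store *s, const struct nft_op *ops, int n)
{
    struct tbl_store snapshot = *s;
    for (int i = 0; i < n; i++) {
        int err = ops[i].type == NFT_MSG_NEWTABLE
                      ? newtable(s, ops[i].table)
                      : deltable(s, ops[i].type, ops[i].table);
        if (err) {
            *s = snapshot; /* abort: nothing from this batch is committed */
            return err;
        }
    }
    return 0;
}

/* The batch from the reply: "destroy table ip xyz" then "table ip xyz { }". */
static int batch_with_destroy(struct tbl_store *s)
{
    const struct nft_op ops[] = { { NFT_MSG_DESTROYTABLE, "xyz" },
                                  { NFT_MSG_NEWTABLE, "xyz" } };
    return run_batch(s, ops, 2);
}

/* Same batch with plain delete: on an empty ruleset the whole batch fails. */
static int batch_with_delete(struct tbl_store *s)
{
    const struct nft_op ops[] = { { NFT_MSG_DELTABLE, "xyz" },
                                  { NFT_MSG_NEWTABLE, "xyz" } };
    return run_batch(s, ops, 2);
}

int main(void)
{
    struct tbl_store s = { .count = 0 }, t = { .count = 0 };
    int rd = batch_with_destroy(&s);
    printf("destroy batch: err=%d tables=%d\n", rd, s.count);
    int re = batch_with_delete(&t);
    printf("delete batch:  err=%d tables=%d\n", re, t.count);
    return 0;
}
```

Run on an empty store, the destroy batch returns 0 and leaves one table, while the delete batch returns -ENOENT and leaves none, which is exactly why ignoring the error in user space alone does not give the batch the semantics the patch description wants.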