Hi,

On Tue, Dec 12, 2023 at 05:47:22PM -0500, Eric Garver wrote:
> I'm not concerned with optimizing for the crash case. We wouldn't be
> able to make any assumptions about the state of nftables. The only safe
> option is to flush and reload all the rules.

The problem with crashes is tables with the owner flag set will vanish,
leaving the system without a firewall.

[...]
> > For firewalld on the other hand, I think introducing this "persist" flag
> > would be a full replacement to the proposed owner flag update.
>
> I don't think we need a persist flag. If we want it to persist then
> we'll just avoid setting the owner flag entirely.

The benefit of using it is to avoid interference from other users calling
'nft flush ruleset'. Introducing a "persist" flag would enable this while
avoiding the restart/crash downtime.

Cheers, Phil