On Wed, Dec 13, 2023 at 01:13:54PM +0100, Phil Sutter wrote:
> Hi,
>
> On Tue, Dec 12, 2023 at 05:47:22PM -0500, Eric Garver wrote:
> > I'm not concerned with optimizing for the crash case. We wouldn't be
> > able to make any assumptions about the state of nftables. The only safe
> > option is to flush and reload all the rules.
>
> The problem with crashes is tables with owner flag set will vanish,
> leaving the system without a firewall.

I'd rather see the daemon be automatically restarted. After a crash you
still have a flush + re-apply on daemon restart. Avoiding the cleanup
due to table owner flag only shortens the window.

I think we're getting off topic for this list. Let's discuss off list if
you want. :)

[..]