On Wed, 2023-12-13 at 16:15 +0100, Pablo Neira Ayuso wrote:
> On Wed, Dec 13, 2023 at 01:13:54PM +0100, Phil Sutter wrote:
> >
> >
> > > I don't think we need a persist flag. If we want it to persist
> > > then
> > > we'll just avoid setting the owner flag entirely.
> >
> > The benefit of using it is to avoid interference from other users
> > calling 'nft flush ruleset'. Introducing a "persist" flag would
> > enable
> > this while avoiding the restart/crash downtime.
>
> I think this 'persist' flag provides the semantics described above,
> that is:
>
> - keep it in place if process goes away.
> - allow to retake ownership.
>

Isn't the problem to solve that `nft flush ruleset` deletes tables owned
by somebody else (firewalld)? Using the owner flag for that seems wrong,
if the overall semantics of that flag are not desired.

A "persist" flag sounds like a good solution. It would just have
informational value (for user space) to be skipped by `nft flush
ruleset`.

Thomas