On 26/11/2014 18:47, Pablo Neira Ayuso wrote:
> Use 'nft -f file' to load your ruleset instead of scripts. Otherwise
> the rule-set is not loaded atomically, and it will also take longer to
> load your ruleset. Please, help spread the word, people should use nft -f.
I wanted to use 'nft -f' at the beginning but I faced some issues.
How is 'nft -f' to be used? Does it take as input the output of 'nft
list table filter'?
I tried it, it adds rules but doesn't remove the previous ones. How can
I replace the previous rules in one go with 'nft -f'?
How can it interpret the output below, which seems buggy?
root@vgoip:~# nft list table filter
table ip filter {
        chain input {
                type filter hook input priority 0;
                oifname "lo" accept
                ip protocol icmp accept
                ct state 8 unknown unknown 0x16 [invalid type] accept
                ct state { 4, 2} accept
                reject with icmp type 10
        }
        chain forward {
                type filter hook forward priority 0;
                drop
        }
}
It looks like it dumps using numeric values, but crashes when trying to use
those numeric values:
root@vgoip:~# nft add rule filter input ct state { 4, 2} accept
Segmentation fault (core dumped)
https://wiki.archlinux.org/index.php/nftables says that "nft -f" is not
atomic. Is it wrong?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
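The question above (how to replace the existing rules in one go with 'nft -f') is best answered with a file that starts with 'flush ruleset' followed by the full table definition: everything in one 'nft -f' invocation is submitted to the kernel as a single transaction, so the flush and the new rules are applied together and there is no window with an empty or half-loaded ruleset. The script below is an added example, written for this page; it is not code from the poster, from Pablo, or from the nftables project. It rebuilds the poster's filter table with symbolic ct state names instead of the numeric values the old 'nft list' printed (in the kernel's ct state bit assignment 2 is established, 4 is related and 8 is new, so '{ 4, 2}' is 'established,related'), uses 'iifname' rather than 'oifname' on the input hook, and spells the reject type by name ('host-prohibited' is ICMP unreachable code 10). The file path and the NFT_APPLY gate are assumptions of this example; loading requires root and a kernel with nf_tables.

```shell
#!/bin/sh
# Added example (not from the original thread): build an nft ruleset file
# that replaces the running ruleset atomically, then syntax-check and load it.

# Assumed location for the generated ruleset file.
RULESET_FILE="${RULESET_FILE:-/tmp/filter.nft}"

# Emit the ruleset text. 'flush ruleset' on the first line removes every
# existing table in the same transaction that creates the new one, so
# loading this file never leaves the box unprotected in between.
write_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table ip filter {
        chain input {
                type filter hook input priority 0;
                # loopback: match the input interface, not the output one
                iifname "lo" accept
                ip protocol icmp accept
                # symbolic names instead of numeric bit values
                ct state established,related accept
                ct state invalid drop
                # same meaning as 'reject with icmp type 10'
                reject with icmp type host-prohibited
        }

        chain forward {
                type filter hook forward priority 0;
                drop
        }
}
EOF
}

# Count the lines of the ruleset that would create or flush tables/chains;
# used by the self-check below so the generated text is verifiable offline.
count_flushes() {
    write_ruleset | grep -c '^flush ruleset$'
}

# Dry-run parse of the file (nft -c touches nothing), then the real load.
# Returns nft's exit status: 0 means the whole file was accepted and applied
# as one batch; on a parse error nothing at all is changed.
load_ruleset() {
    file="$1"
    nft -c -f "$file" || return $?
    nft -f "$file"
}

main() {
    write_ruleset > "$RULESET_FILE"
    if [ "${NFT_APPLY:-0}" = 1 ]; then
        # assumed gate: set NFT_APPLY=1 (as root) to actually load the ruleset
        load_ruleset "$RULESET_FILE"
    else
        echo "ruleset written to $RULESET_FILE (set NFT_APPLY=1 to load it)"
    fi
}

main "$@"
```

Re-running 'nft -f' on the same file is idempotent: the flush and the re-creation happen in one transaction, which is the property a plain shell script of 'nft add rule' calls cannot give you.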