Re: issue with nftable - goto : Operation not supported

On Wed, Nov 26, 2014 at 07:00:14PM +0100, leroy christophe wrote:
> 
> On 26/11/2014 18:47, Pablo Neira Ayuso wrote:
> >Use 'nft -f file' to load your ruleset instead of scripts.
> >Otherwise the rule-set is not loaded atomically, and it will also
> >take longer to load your ruleset. Please, help spread the word,
> >people should use nft -f.
> 
> I wanted to use 'nft -f' at the beginning but I faced some issues.
> 
> How is 'nft -f' to be used ? Does it take as input the output of
> 'nft list table filter' ?

Yes.

> I tried it, it adds rules but doesn't remove the previous ones. How
> can I replace previous rules in one go with 'nft -f' ?

You have to prepend:

 flush table filter

to the output of 'nft list table filter'.

Since 3.18, you can also use:

 flush ruleset

that removes everything, including the existing table and chain
configuration.

http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level

> How can it interpret the below output which seems buggy ?
> 
> root@vgoip:~# nft list table filter
> table ip filter {
>         chain input {
>                  type filter hook input priority 0;
>                  oifname "lo" accept
>                  ip protocol icmp accept
>                  ct state 8 unknown unknown 0x16 [invalid type] accept
>                  ct state { 4, 2} accept
>                  reject with icmp type 10
>         }

What is the original ruleset you loaded? This should not happen. Any
relevant information regarding your testbed?

>         chain forward {
>                  type filter hook forward priority 0;
>                  drop
>         }
> }
> 
> Looks like it dumps using numeric values, but crashes when trying to
> use those numeric values
> 
> root@vgoip:~# nft add rule filter input ct state { 4, 2} accept
> Segmentation fault (core dumped)
> 
> https://wiki.archlinux.org/index.php/nftables says that "nft -f" is
> not atomic. Is it wrong ?

Yes, I just fixed that and made a quick review to that wiki page.
Please, better look at the nftables wiki page:

http://wiki.nftables.org
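The reload procedure described in the reply above (prepend a flush statement to the ruleset and load the whole file with 'nft -f' so the old and new rules are swapped in one transaction), written out as a small script. This is an added example, not code from the thread or from the nftables project: the function names are mine, the rules in the heredoc are constructed sample rules for a host firewall rather than the original poster's ruleset, and it assumes an nft binary that supports `-c` (`--check`) for a parse-only dry run and `policy` on base chains. The "table" mode matches the 'flush table filter' suggestion and needs the table to already exist; the "ruleset" mode uses the 'flush ruleset' form (kernel 3.18 and later), which also works from a clean slate because it drops the table and chain definitions too.

```sh
#!/bin/sh
# Added example, not part of the thread: generate an nftables ruleset file
# whose first line flushes the old rules, so that `nft -f` replaces the
# previous configuration in one atomic transaction instead of appending to it.

# Print a complete ruleset to stdout.
#   mode "table"   -> prepend `flush table ip filter` (the table must exist)
#   mode "ruleset" -> prepend `flush ruleset` (kernel 3.18+, also removes the
#                     table/chain definitions, so it works from scratch)
# The rules below are constructed sample rules for an input chain similar to
# the one quoted in the thread; they are not the original poster's ruleset.
make_ruleset() {
    case "${1:-ruleset}" in
        table)   printf 'flush table ip filter\n' ;;
        ruleset) printf 'flush ruleset\n' ;;
        *) echo "make_ruleset: unknown mode '$1' (use table|ruleset)" >&2; return 1 ;;
    esac
    cat <<'EOF'
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ip protocol icmp accept
        ct state established,related accept
        ct state invalid drop
        reject with icmp type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Return the flush statement a generated ruleset starts with, so a caller
# can verify the file really begins with a flush before handing it to nft -f.
ruleset_prefix() {
    make_ruleset "$1" | head -n 1
}

# Parse and validate the file without touching the kernel. Assumes an nft
# binary that supports `-c` (--check); returns nft's exit status.
check_ruleset() {
    nft -c -f "$1"
}

# Load the file. The flush and the new rules travel in one batch, so the
# kernel commits all of it or none of it: there is no window in which the
# old rules are gone and the new ones are not yet in place.
apply_ruleset() {
    nft -f "$1"
}

# Usage: sh reload-filter.sh apply [table|ruleset]
# Nothing is loaded unless "apply" is given, so the functions can be
# exercised without root privileges.
if [ "${1:-}" = "apply" ]; then
    tmp="$(mktemp)" || exit 1
    make_ruleset "${2:-ruleset}" > "$tmp" || { rm -f "$tmp"; exit 1; }
    check_ruleset "$tmp" && apply_ruleset "$tmp"
    status=$?
    rm -f "$tmp"
    exit "$status"
fi
```

Running `sh reload-filter.sh apply table` is the exact equivalent of 'flush table filter' followed by the output of 'nft list table filter', which is what the reply recommends; if the parse step fails, the kernel is never touched and the previous rules stay in place.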