On 23 August 2017 at 20:51, Jeff Kletsky <netfilter@xxxxxxxxxxxx> wrote:
> Thanks, yes, a define at the top-level can be accessed throughout.
>
> I chose to select an approach to declare the set in a file that can be
> "included" within any table.
>

As sets are per-table, this is not possible unless you use the variable
trick I mentioned in the previous email.

> The question about atomic changes comes from my familiarity with and use of
> FreeBSD's ipfw and its support for atomic operations on only *parts* of a
> rule set, such as:
>

Great, then I hope you find nftables better than ipfw regarding this :-)

> As an example of an application of this, consider that there are two
> possible packet flows that need to be "switched" between.
>
>        /---- path A ----\
>    ---X                  Y--->
>        \---- path B ----/
>
> To provide uninterrupted flow, the "switch" point at Y needs to be
> simultaneously changed with that at X.
>

If I understand well and X, Y are the same box/firewall, then atomic
replacement using 'nft -f' is the way to go.

In case they are different boxes/firewalls, we have a tool in mind
(nft-sync) which is under (slow-)development to handle cases like this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
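The single-box case discussed above, as an added example that is not code from the thread or from the nftables project: one ruleset file sets both switch points X and Y to path A or path B, and `nft -f` commits the whole file as one transaction. The interface names, the mark values, the set contents, and the reading of the "variable trick" as a top-level define holding set elements are all assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the thread. It builds one nftables ruleset that
# sets both switch points (X and Y) to path A or path B, so `nft -f` commits
# the change as a single atomic transaction and X and Y never disagree.
# Constructed assumptions: a single box; X = a prerouting rule that marks
# packets, Y = a postrouting rule that pins the egress interface; the
# interfaces are named pathA and pathB; the "variable trick" is taken to be a
# top-level define that holds the set elements for reuse in any table.

build_ruleset() {
    case "$1" in
        A) oif=pathA; mark=1 ;;
        B) oif=pathB; mark=2 ;;
        *) echo "usage: build_ruleset A|B" >&2; return 1 ;;
    esac
    cat <<EOF
# Top-level defines are visible in every table that follows.
define active_oif = "$oif"
define active_mark = $mark
define switched_nets = { 10.0.0.0/24, 10.0.1.0/24 }

# Declare, flush, then redefine: all three steps land in one nft -f
# transaction, so the old X/Y pair is replaced by the new pair at once.
table inet switch
flush table inet switch
table inet switch {
    set nets {
        type ipv4_addr
        flags interval
        elements = \$switched_nets
    }
    chain x_prerouting {
        type filter hook prerouting priority -150; policy accept;
        ip saddr @nets meta mark set \$active_mark
    }
    chain y_postrouting {
        type filter hook postrouting priority -150; policy accept;
        meta mark \$active_mark oifname \$active_oif counter accept
    }
}
EOF
}

# Validate first (-c), then load atomically; `nft -f -` reads stdin.
apply_ruleset() {
    build_ruleset "$1" | nft -c -f - || return 1
    build_ruleset "$1" | nft -f -
}
```

Running `apply_ruleset B` after `apply_ruleset A` flips X and Y together; if the check pass fails, nothing is loaded and the previous ruleset stays in place.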