Re: Restoring rulesets containing dynamic sets with counters

On 2020/03/10 10:14, Frank Myhr wrote:
On Mon, Mar 09, 2020 at 07:35:15PM -0400, Frank Myhr wrote:
I do want to keep the dynamically-added elements across reboot.
...
For now I'll stick with released & packaged (debian buster-backports) nft, and use sed 's/[ ]\+counter[^,\}]\+//g' on saved rulesets before restoring them.
...
For limits,
sed 's/[ ]\+limit[^,\}]\+//g' before restoring from saved ruleset works for me.

Thought I'd better follow up that I'm running these sed commands on ruleset fragments that each include a single dynamic set _only_. I then cat these together with other files that contain nftables chains and rules, then load the combined file using nft -f.

Just want to be clear that nobody should run those sed commands on a complete ruleset file; they will wipe out any counter and limit statements that occur anywhere in the file, not just in sets. For a complete ruleset file you would need to use some additional logic to distinguish whether or not the set & limit statements occur inside of a set.

Best regards,
Frank

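The "additional logic" the message asks for, as an added example that is not Frank's code or part of this thread: a shell function wrapping an awk filter that removes counter and limit statements only while inside a `set NAME { ... }` block, so the same statements in chains survive. The sample ruleset dump is constructed here and its layout is an assumption about nft's text output.

```shell
#!/bin/sh
# Strip per-element "counter ..." and "limit ..." state only inside
# "set NAME { ... }" blocks of an nft ruleset dump, leaving counter and
# limit statements in chains untouched. Reads stdin, writes stdout.
strip_set_state() {
    awk '
        # A line opening a set block: remember the brace depth it will sit at.
        in_set == 0 && /^[[:space:]]*set[[:space:]]+[^{]*[{]/ { in_set = depth + 1 }
        {
            line = $0
            if (in_set > 0) {
                # Drop "counter ..." / "limit ..." plus the tokens after them,
                # stopping at the next comma or closing brace.
                gsub(/[[:space:]]+counter([[:space:]]+[^,}[:space:]]+)*/, "", line)
                gsub(/[[:space:]]+limit([[:space:]]+[^,}[:space:]]+)*/, "", line)
            }
            print line
            # Track brace depth; leave the set once its closing brace passes.
            nopen = gsub(/[{]/, "{", $0); nclose = gsub(/[}]/, "}", $0)
            depth += nopen - nclose
            if (in_set > 0 && depth < in_set) in_set = 0
        }
    '
}

# Constructed sample dump: a dynamic set with per-element counters next to a
# chain that also uses counter and limit (those must not be removed).
SAMPLE_RULESET='table inet filter {
    set blacklist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
        elements = { 10.0.0.1 timeout 1h expires 59m30s counter packets 5 bytes 300,
                     10.0.0.2 timeout 1h expires 10m counter packets 0 bytes 0 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ip saddr @blacklist counter packets 10 bytes 800 drop
        limit rate 10/second counter accept
    }
}'

# Produce the filtered ruleset; this is what you would pipe into "nft -f -".
demo() {
    printf '%s\n' "$SAMPLE_RULESET" | strip_set_state
}
demo
```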