Hi,

I'm not using nft yet myself, but I do use bash scripting with iptables. What I do is that the bash script generates an iptables-save file which it submits at the end. This way I think it is atomic. Shouldn't it be possible to do the same with nft?

Regards

---- From: Mario V Guenzi <jclark@xxxxxxxxxx> -- Sent: 2020-08-18 - 07:12 ----

> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
>> Hi,
>
>> You can set default policy to drop when defining the chain (in the
>> same go), no need to call it twice, my suggestion for your ruleset is
>> to place this in ruleset.nft:
>>
>> add table inet firewall
>> add table inet nat
>> add table netdev noddos
>>
>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
>> ...
>>
>> my rules
>> my rules
>> my rules
>>
>
> At first, many thanks.
> Another question, given your kindness:
> can I use bash only to define my variables, e.g.
> EXTIF="eth0"
> LAN="192.168.2.0/24"
> etc.,
> use the variables defined in writing the rules.nft file as per your
> example, and then write
> nft -f /path/rules.nft in my bash script?
> As usual I apologize for my terrible English.
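The workflow asked about above (shell variables, a generated rules.nft, then `nft -f`), written out as an added example; this is not code from the thread or from the netfilter project. The interface name, LAN prefix and the individual rules are placeholders chosen for illustration, and the script only calls `nft` when it is explicitly told to apply the ruleset. The security-relevant points it demonstrates: `nft -f` commits the whole file as one transaction, so putting `flush ruleset` at the top of the same file replaces the old ruleset atomically (there is no moment with no rules loaded, and a syntax error anywhere means nothing is changed), and `nft -c -f` parses the file without touching the kernel, which is the check to run before the real load.

```shell
#!/bin/sh
# Added example: build an nft ruleset from shell variables and load it atomically.
# Not from the original thread; interface/prefix/rules are assumed placeholders.

EXTIF="${EXTIF:-eth0}"            # assumed external interface
LAN="${LAN:-192.168.2.0/24}"      # assumed LAN prefix

# gen_ruleset EXTIF LAN: print a complete ruleset to stdout.
# "flush ruleset" is part of the same file, so flush + rebuild land in one
# transaction when the file is fed to nft -f.
gen_ruleset() {
    extif="$1"
    lan="$2"
    cat <<EOF
flush ruleset

add table inet firewall
add table inet nat

add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
add chain inet nat POSTROUTING { type nat hook postrouting priority 100; }

# INPUT: loopback, reply traffic, then LAN-only admin access
add rule inet firewall INPUT iif lo accept
add rule inet firewall INPUT ct state established,related accept
add rule inet firewall INPUT ct state invalid drop
# anti-spoofing: the LAN prefix must never arrive on the external interface
add rule inet firewall INPUT iifname "$extif" ip saddr $lan drop
add rule inet firewall INPUT iifname != "$extif" ip saddr $lan tcp dport 22 accept

# OUTPUT: host-originated traffic is allowed
add rule inet firewall OUTPUT oif lo accept
add rule inet firewall OUTPUT ct state established,related accept
add rule inet firewall OUTPUT ct state new accept

# FORWARD: LAN -> outside only, plus replies
add rule inet firewall FORWARD ct state established,related accept
add rule inet firewall FORWARD iifname != "$extif" oifname "$extif" ip saddr $lan accept

# NAT for the LAN behind the external interface
add rule inet nat POSTROUTING oifname "$extif" ip saddr $lan masquerade
EOF
}

# load_ruleset: write the generated file, dry-run it, then commit it.
load_ruleset() {
    file="$(mktemp)" || return 1
    gen_ruleset "$EXTIF" "$LAN" > "$file"
    # nft -c parses and checks the whole file without changing the kernel
    if ! nft -c -f "$file"; then
        echo "ruleset rejected, old rules left untouched" >&2
        rm -f "$file"
        return 1
    fi
    # nft -f applies the file as a single transaction: all or nothing
    nft -f "$file"
    rc=$?
    rm -f "$file"
    return $rc
}

# Usage: ./firewall.sh            -> print the generated ruleset
#        ./firewall.sh apply      -> check and load it (needs root and nft)
if [ "${1:-}" = "apply" ]; then
    load_ruleset
else
    gen_ruleset "$EXTIF" "$LAN"
fi
```

Note that nft ruleset files also accept their own variables (`define EXTIF = eth0` and then `$EXTIF` in the rules), so shell substitution is only needed when the values come from outside the file; either way the load itself is still one `nft -f` transaction.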