Hi Pablo,

> You can dynamically add/delete devices to/from flowtables since Linux
> kernel 5.8

Are you referring to this patch?
https://www.spinics.net/lists/netfilter-devel/msg67310.html

I tried with Fedora 33 (5.8.17-300.fc33.x86_64) and this file:

    [root@localhost ~]# cat /etc/nftables/firewall.nft
    flush ruleset

    table inet x {
        flowtable f {
            hook ingress priority 0;
        }
        chain y {
            type filter hook forward priority 0; policy accept;
            ip protocol tcp flow offload @f counter packets 0 bytes 0
        }
    }

and indeed it does load without error, although I had to compile the latest version of nft (v0.9.7) as v0.9.3 (which comes with Fedora 33) was giving me this error:

    [root@localhost ~]# nft -f /etc/nftables/firewall.nft
    /etc/nftables/firewall.nft:4:12-12: Error: Unbound flowtable not allowed (must specify devices)
        flowtable f {
                  ^

Once I added my br0 interface with 'ip link add br0 type bridge' I was able to run 'nft add flowtable inet x f { devices = { br0 } \; }' without error.

However, if I run 'nft -f /etc/nftables/firewall.nft' again and then 'nft list ruleset', br0 is gone. Does this mean that it is no longer bound to a flow table?

The way I have been handling rule changes so far is to modify a single '/etc/nftables/firewall.nft' file every time I need to modify rules and then run 'nft -f /etc/nftables/firewall.nft' to reload and apply those changes (I don't tend to run single nft commands to update things here and there -- I prefer to modify a single file as the source of truth and then reload the ruleset completely).

Running something like 'nft add flowtable inet x f { devices = { br0 } \; }' once upon boot up when a logical interface comes up is fine, but does my workflow require that I then run 'nft add flowtable inet x f { devices = { br0 } \; }' after every time I run 'nft -f /etc/nftables/firewall.nft'?

Is my workflow wrong? It is based on my experience with pf/pf.conf from OpenBSD/FreeBSD where all changes to rules are made in one file which is then reloaded atomically. Has my familiarity with OpenBSD steered me wrong with regards to nftables?

Thanks,
-Martin