> Sorry, I'm getting a bit lost regarding what the problem is at this
> stage regarding the flowtable infrastructure.

I think the confusion stems from the fact that I have set up an nftables workflow for myself that is "opinionated" and that doesn't currently fit "out-of-the-box" with the way nft and flowtables interact.

I wrote a helper/wrapper program for myself that simplifies nftables rules management by offering show, edit, check, commit, diff and versioning functions to mimic the Juniper firewall behaviors that I am accustomed to and find very convenient. Some of these functions are plainly just front-ends to 'nft' commands, while some others (such as diff and versioning) require more work in order to allow diffs and versioning between both 'raw' /etc/nftables/firewall.nft files as well as the 'compiled' (pretty-printed, comments removed) result of running 'nft' on these files.

This workflow relied on assumptions that I had made that my desire to integrate flow tables suddenly blew out of the water. The "destructive" nature of 'flush ruleset' (which I was using so far) was not an issue before, but with flow tables it suddenly became one simply because I had not understood its reach. Had I been using dynamic sets (which I hadn't so far) this likely would have presented some issues too.

But given the fact that 'flush table' statements _do_ exhibit the behavior that I had wrongly attributed to 'flush ruleset', I now know that I have a way to use my program with flow tables; I just need to code some logic to find out the existing table names and generate the required 'flush table' statements as part of my commit function.

What also doesn't help is that I'm probably not explaining myself properly, and as a developer of nftables your intimate knowledge of it is at odds with my amateurish understanding of it. :o)

Thanks to both of you for taking the time to answer, and for your work on nftables!

Regards,
-Martin
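The commit step Martin describes (discover the existing table names, emit one 'flush table' per table, then load the new ruleset in a single 'nft -f' transaction instead of a 'flush ruleset') is sketched below as an added example; it is not code from the thread or from the nftables project. It assumes the line format 'table <family> <name>' that 'nft list tables' prints, and the sample listing and sample ruleset embedded in it are constructed for the example. Because each table is flushed rather than the whole ruleset, the tables themselves stay in place while the rules inside them are replaced; tables that no longer appear in the new file are deliberately left alone, since deleting them is a separate decision for the commit function.

```python
import re
import subprocess

# Constructed sample of `nft list tables` output (not captured from a real host).
SAMPLE_LIST_TABLES = """\
table inet filter
table ip nat
table ip6 filter
"""

# Constructed sample of a 'raw' ruleset file; 'fwd' is a hypothetical flowtable name.
SAMPLE_RULESET = """\
table inet filter {
    flowtable fwd {
        hook ingress priority 0; devices = { eth0, eth1 };
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established flow add @fwd
        ct state established,related accept
    }
}
"""

# One table per line: "table <family> <name>"
TABLE_LINE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*$")


def parse_table_list(text):
    """Return (family, name) pairs from `nft list tables` output, ignoring blank or unexpected lines."""
    tables = []
    for line in text.splitlines():
        match = TABLE_LINE.match(line.strip())
        if match:
            tables.append((match.group(1), match.group(2)))
    return tables


def flush_statements(tables):
    """Build one 'flush table <family> <name>' statement per existing table."""
    return [f"flush table {family} {name}" for family, name in tables]


def build_commit_script(list_tables_output, ruleset_text):
    """Prepend the flush statements to the ruleset so `nft -f -` applies both in one transaction.

    Flushing per table, instead of 'flush ruleset', keeps the tables themselves
    (and therefore the objects the flush does not touch) while replacing their rules.
    """
    flushes = flush_statements(parse_table_list(list_tables_output))
    if not flushes:
        return ruleset_text
    return "\n".join(flushes) + "\n\n" + ruleset_text


def live_table_list():
    """Query the running kernel; needs the nft binary and CAP_NET_ADMIN."""
    result = subprocess.run(["nft", "list", "tables"], check=True,
                            capture_output=True, text=True)
    return result.stdout


def commit(ruleset_text, dry_run=True):
    """Assemble the script and, unless dry_run, feed it to `nft -f -` on stdin."""
    script = build_commit_script(live_table_list(), ruleset_text)
    if not dry_run:
        subprocess.run(["nft", "-f", "-"], input=script, check=True, text=True)
    return script


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no nft invocation.
    print(build_commit_script(SAMPLE_LIST_TABLES, SAMPLE_RULESET))
```

Running the module prints the assembled script for the sample; 'nft -c -f' can be pointed at the same text to check it before a real commit, which maps onto the 'check' function of the wrapper described above.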