On 11/6/2020 7:24 AM, Martin Gignac wrote:
I think I just answered my previous question:
Does prepending the "more destructive" 'flush ruleset' statement at
the very beginning of the 'firewall.nft' file still honor the
"atomicity" guarantee of running 'nft -f' against this file, or is this
guarantee only honored when prepending 'flush table' statements? In
other words, is there a minute period after running 'flush ruleset' in
my file where the node is unprotected?
According to https://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level:
BACKUP/RESTORE
You can combine these two commands above to backup your ruleset:
% echo "nft flush ruleset" > backup.nft
% nft list ruleset >> backup.nft
The above could also be condensed into a single line (assuming a
Bourne-based shell):
$ { echo 'nft flush ruleset'; nft list ruleset; } > backup.nft
Which can be useful for writing backup.nft in one go.
And load it atomically:
% nft -f backup.nft
I interpret this to mean that my original method of doing things is as
atomic as using 'flush table <tablename>', even if it is more
destructive. I guess going forward I will have to make sure to prepend
'flush table' statements for every individual table I refer to in my
'firewall.nft' file.
--
gfish