Re: delete matching rule like it can be done in case of iptables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Amish

Le 06/12/2021 à 14:30, Amish a écrit :
On 06/12/21 18:41, Pablo Neira Ayuso wrote:
On Sun, Dec 05, 2021 at 05:25:29PM +0530, Amish wrote:
Hello,

nftables wiki [1] mentions this:

Note: There are plans to support rule deletion by passing:
% nft delete rule filter output ip saddr 192.168.1.1 counter
Any idea when will this happen? Because I thought it was very important
feature. (unless I missed an alternate way to do it)

I want to migrate from iptables to nftables (from many years) but deleting a
rule via script is not as easy as in case of iptables.

Obtaining the handle first and then deleting it is difficult
programmatically.
You can use --echo and --handle options to fetch the rule handle.

  # nft -e -a  add rule x y counter
  add rule ip x y counter packets 0 bytes 0 # handle 3
  # new generation 5 by process 91190 (nft)

Well then I need to keep recording each rule addition somewhere so that I can delete by handle in future.

Some rules are added manually, some added by scripts. Scripts may want to remove manually added rule.

So its not as easy like in iptables.
In a script you can use eg

myhandle=$(echo `$nft -sa list chain ip mangle prerouting |grep -F "ct state new counter jump MAIN"|grep -oP '(# handle ).*'`|cut -d " " -f 3)
$fwtables delete rule ip mangle prerouting handle $myhandle

and you're done. ip, mangle prerouting and rule to delete could be sended as parameters in a bash function for instance.

[...]

--
Daniel



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux