Hi Amish
On 06/12/2021 at 14:30, Amish wrote:
On 06/12/21 18:41, Pablo Neira Ayuso wrote:
On Sun, Dec 05, 2021 at 05:25:29PM +0530, Amish wrote:
Hello,
nftables wiki [1] mentions this:
Note: There are plans to support rule deletion by passing:
% nft delete rule filter output ip saddr 192.168.1.1 counter
Any idea when this will happen? Because I thought it was a very important
feature (unless I missed an alternate way to do it).
I want to migrate from iptables to nftables (for many years) but deleting a
rule via script is not as easy as in the case of iptables.
Obtaining the handle first and then deleting it is difficult
programmatically.
You can use --echo and --handle options to fetch the rule handle.
# nft -e -a add rule x y counter
add rule ip x y counter packets 0 bytes 0 # handle 3
# new generation 5 by process 91190 (nft)
Well then I need to keep recording each rule addition somewhere so
that I can delete by handle in future.
Some rules are added manually, some added by scripts. Scripts may want
to remove manually added rules.
So it's not as easy as in iptables.
In a script you can use e.g.

# $nft / $fwtables hold the path to the nft binary; -s (--stateless) drops
# the counter values, -a (--handle) appends "# handle N" to each rule.
myhandle=$($nft -sa list chain ip mangle prerouting \
    | grep -F "ct state new counter jump MAIN" \
    | grep -oP '(# handle ).*' | cut -d " " -f 3)
$fwtables delete rule ip mangle prerouting handle $myhandle

and you're done. ip, mangle prerouting and the rule to delete could be
sent as parameters in a bash function for instance.
[...]
--
Daniel
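The two approaches in this thread (capture the handle with `nft -e -a add rule` at add time, or look it up from `nft -s -a list chain` at delete time) as a set of sh functions, added here as an example; this is not code from the thread or from the nftables project. It assumes the "... # handle N" listing format shown above, matches the rule text exactly rather than by substring (so "ct state new counter jump MAIN" does not also match a "... jump MAIN2" rule), and refuses to pick one of several identical rules. The rule text has to be compared against what `nft list` prints, which is not always what was typed (e.g. `iif lo` is printed as `iif "lo"`). The sample listing is constructed for the offline demonstration; `add_rule` and `delete_rule` need a live nft and root.

```shell
#!/bin/sh
# Added example, not code from the thread or from nftables. Assumes the
# "# handle N" format of `nft -s -a list chain` shown in the thread.

# find_handle RULE
# Reads `nft -s -a list chain ...` output on stdin and prints the handle of
# the one rule whose text is exactly RULE. Exit 1: no match, exit 2: ambiguous.
find_handle() {
    RULE="$1" awk '
        /# handle [0-9]+$/ {
            body = $0
            sub(/[ \t]*# handle [0-9]+$/, "", body)   # drop the handle comment
            sub(/^[ \t]+/, "", body)                  # drop listing indentation
            if (body == ENVIRON["RULE"]) { n++; handle = $NF }
        }
        END {
            if (n == 0) exit 1
            if (n > 1) exit 2
            print handle
        }'
    rc=$?
    case $rc in
        1) echo "find_handle: no rule matches: $1" >&2 ;;
        2) echo "find_handle: more than one rule matches: $1" >&2 ;;
    esac
    return $rc
}

# handle_from_echo
# Extracts the handle from `nft -e -a add rule ...` output, e.g.
#   add rule ip x y counter packets 0 bytes 0 # handle 3
handle_from_echo() {
    awk '/^add rule .* # handle [0-9]+$/ { print $NF; found = 1; exit }
         END { exit !found }'
}

# add_rule FAMILY TABLE CHAIN RULE...
# Adds the rule and prints its handle so the caller can record it.
add_rule() {
    family="$1"; table="$2"; chain="$3"; shift 3
    nft -e -a add rule "$family" "$table" "$chain" "$@" | handle_from_echo
}

# delete_rule FAMILY TABLE CHAIN RULE
# Finds the rule by its exact text in the live ruleset and deletes it by
# handle. Handles do not survive a ruleset flush, so look up and delete
# back to back rather than caching the handle.
delete_rule() {
    family="$1"; table="$2"; chain="$3"; rule="$4"
    handle=$(nft -s -a list chain "$family" "$table" "$chain" | find_handle "$rule") || return $?
    nft delete rule "$family" "$table" "$chain" handle "$handle"
}

# Constructed sample of `nft -s -a list chain ip mangle prerouting` output
# (not a real ruleset), including two identical "counter" rules.
sample_listing() {
    cat <<'EOF'
table ip mangle { # handle 2
    chain prerouting { # handle 1
        type filter hook prerouting priority mangle; policy accept;
        iif "lo" accept # handle 5
        ct state new counter jump MAIN # handle 7
        ct state new counter jump MAIN2 # handle 8
        counter # handle 9
        counter # handle 10
    }
}
EOF
}

# Offline demonstration against the constructed listing.
sample_listing | find_handle 'ct state new counter jump MAIN'      # prints 7
sample_listing | find_handle 'counter' || echo "exit status $?"    # ambiguous: exit status 2
```

In a real script the only difference from Daniel's one-liner is the exact comparison and the error path: with his `grep -F`, a second rule containing the same text, or two identical rules, silently yields two handles and a broken `nft delete rule ... handle 7 9` command, whereas here the delete is refused.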