On 07/12/21 14:02, Daniel wrote:
Amish
Le 07/12/2021 à 06:29, Amish a écrit :
On 06/12/21 19:17, Daniel wrote:
Hi Amish
Le 06/12/2021 à 14:30, Amish a écrit :
On 06/12/21 18:41, Pablo Neira Ayuso wrote:
On Sun, Dec 05, 2021 at 05:25:29PM +0530, Amish wrote:
Hello,
nftables wiki [1] mentions this:
Note: There are plans to support rule deletion by passing:
% nft delete rule filter output ip saddr 192.168.1.1 counter
Any idea when will this happen? Because I thought it was very
important
feature. (unless I missed an alternate way to do it)
I want to migrate from iptables to nftables (from many years) but
deleting a
rule via script is not as easy as in case of iptables.
Obtaining the handle first and then deleting it is difficult
programmatically.
You can use --echo and --handle options to fetch the rule handle.
# nft -e -a add rule x y counter
add rule ip x y counter packets 0 bytes 0 # handle 3
# new generation 5 by process 91190 (nft)
Well then I need to keep recording each rule addition somewhere so
that I can delete by handle in future.
Some rules are added manually, some added by scripts. Scripts may
want to remove manually added rule.
So its not as easy like in iptables.
In a script you can use eg
myhandle=$(echo `$nft -sa list chain ip mangle prerouting |grep -F
"ct state new counter jump MAIN"|grep -oP '(# handle ).*'`|cut -d "
" -f 3)
$fwtables delete rule ip mangle prerouting handle $myhandle
and you're done. ip, mangle prerouting and rule to delete could be
sended as parameters in a bash function for instance.
[...]
Hi Daniel
Thank you for your reply.
This actually is my basic problem. Rules are complex. They are not as
simple as above example.
Hence the parsing (grepping) is not straight forward like in above
example.
state may not always be "new". (can be established or related or both)
There may not always be counter in rule.
Some rules may have anonymous sets.
Some rules may have TCP port redirection.
So on ...
I can not write a script for each and every combination to detect the
handle.
In case of iptables I can delete the rule by giving exact same
expression except instead of giving -A, I just have to give -D.
You don't understand the purpose of the abvoe exemple. More clear:
#!/bin/bash
MyFct {
myhandle=$(echo `$nft -sa list chain $1 $2 $3 |grep -F $4|grep -oP '(#
handle ).*'`|cut -d " " -f 3)
$fwtables delete rule $1 $2 $3 handle $myhandle
}
MyFct ip mangle prerouting "ct state new counter jump MAIN"
or
MyFct ip6 filter input "iif \"lan\" ct state invalid drop"
or whatever rule you want to delete
Thank you but problem with this is that you need to know order of
strings in nft output.
i.e. if ct state will be first or iif "lan" will be first. What will be
quoted and what will not be quoted?
In above examples it looks easy to grep but when your rule gets complex
(src, dst, ports etc. multiple checks), you dont really know the exact
output order is expected when grepping the full string.
What if nft changes output format (order) slightly in future, all my
scripts will start breaking.
Hence this approach is not an elegant one.
Regards,
Amish.
