Re: delete matching rule like it can be done in case of iptables

Hi there,

On Wed, 8 Dec 2021, Jozsef Kadlecsik wrote:

On Wed, 8 Dec 2021, G.W. Haywood wrote:
On Tue, 7 Dec 2021, Daniel wrote:

myhandle=$(echo `$nft -sa list chain $1 $2 $3 |grep -F $4|grep -oP '(# handle ).*'`|cut -d " " -f 3)

To me, quite apart from the reliance on a bunch of system utilities
which I'd really prefer to avoid in an operation of this kind, that
looks unnecessarily complex and rather fragile.

This whole discussion suggests that something is missing from nft.

I know not all kinds of rulesets can be managed thus, but I suggest relying
heavily on sets and maps in nft. In lots of cases one can achieve technically
static rules while the ruleset is fully dynamic, because all the
modifications happen in the sets/maps.

With your help, as you know, I already do that using ipsets - but the few
'technically static' rules are all iptables rules.  I have tried very hard
to find a reason to switch from iptables to nft, but so far I have failed
(a) fully to grasp the nft syntax and (b) to find that (e|i)llusive reason. :)

--

73,
Ged.
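The one-liner quoted above finds a rule's handle by grepping `nft -a list chain` output and then cutting a field out of the joined matches, which silently picks the first handle when several rules match the pattern. As an added example that is not part of the thread, here is the same lookup written as a POSIX shell function over a constructed copy of `nft -a list chain inet filter input` output (so it runs without an nft binary), refusing to return anything when the pattern is ambiguous. The names `SAMPLE_LISTING`, `find_handle` and `delete_rule_cmd` are chosen here; the listing format is the ordinary nft one, with the `# handle N` annotation that `-a` adds.

```shell
#!/bin/sh
# Added example (not from the thread): look up an nft rule handle from
# `nft -a list chain` output and build the matching `nft delete rule` command.
# SAMPLE_LISTING is a constructed stand-in for the real listing, so this runs
# without an nft binary; find_handle and delete_rule_cmd are names chosen here.

SAMPLE_LISTING='table inet filter {
    chain input { # handle 1
        type filter hook input priority filter; policy drop;
        ct state established,related accept # handle 4
        iif "lo" accept # handle 5
        tcp dport 22 accept # handle 6
        tcp dport 22 accept comment "dup" # handle 7
    }
}'

# find_handle LISTING PATTERN
# Prints the handle of the one rule whose body contains PATTERN as a fixed
# string.  Exit 1: no rule matches.  Exit 2: several rules match, and nothing
# is printed rather than silently taking the first one (as the cut-based
# one-liner does).  Only awk is needed, no GNU grep -P.
find_handle() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /# handle [0-9]+$/ {
            body = $0
            sub(/ *# handle [0-9]+$/, "", body)            # strip the annotation
            if (substr(body, length(body), 1) == "{") next  # chain header, not a rule
            if (index(body, pat) > 0) { n++; handle = $NF } # $NF is the handle number
        }
        END {
            if (n == 1) { print handle; exit 0 }
            if (n == 0) exit 1
            exit 2
        }'
}

# delete_rule_cmd FAMILY TABLE CHAIN HANDLE
# Prints the delete command instead of running it.  Handles are only meaningful
# for the ruleset as currently loaded, so look up and delete in one step.
delete_rule_cmd() {
    printf 'nft delete rule %s %s %s handle %s\n' "$1" "$2" "$3" "$4"
}

# Demonstration; on a real host the listing would come from
#   listing=$(nft -a list chain inet filter input)
if handle=$(find_handle "$SAMPLE_LISTING" 'iif "lo"'); then
    delete_rule_cmd inet filter input "$handle"
else
    echo "no unique match for pattern" >&2
fi
```

Matching on the rule body with the handle annotation stripped means a pattern such as `handle` cannot match the annotation itself, and the chain header line is skipped so a pattern like `input` does not resolve to the chain's handle. When two rules differ only in their comment, as handles 6 and 7 do above, the caller has to pass a pattern that includes the comment.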


