On 11/02/2022 00:14, Pablo Neira Ayuso wrote:
>> Both the ability to flush the ruleset and replace it with the new one
>> atomically, without leaving an unprotected window, and the existence of named
>> sets and maps, that can be updated dynamically when e.g. interfaces or routes
>> are added and removed, are awesome features of nftables.
>>
>> The problem is, though, how to make these two features play nice with one
>> another. One use case that I have in mind is to replace the collection of rules
>> in chains with a new improved version, while keeping (or dumping and later
>> restoring) the contents of named maps and sets.
>
> So you would like to replace one chain and its rules by a new chain
> also containing new rules...

More like, potentially multiple chains changed / added / removed, but the new
chains continue to reference the same maps and sets (precisely because I want
to preserve dynamically accumulated state).

>> Saving the data from maps and sets with a separate command before
>> reload of the ruleset, and repopulating after leaves a window during
>> which dynamic updates may be lost, and a window during which the set
>> operates with unpopulated maps/sets.
>
> ... and you would like that sets/maps remain in the kernel while this
> chain replacement operation happens.

Yes, either that, or dumped "somewhere" and loaded back after reload, all in
the same transaction.

>> What would be the recommended way to solve this problem?
>
> If what I describe above is accurate, then you could run a batch like this:
>
> # nft -f update.nft
> flush chain x y
> chain x y {
>   ... # new rules here
> }

Yes, actually this should work! I can dump the ruleset, find all chains, and
construct a batch that flushes them all, and then loads the new configuration
on top of the remaining maps and sets. A little complicated, but should work.

What potentially could help for such a use case is a command like

flush chain * * *

i.e. flush all chains in the ruleset, but keep other named objects. I could put
it in /etc/nftables.conf instead of `flush ruleset` and stop worrying :)

Thanks for the hint!

Eugene
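The procedure Eugene sketches (dump the ruleset, find every chain, emit a batch that flushes them all and then loads the new rules while sets and maps stay in the kernel) can be mechanised. The script below is an added example written for this thread; it is not code from the thread or from the nftables project. It is in Python rather than shell only because parsing the dump is easier there; it assumes the JSON that `nft -j list ruleset` prints (a list of objects under `"nftables"`, each keyed by its kind: `"table"`, `"chain"`, `"set"`, `"map"`, `"rule"`), and the sample dump and replacement config inside it are constructed. The function names (`list_chains`, `build_batch`, the `retire` argument) are the example's own.

```python
"""Build one nft batch that empties every chain but preserves named sets and maps.

Added example for this thread, not code from the thread or from the nftables
project. Assumes the libnftables JSON that `nft -j list ruleset` prints.
"""
import json

# Constructed sample dump: one table holding a dynamic set, a verdict map,
# a base chain and a regular chain. Handles are illustrative.
SAMPLE_RULESET_JSON = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"set": {"family": "inet", "name": "blocked", "table": "filter",
             "type": "ipv4_addr", "handle": 2, "flags": ["dynamic", "timeout"]}},
    {"map": {"family": "inet", "name": "port2chain", "table": "filter",
             "type": "inet_service", "map": "verdict", "handle": 3}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 4,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    {"chain": {"family": "inet", "table": "filter", "name": "services", "handle": 5}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 6,
              "expr": [{"match": {"op": "==",
                                  "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                                  "right": "@blocked"}},
                       {"drop": None}]}},
]})

# Constructed replacement ruleset: chains are redefined; the set and the map
# are only referenced, never declared, so the batch cannot recreate them empty.
NEW_RULES = """table inet filter {
\tchain input {
\t\ttype filter hook input priority filter; policy drop;
\t\tct state established,related accept
\t\tip saddr @blocked drop
\t\ttcp dport vmap @port2chain
\t}
\tchain services {
\t\ttcp dport 22 accept
\t}
}
"""

# Statements that would discard the very state the batch is meant to keep.
DESTRUCTIVE = ("flush ruleset", "flush table", "delete table", "delete set",
               "delete map", "flush set", "flush map")


def list_chains(ruleset_json):
    """Return (family, table, chain) for every chain in the dump, in dump order."""
    objs = json.loads(ruleset_json)["nftables"]
    return [(o["chain"]["family"], o["chain"]["table"], o["chain"]["name"])
            for o in objs if "chain" in o]


def list_state_objects(ruleset_json):
    """Return (kind, family, table, name) for named sets and maps; these stay untouched."""
    objs = json.loads(ruleset_json)["nftables"]
    return [(kind, o[kind]["family"], o[kind]["table"], o[kind]["name"])
            for o in objs for kind in ("set", "map") if kind in o]


def unsafe_statements(new_rules):
    """Return the destructive statements present in the replacement config, if any."""
    body = " ".join(new_rules.split())  # normalise whitespace so "flush\tset" is caught too
    return [s for s in DESTRUCTIVE if s in body]


def build_batch(ruleset_json, new_rules, retire=()):
    """Emit one nft batch: flush all chains, delete retired ones, then load new rules.

    `retire` lists (family, table, chain) triples the new config no longer
    defines; a merely flushed base chain would otherwise stay hooked with its policy.
    """
    bad = unsafe_statements(new_rules)
    if bad:
        raise ValueError("replacement config would drop kept state: %s" % ", ".join(bad))
    chains = list_chains(ruleset_json)
    retire = set(retire)
    unknown = retire - set(chains)
    if unknown:
        raise ValueError("retire names chains not in the dump: %s" % sorted(unknown))
    lines = ["# generated batch: apply with `nft -f` so it lands in one transaction"]
    # Flush first so no rule still jumps to a chain deleted below.
    lines += ["flush chain %s %s %s" % c for c in chains]
    lines += ["delete chain %s %s %s" % c for c in chains if c in retire]
    lines.append(new_rules.rstrip("\n"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_batch(SAMPLE_RULESET_JSON, NEW_RULES))
```

Feed the generated text to `nft -f` (on a live system, replace the constructed dump with the output of `nft -j list ruleset`), so the flushes and the new rules commit as a single transaction and no packet is evaluated against a half-replaced ruleset. Two points the prose above only implies: `flush chain` empties a chain but leaves it registered, so a base chain the new config drops keeps its hook and policy until it is deleted, which is what the `retire` argument is for; and the generator refuses a replacement config containing `flush ruleset`, `flush table` or a set/map deletion, since any of those would throw away the accumulated set and map contents that the whole exercise exists to keep.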