On Sat, 19 Oct 2024, at 5:35 PM, Telbat Diordna wrote:

> CAP_NET_ADMIN opens the door way too wide, while the older iptables
> method allowed access-limitations/permissions per directory (=ruleset)

If you cannot bring yourself to trust a homebrew BINFMT_ELF executable with the CAP_NET_ADMIN capability, another option would be to write a simple shell script to wrap nft(8), then compose a suitable policy for use with sudo(8). The paradox would be that sudo opens the door wider initially, on account of having the setuid bit be enabled.

> Can I read your answer in that way, that I still have to use iptables
> and can't migrate to nftables, when I wish to use this feature?

Yes, for the following reasons.

- no procfs interface exists to modify a ruleset or its objects
- nftables cannot integrate with xtables extensions unless using iptables-nft
- the procfs interface you are using is implemented by an xtables extension (xt_recent)

--
Kerin Millar
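A wrapper of the kind the reply describes, added here as an example and not taken from the thread: a POSIX sh script that a sudoers rule grants in place of nft(8) itself, so the caller gets a fixed vocabulary of operations rather than the whole netfilter API. The table family, table name and set name (inet filter blocklist) are hypothetical.

```shell
#!/bin/sh
# nft-wrap: the only command a sudoers rule needs to grant, e.g.
#   %netops ALL=(root) NOPASSWD: /usr/local/sbin/nft-wrap
# Every argument is validated before anything reaches nft(8), so the grant
# cannot be widened into "run arbitrary nft commands".
# Hypothetical object names; adjust to the ruleset actually in use.
TABLE_FAMILY=inet
TABLE_NAME=filter
SET_NAME=blocklist
NFT=${NFT:-/usr/sbin/nft}

# valid_ipv4 ADDR: returns 0 for a dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty fields
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_cmd OP [ADDR]: prints the nft argument list for an allowed operation
# (add ADDR, del ADDR, list); returns 1 for anything outside that vocabulary.
build_cmd() {
    case $1 in
        add|del|delete)
            valid_ipv4 "$2" || return 1
            op=$1; [ "$op" = delete ] && op=del
            printf '%s element %s %s %s { %s }\n' \
                "$op" "$TABLE_FAMILY" "$TABLE_NAME" "$SET_NAME" "$2"
            ;;
        list)
            printf 'list set %s %s %s\n' "$TABLE_FAMILY" "$TABLE_NAME" "$SET_NAME"
            ;;
        *) return 1 ;;
    esac
}

# run_wrapper ARGS...: vet the request, then hand the vetted tokens to nft.
run_wrapper() {
    args=$(build_cmd "$@") || { echo "usage: $0 {add|del} IPv4 | list" >&2; exit 2; }
    set -f                                   # vetted tokens contain no glob characters, but be explicit
    exec "$NFT" $args                        # intentional word splitting of the vetted list
}

if [ $# -gt 0 ]; then run_wrapper "$@"; fi
```

Invoked as `sudo nft-wrap add 203.0.113.7`, the script execs `nft add element inet filter blocklist { 203.0.113.7 }` and nothing else; `sudo nft-wrap flush ruleset` is rejected before nft is ever run.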