On Sat, Oct 19, 2024 at 08:35:36PM +0100, Kerin Millar wrote:
> On Sat, 19 Oct 2024, at 5:35 PM, Telbat Diordna wrote:
> > CAP_NET_ADMIN opens the doorways too wide, while the older iptables
> > method allowed access-limitations/permissions per directory (=ruleset)
>
> If you cannot bring yourself to trust a homebrew BINFMT_ELF
> executable with the CAP_NET_ADMIN capability, another option would
> be to write a simple shell script to wrap nft(8) then compose a
> suitable policy for use with sudo(8). The paradox would be that sudo
> opens the door wider initially, on account of having the setuid bit
> enabled.
>
> > Can I read your answer in that way, that I still have to use iptables
> > and can't migrate to nftables, when I wish to use this feature?
>
> Yes, for the following reasons.
>
> - no procfs interface exists to modify a ruleset or its objects
> - nftables cannot integrate with xtables extensions unless using iptables-nft
> - the procfs interface you are using is implemented by an xtables extension (xt_recent)

For the record: We have absolutely **no** plans to provide a procfs interface to populate sets.
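Kerin's suggestion above (wrap nft(8) in a script and grant only that script through sudo(8)), as an added example that is not from this thread or the nftables project: the wrapper accepts exactly one action and one IPv4 address, validates both, and only then passes them to nft for a single fixed set. The table name `inet filter`, the set name `blocklist`, the nft path and the script name `nft-blocklist` are assumptions.

```shell
#!/bin/sh
# nft-blocklist: minimal nft(8) wrapper for use via sudo(8).
# Assumes set "blocklist" (type ipv4_addr) exists in table "inet filter".
set -eu

NFT=/usr/sbin/nft            # assumed install path of nft
TABLE="inet filter"
SETNAME="blocklist"

# Accept only a dotted-quad IPv4 address. sudo hands us untrusted argv,
# so nothing else may reach nft's command line.
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the exact nft invocation for a validated request; anything else
# is rejected before the ruleset is touched (also lets us test offline).
nft_cmd() {
    action=$1; addr=$2
    case "$action" in
        add|delete) ;;
        *) return 1 ;;
    esac
    valid_ipv4 "$addr" || return 1
    printf '%s %s element %s %s { %s }\n' "$NFT" "$action" "$TABLE" "$SETNAME" "$addr"
}

main() {
    # Argument count is checked here because a sudoers wildcard such as
    # "nft-blocklist add *" also matches several words, not just one.
    [ "$#" -eq 2 ] || { echo "usage: ${0##*/} add|delete IPV4" >&2; exit 2; }
    cmd=$(nft_cmd "$1" "$2") || { echo "rejected: $*" >&2; exit 1; }
    set -- $cmd
    exec "$@"
}

# Only act when installed under the name the sudoers rule names, e.g.
#   operator ALL=(root) NOPASSWD: /usr/local/sbin/nft-blocklist add *, \
#                                 /usr/local/sbin/nft-blocklist delete *
case "${0##*/}" in nft-blocklist) main "$@" ;; esac
```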