Re: nft table flags documentation

On Wed, 18 Dec 2024, at 12:09 PM, Jan Kasprzak wrote:
> Hello, netfilter users,
>
> I am in a (long overdue) process of converting my iptables-based scripts
> on my servers to nftables. I am also looking at what setup other users have
> - I examined e.g. the configuration created by firewalld, and there are
> some parts which I cannot understand from either nft(8) or nftables wiki:
>
>> $ nft list ruleset
>> ...
>> table inet firewalld { # progname firewalld
>>         flags owner,persist
>
> - where can I find what these flags mean, and what other flags are supported?
> nft(8) lists only a "dormant" flag in the TABLES section, but not owner
> nor persist.

https://git.netfilter.org/nftables/diff/doc/nft.txt?id=4955ae1a81b73f9a61b7fbf1a73e11544513548e

For your convenience, below is a textual rendition of the relevant section of the man page, as of nftables v1.1.1.

       Table 4. Table flags
       ┌─────────┬─────────────────────────┐
       │ Flag    │ Description             │
       ├─────────┼─────────────────────────┤
       │         │                         │
       │ dormant │ table is not evaluated  │
       │         │ any more (base chains   │
       │         │ are unregistered).      │
       ├─────────┼─────────────────────────┤
       │         │                         │
       │ owner   │ table is owned by the   │
       │         │ creating process.       │
       ├─────────┼─────────────────────────┤
       │         │                         │
       │ persist │ table shall outlive the │
       │         │ owning process.         │
       └─────────┴─────────────────────────┘

       Creating a table with flag owner excludes other processes from
       manipulating it or its contents. By default, it will be removed
       when the process exits. Setting flag persist will prevent this
       and the resulting orphaned table will accept a new owner, e.g. a
       restarting daemon maintaining the table.

Also, https://forums.rockylinux.org/t/rocky-9-5-breaks-netfilter/16551/5.

-- 
Kerin Millar
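Added example, not part of the thread: a small Python script that parses the `nft list ruleset` output format quoted above and reports tables created with `owner` but without `persist`, since the man page text says such a table is removed when the owning process exits (leaving its chains and rules gone until the daemon restarts). The sample ruleset, `parse_tables` and `audit_owner_flags` are constructed here; only the `flags owner,persist` line mirrors the thread.

```python
import re

# Constructed sample of `nft list ruleset` output (not captured from a real host).
SAMPLE_RULESET = """\
table inet firewalld { # progname firewalld
        flags owner,persist
        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
        }
}
table inet mydaemon { # progname mydaemon
        flags owner
        chain input {
                type filter hook input priority filter; policy drop;
        }
}
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
        }
}
"""

# "table <family> <name> {" optionally followed by nft's "# progname <name>" comment.
TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{\s*(?:#\s*progname\s+(\S+))?")
# "flags a,b" at table scope (depth 1).
FLAGS_RE = re.compile(r"^\s*flags\s+([\w,\s]+?)\s*$")

def parse_tables(ruleset: str) -> list[dict]:
    """Return one dict per table: family, name, progname (or None), flags (set)."""
    tables, current, depth = [], None, 0
    for line in ruleset.splitlines():
        m = TABLE_RE.match(line)
        if m and depth == 0:
            current = {"family": m.group(1), "name": m.group(2),
                       "progname": m.group(3), "flags": set()}
            tables.append(current)
        elif current is not None and depth == 1:
            fm = FLAGS_RE.match(line)
            if fm:
                current["flags"] = {f.strip() for f in fm.group(1).split(",")}
        depth += line.count("{") - line.count("}")  # track nesting
        if depth == 0:
            current = None  # closed the table block
    return tables

def audit_owner_flags(tables: list[dict]) -> list[str]:
    """Report owner-only tables: they vanish with their owning process."""
    return [f"{t['family']} {t['name']}: owner without persist "
            f"(removed when {t['progname'] or 'owner'} exits)"
            for t in tables
            if "owner" in t["flags"] and "persist" not in t["flags"]]

if __name__ == "__main__":
    for finding in audit_owner_flags(parse_tables(SAMPLE_RULESET)):
        print(finding)
```

On a live host, feed it the output of `nft list ruleset` instead of the constructed sample.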
