From: Pablo Neira Ayuso <pablo@netfilter.org>
To: leroy christophe <christophe.leroy@c-s.fr>
Cc: netfilter@vger.kernel.org
Subject: Re: issue with nftable - goto : Operation not supported
Date: Wed, 26 Nov 2014 19:13:12 +0100 [thread overview]
Message-ID: <20141126181312.GA25447@salvia> (raw)
In-Reply-To: <5476152E.8010400@c-s.fr>
On Wed, Nov 26, 2014 at 07:00:14PM +0100, leroy christophe wrote:
>
> > On 26/11/2014 18:47, Pablo Neira Ayuso wrote:
> >Use 'nft -f file' to load your ruleset instead of scripts.
> >Otherwise the rule-set is not loaded atomically, and it will also
> >take longer to load your ruleset. Please, help spread the word,
> >people should use nft -f.
>
> I wanted to use 'nft -f' at the beginning but I faced some issues.
>
> How is 'nft -f' to be used? Does it take as input the output of
> 'nft list table filter'?
Yes.
> I tried it, it adds rules but doesn't remove the previous ones. How
> can I replace previous rules in one go with 'nft -f' ?
You have to prepend:
flush table filter
to the output of 'nft list table filter'.
Since 3.18, you can also use:
flush ruleset
that removes everything, including the existing table and chain
configuration.
http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level
> How can it interpret the below output which seems buggy ?
>
> root@vgoip:~# nft list table filter
> table ip filter {
>     chain input {
>         type filter hook input priority 0;
>         oifname "lo" accept
>         ip protocol icmp accept
>         ct state 8 unknown unknown 0x16 [invalid type] accept
>         ct state { 4, 2} accept
>         reject with icmp type 10
>     }
What is the original ruleset you loaded? This should not happen. Any
relevant information regarding your testbed?
>     chain forward {
>         type filter hook forward priority 0;
>         drop
>     }
> }
>
> Looks like it dumps using numeric values, but crashes when trying to
> use those numeric values
>
> root@vgoip:~# nft add rule filter input ct state { 4, 2} accept
> Segmentation fault (core dumped)
>
> https://wiki.archlinux.org/index.php/nftables says that "nft -f" is
> not atomic. Is it wrong?
Yes, I just fixed that and made a quick review to that wiki page.
Please, better look at the nftables wiki page:
http://wiki.nftables.org
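As an added example (not code from this thread), a complete ruleset file for 'nft -f' that follows the advice above: 'flush ruleset' comes first so the load replaces the previous configuration in one transaction, and the matches are written with symbolic names instead of the numeric values from the broken dump. Assumptions: '{ 4, 2 }' is taken to mean the related and established conntrack states and 'icmp type 10' the host-prohibited unreachable code, and the loopback rule uses iifname because the output interface is not known on the input hook.

```nft
# Added example ruleset for 'nft -f' (not from the thread).
# The whole file is committed as one transaction: the old rules vanish
# and the new ones appear in a single step, which a shell script made of
# separate 'nft add' commands cannot guarantee.

# Remove every existing table, chain and rule before redefining them.
# 'flush ruleset' needs kernel 3.18 or later; on older kernels use
# 'flush table filter' instead, which keeps the table and its chains.
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0;

        # Loopback traffic: iifname rather than the dump's oifname, since
        # the output interface is not set on the input hook.
        iifname "lo" accept

        ip protocol icmp accept

        # Symbolic names instead of the numeric '{ 4, 2 }' from the dump;
        # assumed to mean established (2) and related (4).
        ct state established,related accept

        # Everything else on the input path is rejected; host-prohibited is
        # assumed to be what the dump's 'icmp type 10' encodes.
        reject with icmp type host-prohibited
    }

    chain forward {
        type filter hook forward priority 0;
        drop
    }
}
```

Save it as a file and load it with 'nft -f /path/to/file'; rerunning the same command after editing the file replaces the ruleset again atomically.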