From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Jan Engelhardt <jengelh@inai.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH iptables-nft] iptables-nft: allow removal of empty builtin chains
Date: Sun, 15 Aug 2021 16:27:34 +0200 [thread overview]
Message-ID: <20210815142734.GA31050@salvia> (raw)
In-Reply-To: <20210815141414.GJ607@breakpoint.cc>
On Sun, Aug 15, 2021 at 04:14:14PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > But we really do not need NLM_F_NONREC for this new feature, right? I
> > mean, a quick shortcut to remove the basechain and its content should
> > be fine.
>
> Would deviate a lot from iptables behaviour.
It's a new feature: you could still keep NLM_F_NONREC in place, and
only allow removing one chain (with no rules) at a time if you
prefer, i.e.
iptables-nft -K INPUT -t filter
or -X if you prefer to overload the existing command.
> > > No, I don't think so. I would prefer if
> > > iptables-nft -F -t filter
> > > iptables-nft -X -t filter
> > >
> > > ... would result in an empty "filter" table.
> >
> > Your concern is that this would change the default behaviour?
>
> Yes, maybe ok to change it though. After all, a "iptables-nft -A INPUT
> ..." will continue to work just fine (its auto-created again).
>
> We could check if policy is still set to accept before implicit
> removal in the "iptables-nft -X" case.
That's possible yes, but why force the user to change the policy from
DROP to ACCEPT to delete an empty basechain right thereafter?
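The check Florian proposes (only implicitly remove a builtin chain when it is empty and its policy is still ACCEPT) is about fail-open behaviour: once a base chain with a DROP policy is gone, nothing in that hook filters traffic any more. The script below is an added example, not code from the patch or from the iptables project; it classifies the chains of one table from iptables-save(8)-style output so that an operator can see which empty builtin chains a policy-aware `-X` would delete and which it would refuse. The sample ruleset, the function names and the output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the thread or of iptables-nft): classify chains
# from iptables-save(8)-style text read on stdin. Assumed input format:
#   :CHAIN POLICY [pkts:bytes]   declares a chain; POLICY is "-" for user chains
#   -A CHAIN ...                 appends one rule to CHAIN
# Output (one line per chain, in declaration order):
#   CHAIN policy=POLICY rules=N state=STATE
# STATE is has-rules, empty-user, empty-accept, or empty-<policy> for a
# builtin chain whose non-ACCEPT policy would be lost if the chain were removed.
classify_chains() {
  awk '
    /^:/ {
      name = substr($1, 2)
      policy[name] = $2
      rules[name] = 0
      order[++n] = name
      next
    }
    /^-A / { rules[$2]++; next }
    END {
      for (i = 1; i <= n; i++) {
        c = order[i]
        if (rules[c] > 0)              state = "has-rules"
        else if (policy[c] == "-")     state = "empty-user"
        else if (policy[c] == "ACCEPT") state = "empty-accept"
        else                           state = "empty-" tolower(policy[c])
        printf "%s policy=%s rules=%d state=%s\n", c, policy[c], rules[c], state
      }
    }'
}

# Builtin chains that the proposed policy-aware "-X" would remove implicitly:
# empty AND policy ACCEPT. An empty chain with policy DROP is kept, because
# deleting it would silently turn default-deny into default-allow.
safe_to_delete() {
  classify_chains | awk '$4 == "state=empty-accept" { print $1 }'
}

# Builtin chains that would fail open if removed (empty, non-ACCEPT policy).
fail_open_if_deleted() {
  classify_chains | awk '$3 == "rules=0" && $4 ~ /^state=empty-/ && $4 != "state=empty-accept" && $4 != "state=empty-user" { print $1 }'
}

# Constructed sample ruleset (not captured from a real host).
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:mychain - [0:0]
-A OUTPUT -j mychain
COMMIT'

# Stand-alone run: print the classification, then the two verdict lists.
printf '%s\n' "$SAMPLE_RULESET" | classify_chains
printf 'would delete: %s\n' "$(printf '%s\n' "$SAMPLE_RULESET" | safe_to_delete)"
printf 'kept (fail-open hazard): %s\n' "$(printf '%s\n' "$SAMPLE_RULESET" | fail_open_if_deleted)"
```

On the sample, only FORWARD is removable under the proposed check; INPUT is empty but carries DROP, so deleting it would drop the default-deny for incoming traffic, which is exactly the case the policy check is meant to catch. Pipe a real `iptables-nft-save -t filter` into `classify_chains` to see the same verdicts for a live ruleset.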
Thread overview:
2021-08-14 17:46 [PATCH iptables-nft] iptables-nft: allow removal of empty builtin chains Florian Westphal
2021-08-14 20:18 ` Jan Engelhardt
2021-08-14 20:53 ` Florian Westphal
2021-08-15 13:12 ` Pablo Neira Ayuso
2021-08-15 13:27 ` Florian Westphal
2021-08-15 13:49 ` Pablo Neira Ayuso
2021-08-15 14:14 ` Florian Westphal
2021-08-15 14:27 ` Pablo Neira Ayuso [this message]
2021-08-15 14:36 ` Florian Westphal
2021-09-13 15:46 ` Phil Sutter
2021-09-13 16:02 ` Florian Westphal