From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [IPv6:2a0a:51c0:0:237:300::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5DEABF3 for ; Wed, 13 Dec 2023 08:45:58 -0800 (PST)
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rDSMs-0001Q6-2q; Wed, 13 Dec 2023 17:45:54 +0100
Date: Wed, 13 Dec 2023 17:45:54 +0100
From: Florian Westphal
To: Thomas Haller
Cc: Pablo Neira Ayuso, Phil Sutter, Eric Garver, netfilter-devel@vger.kernel.org, Florian Westphal
Subject: Re: [nf-next PATCH] netfilter: nf_tables: Support updating table's owner flag
Message-ID: <20231213164554.GE27081@breakpoint.cc>
References: <20231208130103.26931-1-phil@nwl.cc> <17fbf1879c790d2dd59ec6367d01002b5d3b5f3a.camel@redhat.com>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <17fbf1879c790d2dd59ec6367d01002b5d3b5f3a.camel@redhat.com>
User-Agent: Mutt/1.10.1 (2018-07-13)

Thomas Haller wrote:
> Isn't the problem to solve that `nft flush ruleset` deletes tables
> owned by somebody else (firewalld)?

If they are 'owned', then no, they are not flushed, that's one of the points of the owner thing.

> A "persist" flag sounds like a good solution. It would just have
> informational value (for user space) to be skipped by `nft flush
> ruleset`.

'flush' doesn't pass the to-be deleted tables to the kernel, so this cannot be implemented via informational tags in userspace.