trentbuck@gmail.com (Trent W. Buck) writes:

> Duncan Roe writes:
>
>> On Wed, Apr 22, 2020 at 12:34:26PM -0400, Martin Gignac wrote:
>>> > You can simply put "list ruleset" at the bottom of the foo.nft file.
>>> > However in my experience this routinely gives outright wrong rulesets
>>> > (as at nftables 0.9.1), so I don't trust it.
>>
>> "list ruleset" at the bottom of an nft script is completely accurate.
>> The command "nft list ruleset" discards portions of rules that are implicit, in the
>> interests of brevity.
>
> Sorry, I don't have a testable example.
> If I run into this again, I'll try to keep proper records so I can file
> a proper bug report!

Hooray, I got one (attached).

You can see "list ruleset" inside /etc/nftables.conf ends with

    table inet my_filter {
    }

whereas running "nft list ruleset" immediately afterwards shows all the
chains and rules that are actually there:

    table inet my_filter {
        chain my_input {
            type filter hook input priority filter; policy drop;
            jump my_prologue comment "deal with boring conntrack/loopback/ICMP/ICMPv6"
            tcp dport 22 accept
            jump my_epilogue
        }
        [...]
    }

It happens reliably if I run "nft delete table inet my_filter" before
"/etc/nftables.conf", but NOT if I run "/etc/nftables.conf" before
"/etc/nftables.conf".

To me this feels like "list ruleset" is sometimes running before the
block immediately before it.
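A way to make the discrepancy in this report checkable rather than eyeballed, as an added example that is not code from the thread or from nftables: it runs the failing sequence described above and diffs the chains printed by the trailing "list ruleset" against a separate "nft list ruleset". The path /etc/nftables.conf, the table name and the commands are the message's own; the helper names, the output file locations and the RUN_REPRO switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the ordering the report
# describes and compare the ruleset printed by the trailing "list ruleset" in
# /etc/nftables.conf with a separate "nft list ruleset" run afterwards.
# Helper names, /tmp output paths and RUN_REPRO are assumptions.

# chains_in: read a ruleset listing on stdin, print one "family table chain"
# line per chain, e.g. "inet my_filter my_input".
chains_in() {
    awk '/^table / { tbl = $2 " " $3 }
         /^[ \t]*chain / { print tbl " " $2 }'
}

# missing_chains IN_SCRIPT AFTER: print chains present in the AFTER listing
# but absent from the IN_SCRIPT listing. Returns 0 when nothing is missing,
# 1 when the in-script "list ruleset" dropped chains (the reported symptom).
missing_chains() {
    a=$(mktemp) && b=$(mktemp) || return 2
    chains_in < "$1" > "$a"
    chains_in < "$2" > "$b"
    rc=0
    while IFS= read -r chain; do
        if ! grep -qxF -- "$chain" "$a"; then
            printf '%s\n' "$chain"
            rc=1
        fi
    done < "$b"
    rm -f "$a" "$b"
    return "$rc"
}

# reproduce: the failing sequence from the report, to be run as root on a
# host whose /etc/nftables.conf is executable and ends with "list ruleset".
reproduce() {
    nft delete table inet my_filter 2>/dev/null || true
    /etc/nftables.conf > /tmp/ruleset-in-script.txt   # trailing "list ruleset"
    nft list ruleset > /tmp/ruleset-after.txt
    if missing_chains /tmp/ruleset-in-script.txt /tmp/ruleset-after.txt; then
        echo "in-script list ruleset agrees with nft list ruleset"
    else
        echo "in-script list ruleset is missing the chains listed above"
    fi
}

# Only touch the live firewall when explicitly asked to.
if [ "${RUN_REPRO:-0}" = 1 ]; then
    reproduce
fi
```

Run it as `RUN_REPRO=1 sh check-list-ruleset.sh` on the affected host; the two captured listings stay in /tmp for attaching to a bug report.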