[elpa] externals/nftables-mode 9bc4a6f589 25/41: Don't do "flush ruleset

emacs-elpa-diffs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[elpa] externals/nftables-mode 9bc4a6f589 25/41: Don't do "flush ruleset

From:	Stefan Monnier
Subject:	[elpa] externals/nftables-mode 9bc4a6f589 25/41: Don't do "flush ruleset" (i.e. expect auxiliary tables w/ race conditions)
Date:	Mon, 23 May 2022 09:27:24 -0400 (EDT)

branch: externals/nftables-mode
commit 9bc4a6f589aa57fc14836386775fefeb6dac6837
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>

    Don't do "flush ruleset" (i.e. expect auxiliary tables w/ race conditions)
---
 nftables-router.nft | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/nftables-router.nft b/nftables-router.nft
index d3ed4f134d..f91bb7c583 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -169,7 +169,11 @@
 # FIXME: I tried that, and I got locked out of SSH!
 #        What it did was remove all the rules, but NOT the chains, so
 #        the default-deny policy dropped EVERYTHING!!!
-flush ruleset
+#flush ruleset
+
+# This seems to be a viable workaround (NOTE: must do this for each table):
+add table inet my_filter        # idempotent
+delete table inet my_filter     # not idempotent
 
 
 table inet my_filter {
@@ -648,6 +652,10 @@ table inet my_filter {
 #       If you have decent internet, you will probably want to give the iface 
a logical name,
 #       then match by that name (iifname/oifname "internet").
 #
+
+# NOTE: see "nft flush ruleset" comment at top of file.
+add table ip my_nat             # idempotent
+delete table ip my_nat          # not idempotent
 table ip my_nat {
     chain my_postrouting {
         type nat hook postrouting priority srcnat

[Prev in Thread]

Current Thread

[Next in Thread]

[elpa] externals/nftables-mode a207b02bd6 40/41: Lightly edited, adding some of the normal conventions for .el files, (continued)
- [elpa] externals/nftables-mode a207b02bd6 40/41: Lightly edited, adding some of the normal conventions for .el files, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 1817c43fb9 02/41: Initial example nftables ruleset, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 242fae1e71 11/41: limit ICMP by type, tweak notes, expand on iif vs iifname, document "flush table" gotcha, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 794a6e6774 10/41: limit ICMP by type, tweak notes, expand on iif vs iifname, document "flush table" gotcha, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 8fcd04379c 08/41: bugfix and tweak, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode f00cf640fb 15/41: nftables - glob gotcha; HOW to rename ifaces; gateway (-i/-o) policy; mail reputation protection, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 6e908b1d67 17/41: Got the IPS working at last (inc IPv6), mua ha ha!, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 16adfabcec 21/41: add reminder re IPv6 ranges for SSH IPS, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 34ffd618ac 19/41: fixup! Got the IPS working at last (inc IPv6), mua ha ha!, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 166b789260 22/41: old comments, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 9bc4a6f589 25/41: Don't do "flush ruleset" (i.e. expect auxiliary tables w/ race conditions), Stefan Monnier <=
- [elpa] externals/nftables-mode 94f54f52ec 28/41: reference nftables ruleset, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 3fd8b3f79e 26/41: comment tweaks, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 760486c219 27/41: update note from sshguard, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 70b0e577a6 31/41: Debian doesn't have "pptp" in /etc/services, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 20fa3d3a55 38/41: Oops, this was never under version control before., Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 869f14abf4 34/41: Initial import., Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 3a03651cda 39/41: Old changes that I forgot to commit, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 7b031a2014 36/41: Merge remote-tracking branch 'ansible/master', Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 05600129ee 41/41: Minor changes to follow more conventions, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 9058451303 09/41: correct for Towards a Perfect Ruleset number, Stefan Monnier, 2022/05/23

Prev by Date: [elpa] externals/nftables-mode 166b789260 22/41: old comments
Next by Date: [elpa] externals/nftables-mode 94f54f52ec 28/41: reference nftables ruleset
Previous by thread: [elpa] externals/nftables-mode 166b789260 22/41: old comments
Next by thread: [elpa] externals/nftables-mode 94f54f52ec 28/41: reference nftables ruleset
Index(es):
- Date
- Thread