netfilter buglog - Jul 2024 - [Bug 1759] New: flush and delete nft commands need an option to ignore non-existant objects

https://bugzilla.netfilter.org/show_bug.cgi?id=1759

            Bug ID: 1759
           Summary: flush and delete nft commands need an option to ignore
                    non-existant objects
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: hadmut at danisch.de

Hi,

I found that it is impossible to make sure in a ruleset to just ensure that a
particular table/chain/whatever does not exist or is flushed, since the nft
delete and flush commands fail if the object does not exist. 

e.g. 


nft delete table sometests 

works if the table sometests existed, but aborts (and thus does not execute
other commands in a script like /etc/nfstables.conf) with an error if it does
not exist. 

Therefore, it is more or less useless, since it cannot be used in a script
because of the risk to break the script. 

It should be default or at least an option to have it succeed if the object
does not exist, i.e.

nft delete table sometests 

should ensure that the table sometests does not exist afterwards, no matter
whether it existed before. 

regards

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240713/ec83ea2e/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1759

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
                 CC|                            |phil at nwl.cc

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Hi,

Recent versions of nftables gained the 'destroy' command to "delete
if
existing". 
An alternative which is compatible to older binaries is to add and delete in a
single transaction.

Cheers, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240715/e3f8f635/attachment.html>