InsideDarkWeb.com

nft vs iptables: inserting a rule at the top of a chain on multiple hosts

I’m managing a number of hosts that rely on nft to manage the firewall. I need to insert a rule at the top of the INPUT chain on these hosts. Under iptables, this would be as simple as running, on every host:

iptables -I INPUT 1 ...

But nft relies on "handles" to insert a rule at a given position, which is fine when working on a single host, but complicates the process when managing multiple hosts, because there’s no guarantee that handles match across hosts.

For example, right now, at the beginning of the INPUT chain on two different hosts, I have on one host:

        chain INPUT { # handle 1
                type filter hook input priority 0; policy accept;
                iifname "ovn-k8s-gw0"  counter packets 977422 bytes 167040650 accept # handle 11

And on the other:

        chain INPUT { # handle 1
                type filter hook input priority 0; policy accept;
                iifname "ovn-k8s-gw0"  counter packets 55820 bytes 6735009 accept # handle 12

Note that the first rule on one host is handle 11 and on the other it’s 12.

I guess I could get the handle of the first rule with something like…

nft list chain filter INPUT -n -a | sed -n 4p | awk '{print $NF}'

…but that smells bad. Is there a way to instruct nft to insert a rule by absolute position rather than by handle?

Server Fault Asked on November 14, 2021

1 Answer

This turned out to be simpler than I thought.

The nft insert rule command will by default insert a rule at the top of the chain if there is no position argument.

Answered by larsks on November 14, 2021
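The behaviour the answer describes, as an added example that is not part of the original question or answer: `nft insert rule` with no `position` prepends, `nft add rule` appends, so the same `insert` command line can be pushed to every host without first reading a handle. The helpers below only build command strings and parse `nft -a list chain` output, so they run without nft or root; the table name `filter`, the `ip` family, the rule being inserted and the two sample listings are constructed to match the question and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Shows the accepted answer in
# practice: `nft insert rule` prepends when no position is given, `nft add rule`
# appends, so one `insert` command works on every host regardless of handle
# numbering. Nothing here touches a live ruleset; pipe the printed commands
# into `sh` on a host to apply them.
set -eu

TABLE=filter   # assumed table name, matching the question's `filter`
CHAIN=INPUT

# Handle-free prepend: identical on every host.
prepend_cmd() {
    printf 'nft insert rule ip %s %s %s\n' "$TABLE" "$CHAIN" "$1"
}

# `add` without a position appends to the end of the chain.
append_cmd() {
    printf 'nft add rule ip %s %s %s\n' "$TABLE" "$CHAIN" "$1"
}

# Handle-based form the question wanted to avoid: inserts before the rule
# whose handle is given. Only correct if the handle was read on that same host.
insert_before_handle_cmd() {
    printf 'nft insert rule ip %s %s position %s %s\n' "$TABLE" "$CHAIN" "$1" "$2"
}

# Read `nft -a list chain ip $TABLE $CHAIN` output from stdin and print the
# handle of the first rule. Skips the table/chain/type lines (table and chain
# carry their own `# handle` comments under -a) instead of relying on
# "line 4" like the sed|awk one-liner in the question. Prints nothing for an
# empty chain, which callers should treat as "use prepend_cmd instead".
first_rule_handle() {
    awk '
        /^[[:space:]]*(table|chain|type)[[:space:]]/ { next }
        /# handle [0-9]+$/ { print $NF; exit }
    '
}

# Constructed sample `nft -a list chain` output from two hosts whose first
# rule has a different handle, as in the question.
SAMPLE_HOST_A='table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        iifname "ovn-k8s-gw0" counter packets 977422 bytes 167040650 accept # handle 11
        ct state established,related counter accept # handle 13
    }
}'
SAMPLE_HOST_B='table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        iifname "ovn-k8s-gw0" counter packets 55820 bytes 6735009 accept # handle 12
        ct state established,related counter accept # handle 14
    }
}'

if [ "${1:-}" = "demo" ]; then
    RULE='ip saddr 192.0.2.0/24 drop'   # constructed rule to place at the top
    echo "# same command on every host:"
    prepend_cmd "$RULE"
    echo "# versus reading a per-host handle first:"
    for sample in "$SAMPLE_HOST_A" "$SAMPLE_HOST_B"; do
        h=$(printf '%s\n' "$sample" | first_rule_handle)
        insert_before_handle_cmd "$h" "$RULE"
    done
fi
```

Run with `sh script.sh demo` to see the two approaches side by side; the handle-based command differs per host (`position 11` versus `position 12`) while the `insert` command is the same everywhere. If you later need a rule at an absolute position other than the top, newer nftables also accepts `index N` (0-based) where `position handle` is written, but check `man nft` on your installed version before relying on it.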


© 2021 InsideDarkWeb.com. All rights reserved.