FS#43401 - [nftables] Flush using ruleset

Attached to Project: Arch Linux
Opened by nfnty (nfnty) - Saturday, 10 January 2015, 13:16 GMT
Last edited by Sébastien Luttringer (seblu) - Tuesday, 17 February 2015, 00:32 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Very Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The ExecStop line and the nftables-flush script can be replaced with:

ExecStop=/usr/bin/nft flush ruleset

http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level

Closed by  Sébastien Luttringer (seblu)
Tuesday, 17 February 2015, 00:32 GMT
Reason for closing:  Implemented
Comment by nfnty (nfnty) - Saturday, 10 January 2015, 13:24 GMT
May want to hold this for a while. linux-grsec kernel is crashing when flushing.
Comment by Sébastien Luttringer (seblu) - Monday, 12 January 2015, 10:55 GMT
"nft list ruleset" is working on <=3.18 kernels, whereas "nft flush ruleset" requires at least a 3.18 kernel.

All tests I made on 3.18.0 were successful; maybe the grsec hardening patch causes the crash.

3.18 is still in testing, so I will wait for it to reach core before improving this.
Comment by nfnty (nfnty) - Friday, 16 January 2015, 15:34 GMT
The kernel bug is present in linux 3.18.2-2 and linux-grsec 3.18.2.201501142325-1

Attached log from linux 3.18.2-2: bug.log (4.7 KiB)
Comment by nfnty (nfnty) - Friday, 16 January 2015, 15:50 GMT
Comment by nfnty (nfnty) - Sunday, 18 January 2015, 15:11 GMT
A fix is coming in 3.19.

Also, an ExecReload rule should be added for atomic reloading with the following:

ExecReload=/usr/bin/nft -f /usr/lib/systemd/scripts/nftables-reload

Attached nftables-reload.
Comment by Sébastien Luttringer (seblu) - Sunday, 18 January 2015, 15:35 GMT
What's the difference between the proposed reload and a classic restart?
Comment by nfnty (nfnty) - Sunday, 18 January 2015, 19:56 GMT
The proposed reload is atomic, meaning everything is committed at the same time. Also, all rules are checked before committing; if anything fails, nothing is committed. Restarting, on the other hand, flushes the table, leaving you vulnerable until it starts again, and it may not even start if it fails.

Read more about atomic reloading and iptables here:
http://www.tummy.com/blogs/2010/01/16/iptables-restore-is-in-the-atomic-age/

Someone added a section on the wiki for it:
https://wiki.archlinux.org/index.php/Nftables#Atomic_Reloading
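The thread refers to an attached nftables-reload script without showing its contents. The following is an added example of what such a script looks like; it is not the file nfnty attached and not part of the Arch nftables package. It assumes the main ruleset lives in /etc/nftables.conf; the script path and the ExecReload line are the ones quoted above in the thread.

```nft
#!/usr/bin/nft -f
# Added example of an atomic reload script for the ExecReload line discussed
# in this thread; it is not the nftables-reload file attached to the task.
# Assumed location of the main ruleset: /etc/nftables.conf
#
# nft -f parses this whole file first and then hands it to the kernel as a
# single batch, so the flush and the replacement rules are applied together.
# If any line fails to parse, or the kernel rejects any rule in the batch,
# the whole batch is aborted and the ruleset loaded before the reload stays
# in place; there is no window with an empty ruleset.

# Drop every table, chain and rule of the current ruleset.
# As noted in the thread, "flush ruleset" needs a 3.18 or newer kernel.
flush ruleset

# Load the complete replacement ruleset as part of the same transaction.
include "/etc/nftables.conf"
```

Installed as /usr/lib/systemd/scripts/nftables-reload and wired to `ExecReload=/usr/bin/nft -f /usr/lib/systemd/scripts/nftables-reload`, `systemctl reload nftables` replaces the live ruleset in one step. Compare this with a restart, where ExecStop flushes the ruleset before ExecStart runs: if the new configuration has an error, a restart leaves the host with no rules loaded, while the reload fails and keeps the previous rules active, which is the property the comment above is describing. The same all-or-nothing behaviour also means that a single typo in /etc/nftables.conf blocks the whole reload, so checking the exit status of the reload (or the journal entry systemd records for it) is the right place to detect a rejected ruleset.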
