Server Fault Asked on November 14, 2021
I’m managing a number of hosts that rely on nft to manage the firewall. I need to insert a rule at the top of the INPUT chain on these hosts. Under iptables, this would be as simple as running, on every host:
iptables -I INPUT 1 ...
But nft relies on "handles" to insert a rule at a given position, which is fine when working on a single host, but complicates the process when managing multiple hosts, because there’s no guarantee that handles match across hosts.
For example, right now, at the beginning of the INPUT chain on two different hosts, I have on one host:
chain INPUT { # handle 1
    type filter hook input priority 0; policy accept;
    iifname "ovn-k8s-gw0" counter packets 977422 bytes 167040650 accept # handle 11
And on the other:
chain INPUT { # handle 1
    type filter hook input priority 0; policy accept;
    iifname "ovn-k8s-gw0" counter packets 55820 bytes 6735009 accept # handle 12
Note that the first rule on one host is handle 11 and on the other it’s 12.
I guess I could get the handle of the first rule with something like…
nft list chain filter INPUT -n -a | sed -n 4p | awk '{print $NF}'
…but that smells bad. Is there a way to instruct nft to insert a rule by absolute position rather than by handle?
This turned out to be simpler than I thought.
The nft insert rule command will by default insert a rule at the top of the chain if there is no position argument.
Answered by larsks on November 14, 2021
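The following shell script is an added example and is not code from the question or from larsks's answer. It shows the answer's point (nft insert rule with no position argument lands at the top of the chain, so one identical command works on every host) and, for the cases where a handle really is needed, a handle lookup that parses "nft -a list chain" output instead of picking a fixed line number with sed. The ip family, the filter table, the INPUT chain and the interface name ovn-k8s-gw0 are taken from the question; the helper names (run, insert_at_top, rule_handle_at, insert_at_index), the DRY_RUN switch and SAMPLE_LISTING are assumptions invented for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumptions: ip family, table "filter", chain "INPUT" and interface
# "ovn-k8s-gw0" are taken from the question; the helper names (run,
# insert_at_top, rule_handle_at, insert_at_index), DRY_RUN and the
# constructed SAMPLE_LISTING are invented here.

FAMILY=${FAMILY:-ip}
TABLE=${TABLE:-filter}
CHAIN=${CHAIN:-INPUT}

# Print the command instead of running it when DRY_RUN is set, so a change
# can be reviewed before it is pushed to a fleet (and so this file runs
# without root or nft installed).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The answer's point: with no position/handle argument, "nft insert rule"
# puts the rule at the top of the chain. Nothing host-specific is needed,
# so the identical command is correct on every host.
insert_at_top() {
    run nft insert rule "$FAMILY" "$TABLE" "$CHAIN" "$@"
}

# For an arbitrary position, look the handle up on each host instead of
# hard-coding a line number as "sed -n 4p" does. Reads "nft -a list chain"
# output on stdin and prints the handle of the N-th rule (1-based), or
# nothing if the chain has fewer than N rules. Table and chain header lines
# may also end in "# handle <n>" and are skipped; the "type ... hook" line
# and the closing braces carry no handle.
rule_handle_at() {
    awk -v want="$1" '
        /^[[:space:]]*(table|chain) / { next }
        /# handle [0-9]+[[:space:]]*$/ {
            if (++seen == want) { sub(/.*# handle /, ""); print; exit }
        }
    '
}

# iptables-style "-I CHAIN N": make the new rule the N-th rule.
# "insert ... position H" places the rule before the rule with handle H
# ("add ... position H" would place it after). If the chain has fewer than
# N rules the rule is appended instead.
insert_at_index() {
    want=$1; shift
    handle=$(nft -a list chain "$FAMILY" "$TABLE" "$CHAIN" | rule_handle_at "$want")
    if [ -n "$handle" ]; then
        run nft insert rule "$FAMILY" "$TABLE" "$CHAIN" position "$handle" "$@"
    else
        run nft add rule "$FAMILY" "$TABLE" "$CHAIN" "$@"
    fi
}

# Constructed sample listing shaped like the first host in the question,
# with one extra rule so the index lookup has a second entry to find.
SAMPLE_LISTING='table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        iifname "ovn-k8s-gw0" counter packets 977422 bytes 167040650 accept # handle 11
        ct state established,related counter packets 10 bytes 800 accept # handle 14
    }
}'

# Demonstration (dry run, no nft needed).
printf '%s\n' "$SAMPLE_LISTING" | rule_handle_at 1     # prints 11
printf '%s\n' "$SAMPLE_LISTING" | rule_handle_at 2     # prints 14
( DRY_RUN=1; insert_at_top iifname ovn-k8s-gw0 drop )  # prints the command only
```

Before pushing a rule to many hosts, nft -c (--check) validates a command or file against the running kernel without applying it, which catches syntax and family mismatches per host. Recent nftables releases also accept index N as a position argument to insert/add rule; check man nft for the version installed on the targets before relying on it, since the handle lookup above works on any version that supports -a.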