Current system:
- Distribution: Ubuntu 20.04
- Kernel: 5.4.0-124-generic
- nft: nftables v0.9.3 (Topsy)
I'm a beginner learning nftables, and this is my current nft ruleset:
$sudo nft list ruleset taxmd-dh016d-02: Wed Sep 21 12:09:08 2022
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
ip daddr 192.168.0.1 drop
}
}
I want to remove ip daddr 192.168.0.1 drop from the output chain. I tried the following:
sudo nft del rule inet filter output ip daddr 192.168.0.1 drop
sudo nft delete rule inet filter output ip daddr
sudo nft 'delete element ip daddr 192.168.0.1 drop'
sudo nft 'delete element ip'
sudo nft delete rule filter output ip daddr 192.168.0.1 drop
But nothing works, and I keep getting this error:
Error: syntax error, unexpected inet
delete inet filter chain output ip daddr 192.168.0.1 drop
^^^^
Why can't I delete a specific element? I thought this would be simple, but I'm missing something.
Answer 1
The wiki says that what you are trying has not been implemented yet: you have to get the handle in order to delete a rule. The example is:
$ sudo nft -a list table inet filter
table inet filter {
...
chain output {
type filter hook output priority 0;
ip daddr 192.168.1.1 counter packets 1 bytes 84 # handle 5
}
}
-a shows the assigned handle "5" as a comment, so you can run:
$ sudo nft delete rule filter output handle 5
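The handle lookup the answer describes, as an added example that is not part of the original question or answer: a small POSIX sh helper that parses `nft -a` output for the questioner's inet filter/output chain, finds the handle of an exact rule, and builds the delete command (the sample listing and its handle numbers are constructed for this example).

```shell
#!/bin/sh
# Added example, not from the original post: locate the handle that `nft -a`
# prints for a rule, then build the matching delete command.
# Assumes the question's table "inet filter" and chain "output".

# Constructed sample of `sudo nft -a list chain inet filter output`;
# the handle numbers are made up for this example.
SAMPLE_LISTING='table inet filter {
    chain output {
        type filter hook output priority filter; policy accept;
        ip daddr 192.168.0.1 drop # handle 4
        ip daddr 10.0.0.5 counter packets 0 bytes 0 accept # handle 7
    }
}'

# rule_handle LISTING RULE -> prints the handle of the line whose rule text
# (everything before "# handle") is exactly RULE; prints nothing if absent.
rule_handle() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # strip indentation
        case $line in
            "$2 # handle "*) printf '%s\n' "${line##*handle }"; break ;;
        esac
    done
}

# delete_rule_cmd FAMILY TABLE CHAIN HANDLE -> the nft command that deletes
# that rule. Give the family explicitly: without it nft assumes "ip", which
# does not match a table created as "inet filter".
delete_rule_cmd() {
    printf 'nft delete rule %s %s %s handle %s\n' "$1" "$2" "$3" "$4"
}

# Dry run against the constructed sample: prints the command, runs nothing.
h=$(rule_handle "$SAMPLE_LISTING" 'ip daddr 192.168.0.1 drop')
[ -n "$h" ] && delete_rule_cmd inet filter output "$h"

# Live use on the questioner's host (needs root):
#   h=$(rule_handle "$(sudo nft -a list chain inet filter output)" 'ip daddr 192.168.0.1 drop')
#   [ -n "$h" ] && sudo $(delete_rule_cmd inet filter output "$h")
```

Re-run the listing after every deletion, since handles are only stable within one listing and the exact rule text must match what nft prints (including any counter fields).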