安全：nftables清空与删除

一，清空一个链下面的规则

清空前:

[root@fedora ~]# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
        chain filter_IN_FedoraWorkstation_allow { # handle 52
                ip6 daddr fe80::/64 udp dport 546 accept # handle 56
                tcp dport 22 accept # handle 57
                udp dport 137 ct helper set "helper-netbios-ns-udp" # handle 59
                udp dport 137 accept # handle 60
                udp dport 138 accept # handle 61
                tcp dport 8081 accept # handle 337
                ip daddr 224.0.0.251 udp dport 5353 accept # handle 62
                ip6 daddr ff02::fb udp dport 5353 accept # handle 63
                udp dport 1025-65535 accept # handle 64
                tcp dport 1025-65535 accept # handle 65
        }
}

清空:

[root@fedora ~]# nft flush chain inet firewalld filter_IN_FedoraWorkstation_allow

清空后:

[root@fedora ~]# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
        chain filter_IN_FedoraWorkstation_allow { # handle 52
        }
}

二，删除一个链

1,删除指定的链firewalld filter_IN_FedoraWorkstation_allow时报错,提示Device or resource busy

[root@fedora ~]# nft delete chain inet firewalld filter_IN_FedoraWorkstation_allow
Error: Could not process rule: Device or resource busy
delete chain inet firewalld filter_IN_FedoraWorkstation_allow
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

因为我们使用的是firewalld的规则，不确定是否firewalld的原因

2, 我们自建一个表和链再测试:

创建表:

[root@fedora ~]# nft add table inet PubTable

查看表:

[root@fedora ~]# nft list table inet PubTable
table inet PubTable {
}

在表下创建链:

[root@fedora ~]# nft add chain inet PubTable pubchain_input '{type filter hook input priority 0; policy accept; }'

查看链:

[root@fedora ~]# nft list chain inet PubTable pubchain_input
table inet PubTable {
        chain pubchain_input {
                type filter hook input priority filter; policy accept;
        }
}

在链下创建规则:

[root@fedora ~]# nft add rule inet PubTable pubchain_input tcp dport 8080 accept

添加规则后再次查看链:

[root@fedora ~]# nft list chain inet PubTable pubchain_input
table inet PubTable {
        chain pubchain_input {
                type filter hook input priority filter; policy accept;
                tcp dport 8080 accept
        }
}

3, 这一次我们测试删除自建的链:

[root@fedora ~]# nft delete chain inet PubTable pubchain_input

删除成功了，我们再次查看链下规则:

因为链已不存在，所以报错:

[root@fedora ~]# nft list chain inet PubTable pubchain_input
Error: No such file or directory
list chain inet PubTable pubchain_input
                         ^^^^^^^^^^^^^^

查看表，表内已空:

[root@fedora ~]# nft list table inet PubTable
table inet PubTable {
}

三，清空一个表下面的规则

清空表内的规则

[root@fedora ~]# nft flush table inet firewalld

清空后查看，规则已被清空:

[root@fedora ~]# nft -a list table inet firewalld
table inet firewalld { # handle 12
        ct helper helper-netbios-ns-udp { # handle 58
                type "netbios-ns" protocol udp
                l3proto ip
        }

        chain mangle_PREROUTING { # handle 1
                type filter hook prerouting priority mangle + 10; policy accept;
        }

        chain mangle_PREROUTING_POLICIES { # handle 2
        }

        chain nat_PREROUTING { # handle 4
                type nat hook prerouting priority dstnat + 10; policy accept;
        }

        chain nat_PREROUTING_POLICIES { # handle 5
        } 
        ...

四，删除一个表

删除表

[root@fedora ~]# nft delete table inet firewalld

再次列出表下规则时已报错，因为表已不存在：

[root@fedora ~]# nft -a list table inet firewalld
Error: No such file or directory
list table inet firewalld
                ^^^^^^^^^

查看规则集时表已不存在:

[root@fedora ~]# nft list ruleset
[root@fedora ~]#