Open nerdalert opened 1 year ago
I could argue if rules don't successfully get applied, nexd should exit.
If it exits, then it prevents it from having a chance to recover by continuing to attempt to reconcile. Maybe you mean take down the WireGuard interface? That might make sense. If security policy has been specified but we can't apply it, we could decide it's better to allow no traffic than to allow all traffic, including the parts that should be blocked.
Currently, if a security group rule gets updated, the old table is deleted and the new table is applied. This leaves a small gap in coverage and runs the risk of a failed table application of the new rules.
Some thoughts:
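As an added illustration of the two points raised above (the delete-then-apply gap, and failing closed when the new rules cannot be applied), here is a small Go example. It is not nexd's code; the table name `nexd_example`, the interface name `wg0`, the `Rule` struct and the hook layout are assumptions for the example. It relies on one property of the `nft -f` command: the whole script is parsed and validated before anything is committed, so putting the flush and the new definition in one script closes the gap, and a bad script leaves the previous table untouched.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
)

// Rule is a hypothetical minimal security-group rule (assumption, not nexd's type).
type Rule struct {
	Proto string // "tcp" or "udp"
	Port  int
	From  string // source CIDR allowed to reach Port over the tunnel
}

// Table and interface names are assumptions for this example.
const (
	tableName = "nexd_example"
	wgIface   = "wg0"
)

// BuildRuleset renders one nft script that replaces the table atomically:
// declare the table (a no-op if it already exists), flush it, and redefine it,
// all in the same script so nft commits everything or nothing. With no rules
// the result is a fail-closed table: only established replies cross the tunnel.
func BuildRuleset(rules []Rule) string {
	var b strings.Builder
	fmt.Fprintf(&b, "table inet %s {}\n", tableName)
	fmt.Fprintf(&b, "flush table inet %s\n", tableName)
	fmt.Fprintf(&b, "table inet %s {\n", tableName)
	fmt.Fprintf(&b, "\tchain input {\n")
	fmt.Fprintf(&b, "\t\ttype filter hook input priority 0; policy drop;\n")
	// Only traffic arriving over the tunnel is subject to the security group.
	fmt.Fprintf(&b, "\t\tiifname != %q accept\n", wgIface)
	fmt.Fprintf(&b, "\t\tct state established,related accept\n")
	for _, r := range rules {
		fmt.Fprintf(&b, "\t\tiifname %q ip saddr %s %s dport %d accept\n",
			wgIface, r.From, r.Proto, r.Port)
	}
	fmt.Fprintf(&b, "\t}\n}\n")
	return b.String()
}

// Apply feeds the script to nft on stdin. A parse or validation error makes
// nft reject the whole script, so the previously loaded table stays in place;
// there is no window with the old table gone and the new one not yet loaded.
func Apply(ruleset string) error {
	cmd := exec.Command("nft", "-f", "-")
	cmd.Stdin = strings.NewReader(ruleset)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("nft -f failed, previous ruleset kept: %v: %s", err, stderr.String())
	}
	return nil
}

// Reconcile applies the desired rules. If that fails it installs the
// fail-closed table (no tunnel traffic) rather than leaving whatever was
// loaded before, and returns the original error so the caller keeps retrying
// instead of exiting.
func Reconcile(rules []Rule) error {
	err := Apply(BuildRuleset(rules))
	if err == nil {
		return nil
	}
	if ferr := Apply(BuildRuleset(nil)); ferr != nil {
		return fmt.Errorf("%w; fail-closed fallback also failed: %v", err, ferr)
	}
	return err
}

func main() {
	rules := []Rule{{Proto: "tcp", Port: 22, From: "100.64.0.0/10"}} // constructed sample
	fmt.Print(BuildRuleset(rules))
	if err := Reconcile(rules); err != nil {
		fmt.Println("reconcile:", err)
	}
}
```

Running `main` prints the generated script and then tries to load it, which needs root and the `nft` binary; `nft -c -f -` accepts the same script as a dry run if you want to validate before committing.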