Manage netfilter updates instead of deleting a table and applying a new table

[nerdalert]

Currently if a security group rule gets updated, the old table is deleted and the new table is applied. This leaves a small gap in coverage and runs the risk of a failed table application of the new tules.

Some thoughts:

• I could argue if rules don't successfully get applied nexd should exit.
• An easy solution is to apply the new rules in a table under with a new table name before deleting the old table.
• One issue is the summarization that can take place by nftables. Let's say two rules overlap, only one rule will get applied. I'm sure there is a way to reconcile it but may be easier via netfilter/netlink which is pretty involved.

[russellb]

I could argue if rules don't successfully get applied nexd should exit.

If it exits, then it prevents it from having a chance to recover by continuing to attempt to reconcile. Maybe you mean take down the wireguard interface? That might make sense. If security policy has been specified but we can’t apply it, we could decide it’s better to allow no traffic than to allow all traffic, including the parts that should be blocked.