Rule Handle not updated after InsertRule even using Flush. #233

Closed
Bayroom opened this issue Jun 21, 2023 · 4 comments
Comments

@Bayroom

Bayroom commented Jun 21, 2023

I am using nftables.go v1.0.0 and I am trying to prepare a script that uses nftables.
I simply want to add a rule, get that rule's handle and then delete the rule.
Here is my script, which does not behave as wanted:

```go
package main

import (
	"fmt"
	"os"

	"github.com/google/nftables"
	"github.com/google/nftables/expr"
)

func main() {
	nftClient, err := nftables.New()
	if err != nil {
		fmt.Printf("error while initializing nftables connection %+v\n", err)
		os.Exit(1)
	}

	natTable := &nftables.Table{
		Name:   "nat",
		Family: nftables.TableFamilyIPv4,
	}
	nftClient.AddTable(natTable)

	prerouting := &nftables.Chain{
		Name:     "prerouting",
		Table:    natTable,
		Type:     nftables.ChainTypeRoute,
		Hooknum:  nftables.ChainHookOutput,
		Priority: nftables.ChainPriorityNATDest,
	}
	nftClient.AddChain(prerouting)

	myRule := &nftables.Rule{
		Table: natTable,
		Chain: prerouting,
		Exprs: []expr.Any{
			&expr.Verdict{
				Kind: expr.VerdictAccept,
			},
		},
	}

	// Queue the rule, then commit table, chain and rule to the kernel in one batch.
	nftClient.InsertRule(myRule)
	if err := nftClient.Flush(); err != nil {
		fmt.Println("error while flushing", err)
		os.Exit(1)
	}

	rules, err := nftClient.GetRules(natTable, prerouting)
	if err != nil {
		fmt.Println("error while reading rules", err)
		os.Exit(1)
	}

	for i, r := range rules {
		fmt.Println("Index, handle", i, r.Handle)
	}

	// This delete works just fine
	// #################################
	// nftClient.DelRule(&nftables.Rule{
	// 	Table:  natTable,
	// 	Chain:  prerouting,
	// 	Handle: rules[0].Handle,
	// })

	// Reported problem: myRule.Handle is still 0 after Flush, so this delete
	// does not target the rule that was just inserted.
	if err := nftClient.DelRule(&nftables.Rule{
		Table:  natTable,
		Chain:  prerouting,
		Handle: myRule.Handle,
	}); err != nil {
		fmt.Println("error while queueing delete", err)
		os.Exit(1)
	}

	if err := nftClient.Flush(); err != nil {
		fmt.Println("error while deleting rule", err)
		os.Exit(1)
	}

	fmt.Println("Deletion executed")

	rulesAfter, err := nftClient.GetRules(natTable, prerouting)
	if err != nil {
		fmt.Println("error while reading rules", err)
		os.Exit(1)
	}

	for i, r := range rulesAfter {
		fmt.Println("Index, handle", i, r.Handle)
	}
}
```

I am sorry if this is a duplicate, but the other issues did not help me.

@stapelberg
Collaborator

> I am using nftables.go v1.0.0

That tag does not exist. You mean v0.1.0, I assume.

Can you check whether upgrading to main helps?

@Bayroom
Author

Bayroom commented Jun 21, 2023

> That tag does not exist. You mean v0.1.0, I assume.
>
> Can you check whether upgrading to main helps?

Yes, my bad, I meant v0.1.0. And no, upgrading to main does not help:

github.com/google/nftables v0.1.1-0.20230614181015-8f2d395e1089

Also, what I think is a real problem is that when I Flush a rule, the Handle of the rule stays 0 and never gets the real handle of the rule.

@stapelberg
Collaborator

Oh, now I see what you mean.

InsertRule serializes the provided rule into a buffer and Flush sends that buffer to nftables. The provided rule is neither retained nor updated. I don’t know off the top of my head if the nftables acknowledgement contains enough data to fill in ids at all, but it’s at least not currently implemented.

So, yes, you’ll need to do a GetRule to obtain a handle you can use for deletion.
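The lookup step described above, written out as an added example (this is not code from the issue or from google/nftables). It assumes the caller tags the rule through the Rule's UserData field before InsertRule (the nftables userdata attribute, which the kernel returns unchanged in a rule listing) and finds the handle by that tag after GetRules. ruleRef, tagFor and selectHandle are names chosen for this example, not library API; ruleRef is a stand-in for the two nftables.Rule fields the lookup reads, so the block runs without netlink access, and the listing in main is constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ruleRef is a local stand-in used by this example (an assumption, not a type
// from github.com/google/nftables). It carries the two fields of nftables.Rule
// that the lookup needs: the kernel-assigned Handle and the UserData bytes.
// In real code, fill one ruleRef per *nftables.Rule returned by Conn.GetRules.
type ruleRef struct {
	Handle   uint64
	UserData []byte
}

// tagFor builds the UserData value to attach to a rule before InsertRule or
// AddRule. A fixed owner prefix keeps tags from colliding with userdata written
// by other tools that manage the same chain.
func tagFor(owner, name string) []byte {
	return []byte(owner + ":" + name)
}

// selectHandle returns the handle of the single rule in listing whose UserData
// equals tag. It fails closed: no match, more than one match, or a zero handle
// (the Go zero value, meaning the rule was never read back from the kernel)
// all return an error instead of a guess, so a caller never deletes the wrong
// rule.
func selectHandle(listing []ruleRef, tag []byte) (uint64, error) {
	var found []uint64
	for _, r := range listing {
		if bytes.Equal(r.UserData, tag) {
			found = append(found, r.Handle)
		}
	}
	switch len(found) {
	case 0:
		return 0, fmt.Errorf("no rule tagged %q in chain", tag)
	case 1:
		if found[0] == 0 {
			return 0, errors.New("tagged rule has handle 0; listing did not come from GetRules after Flush")
		}
		return found[0], nil
	default:
		return 0, fmt.Errorf("%d rules tagged %q in chain; refusing to pick one", len(found), tag)
	}
}

// The sequence against a live kernel (not run here; needs CAP_NET_ADMIN):
//
//	tag := tagFor("myapp", "accept-all")
//	conn.InsertRule(&nftables.Rule{Table: t, Chain: c, Exprs: exprs, UserData: tag})
//	if err := conn.Flush(); err != nil { ... }
//	rules, err := conn.GetRules(t, c)          // handles are only available here
//	listing := make([]ruleRef, len(rules))
//	for i, r := range rules { listing[i] = ruleRef{Handle: r.Handle, UserData: r.UserData} }
//	h, err := selectHandle(listing, tag)
//	conn.DelRule(&nftables.Rule{Table: t, Chain: c, Handle: h})
//	if err := conn.Flush(); err != nil { ... }

func main() {
	// Constructed listing standing in for what GetRules would return: our own
	// rule, a rule from another tool, and a rule added by hand with no userdata.
	listing := []ruleRef{
		{Handle: 12, UserData: tagFor("myapp", "accept-all")},
		{Handle: 3, UserData: tagFor("othertool", "dnat-web")},
		{Handle: 5, UserData: nil},
	}
	h, err := selectHandle(listing, tagFor("myapp", "accept-all"))
	fmt.Println("handle:", h, "err:", err)

	// Ambiguous case: the same tag twice, for instance after running the
	// program twice without its delete. The lookup refuses rather than guesses.
	listing = append(listing, ruleRef{Handle: 14, UserData: tagFor("myapp", "accept-all")})
	_, err = selectHandle(listing, tagFor("myapp", "accept-all"))
	fmt.Println("duplicate tag err:", err)
}
```

Matching on a tag rather than on rules[0] keeps the delete correct if another process inserted a rule at the head of the chain between the Flush and the GetRules, and the duplicate check catches a rule left behind by an earlier run that stopped before its delete.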

@Bayroom
Author

Bayroom commented Jun 22, 2023

Thank you. I am closing this issue

@Bayroom Bayroom closed this as completed Jun 22, 2023