Created attachment 560342
Patch to add atomic updates

Since kernel version 3.18 nftables provides support for flush ruleset, which allows atomic updates like those done by iptables-restore. It also simplifies significantly the way in which rule clears can be done. Also, kernel 3.14 and higher provide the inet table, which allows filtering ipv4 and ipv6 packets at the same time.

Taking this into account, I have rewritten from scratch the nftables.sh file to provide the needed features and have written a new init.d file based on the current one in iptables.sh (and adding any functionality missing on the previous nftables one).

I have also added an option to allow for "secure" shutdown of the nftables service. That is, ensuring the firewall won't just allow all traffic after stopping the service but instead will either block all packets or those coming from new connections.

The enhancements can be found on https://github.com/gentoo/gentoo/pull/10772 or on the attached patch.
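The two mechanisms described in the comment above, atomic replacement via flush ruleset and a "secure" stop that either drops everything or only refuses new connections, as an added POSIX sh example. This is illustrative code written for this page, not the attached patch or Gentoo's init script; the function names, the "drop"/"block-new" mode names and the use of a single inet table named filter are assumptions made here. It assumes the nft CLI and a kernel of 3.18 or later.

```shell
#!/bin/sh
# Added example (not the attached patch): atomic ruleset replacement and a
# "secure" stop for an nftables init script. Function and mode names are
# hypothetical choices made for this example.

# Emit a ruleset that flushes everything and then loads the given file.
# nft -f parses the entire input before committing it, so the kernel swaps
# the old ruleset for the new one in a single transaction: there is no
# window in which the firewall is empty or half-loaded.
build_atomic_ruleset() {
    ruleset_file=$1
    [ -r "$ruleset_file" ] || { echo "cannot read $ruleset_file" >&2; return 1; }
    printf 'flush ruleset\n'
    cat "$ruleset_file"
}

# Emit the ruleset installed by the secure stop.
#   drop      - block all packets in every direction
#   block-new - keep established/related connections, refuse new ones
# An inet table covers IPv4 and IPv6 with one set of rules.
secure_stop_ruleset() {
    mode=$1
    case $mode in
        drop|block-new) ;;
        *) echo "unknown secure stop mode: $mode" >&2; return 1 ;;
    esac
    printf 'flush ruleset\n'
    printf 'table inet filter {\n'
    printf '\tchain input {\n'
    printf '\t\ttype filter hook input priority 0; policy drop;\n'
    printf '\t\tct state invalid drop\n'
    printf '\t\tiif lo accept\n'
    if [ "$mode" = block-new ]; then
        printf '\t\tct state established,related accept\n'
    fi
    printf '\t}\n'
    printf '\tchain forward {\n'
    printf '\t\ttype filter hook forward priority 0; policy drop;\n'
    printf '\t}\n'
    printf '\tchain output {\n'
    if [ "$mode" = drop ]; then
        printf '\t\ttype filter hook output priority 0; policy drop;\n'
    else
        printf '\t\ttype filter hook output priority 0; policy accept;\n'
    fi
    printf '\t}\n'
    printf '}\n'
}

# Feed a generated ruleset to nft from stdin. Returns nft's exit status, or
# 127 without touching the kernel when nft is not installed (e.g. a build host).
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || return 127
    nft -f -
}

# Typical use from an init script's start and stop actions:
#   build_atomic_ruleset /etc/nftables/rules.nft | apply_ruleset
#   secure_stop_ruleset block-new | apply_ruleset
```

Because every generated ruleset begins with flush ruleset, a start, restart or secure stop is always a single atomic swap; with the older per-table flush approach there is a moment where the old rules are gone and the new ones are not yet loaded.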