I'm managing a number of hosts that rely on nft to manage the firewall. I need to insert a rule at the top of the INPUT chain on these hosts. Under iptables, this would be as simple as running, on every host:

iptables -I INPUT 1 ...

But nft relies on "handles" to insert a rule at a given position, which is fine when working on a single host, but complicates the process when managing multiple hosts, because there's no guarantee that handles match across hosts.

For example, right now, at the beginning of the INPUT chain on two different hosts, I have on one host:
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
iifname "ovn-k8s-gw0" counter packets 977422 bytes 167040650 accept # handle 11
And on the other:
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
iifname "ovn-k8s-gw0" counter packets 55820 bytes 6735009 accept # handle 12
Note that the first rule on one host is handle 11 and on the other it's 12.
I guess I could get the handle of the first rule with something like...

nft list chain filter INPUT -n -a | sed -n 4p | awk '{print $NF}'

...but that smells bad. Is there a way to instruct nft to insert a rule by absolute position rather than by handle?
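nft's own insert command covers the top-of-chain case without any handle: "nft insert rule" given no handle prepends the rule to the chain, and "nft insert rule ... handle N" inserts before the rule with handle N. The following shell helpers are an added example, not code from the question above; they wrap those two forms and, for the cases where a handle really is required, parse "nft -a list chain" output to find the first rule's handle without hard-coding a line number. The ip family, the "filter"/"INPUT" names, the placeholder rule "iifname lo accept" and the sample listing are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original question.
# Assumptions: ip family, table "filter", chain "INPUT", a placeholder rule
# "iifname lo accept", and a constructed `nft -a list chain` listing.

NFT="${NFT:-nft}"   # set NFT=echo to print the command instead of running it

# Prepend RULE to CHAIN: `nft insert rule` with no handle places the rule
# first, so no per-host handle lookup is needed.
# Usage: insert_at_top FAMILY TABLE CHAIN RULE...
insert_at_top() {
    family=$1 table=$2 chain=$3
    shift 3
    "$NFT" insert rule "$family" "$table" "$chain" "$@"
}

# Insert RULE before the rule whose handle is HANDLE (only needed when the
# target position is somewhere other than the top of the chain).
# Usage: insert_before_handle FAMILY TABLE CHAIN HANDLE RULE...
insert_before_handle() {
    family=$1 table=$2 chain=$3 handle=$4
    shift 4
    "$NFT" insert rule "$family" "$table" "$chain" handle "$handle" "$@"
}

# Read `nft -a list chain ...` output on stdin and print the handle of the
# first rule in the chain. The table line and the chain header also end in
# "# handle N", so only lines after the chain header, excluding the
# "type ... hook ..." line, are considered; the first match wins.
first_rule_handle() {
    awk '
        /^[[:space:]]*chain /                  { in_chain = 1; next }
        in_chain && /^[[:space:]]*type /       { next }
        in_chain && /# handle [0-9]+$/         { print $NF; exit }
    '
}

# Constructed sample of `nft -a list chain ip filter INPUT` on one host.
SAMPLE_LISTING='table ip filter { # handle 2
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        iifname "ovn-k8s-gw0" counter packets 977422 bytes 167040650 accept # handle 11
        ct state established,related accept # handle 13
    }
}'

# Demonstration: handle lookup on the sample, then a dry run of the insert.
printf 'first rule handle: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | first_rule_handle)"
(NFT=echo; insert_at_top ip filter INPUT iifname lo accept)
```

Because the handle lookup runs inside awk rather than relying on a fixed line number, it gives the same answer whether the first rule is handle 11 on one host or 12 on another; for the plain "top of INPUT" requirement, though, insert_at_top alone is enough and the lookup is unnecessary.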