From 0173cc75f99d0f589c91b26a752d9f2b558bff25 Mon Sep 17 00:00:00 2001
From: ange <ange@yw5n.com>
Date: Wed, 18 Jun 2025 08:45:58 +0000
Subject: [PATCH] feat: nftables atomic update

---
 lib.sh            | 31 ++++++++++++++++---------------
 startnat.sh       | 25 ++++++++++---------------
 w11iotltsc/run.sh |  2 +-
 3 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/lib.sh b/lib.sh
index 57f211b..ebe2d18 100644
--- a/lib.sh
+++ b/lib.sh
@@ -54,20 +54,21 @@ qemu() {
     local net; net="$(_getnet)"
 
     (set -x
-        qemu-system-x86_64 -accel kvm \
-            -monitor stdio \
-            -M q35 \
-            -bios /usr/share/edk2/x64/OVMF.4m.fd \
-            -cpu host \
-            -m "$ram,maxmem=$maxram" \
-            -vga virtio \
-            -audio pipewire,model=hda \
-            -drive if=virtio,file=hda.qcow2 \
-            -nic "model=virtio-net-pci,type=$net" \
-            -device qemu-xhci \
-            -object "memory-backend-ram,id=mem,size=$ram,share=on" \
-            -numa node,memdev=mem \
-            "${OPTS[@]}" \
-            "$@"
+    qemu-system-x86_64 \
+        -accel   kvm \
+        -M       q35 \
+        -bios    /usr/share/edk2/x64/OVMF.4m.fd \
+        -monitor stdio \
+        -cpu     host \
+        -m       "$ram,maxmem=$maxram" \
+        -vga     virtio \
+        -audio   pipewire,model=hda \
+        -nic     "model=virtio-net-pci,type=$net" \
+        -device  qemu-xhci \
+        -object  "memory-backend-ram,id=mem,size=$ram,share=on" \
+        -numa    node,memdev=mem \
+        -drive   if=virtio,file=hda.qcow2 \
+        "${OPTS[@]}" \
+        "$@"
     )
 }
diff --git a/startnat.sh b/startnat.sh
index 8238374..c8171d6 100755
--- a/startnat.sh
+++ b/startnat.sh
@@ -2,17 +2,14 @@
 DIR="$(dirname "${BASH_SOURCE[0]}")"
 
 fix_nft_drops() {
-    local j h chain
+    local j s='"add chain \(.family) \(.table) \(.name) { policy \(.policy); }"'
 
-    : > "$DIR/restore-nft.conf"
+    if [ -f "$DIR/restore-nft.conf" ]; then
+        nft -f "$DIR/restore-nft.conf"
+    fi
     j="$(nft -j list chains | jq '.[][].chain | select(.policy == "drop")')"
-    while read -r h; do
-        mapfile -t chain < <(jq -r "select(.policy != \"accept\" and .hook == \"$h\") | .family,.table,.name,.policy" <<< "$j")
-        if [ -n "${chain[0]}" ]; then
-            nft add chain "${chain[0]}" "${chain[1]}" "${chain[2]}" '{ policy accept; }'
-            echo "add chain ${chain[0]} ${chain[1]} ${chain[2]} { policy ${chain[3]}; }" >> "$DIR/restore-nft.conf"
-        fi
-    done < <(nft -j list chains | jq -r '.[][].chain | select(.table == "qemu") | .hook')
+    jq -r ".policy=\"accept\" | $s" <<< "$j"
+    jq -r "$s" <<< "$j" > "$DIR/restore-nft.conf"
 }
 
 command -V dnsmasq > /dev/null
@@ -36,15 +33,15 @@ ip address flush dev "$BRIDGE"
 ip address add 192.168.123.1/24 dev "$BRIDGE"
 
 nft -f- <<EOF
-destroy table ip qemu;
-table ip qemu {
+$(fix_nft_drops)
+destroy table ip qemu; table ip qemu {
 	chain input {
 		type filter hook input priority filter; policy accept;
-		iifname "$BRIDGE" counter
+		iifname "$BRIDGE" counter accept
 	}
 	chain forward {
 		type filter hook forward priority filter; policy accept;
-		iifname "$BRIDGE" counter
+		iifname "$BRIDGE" counter accept
 	}
 	chain postrouting {
 		type nat hook postrouting priority srcnat; policy accept;
@@ -53,8 +50,6 @@ table ip qemu {
 }
 EOF
 
-fix_nft_drops
-
 if ! pidof dnsmasq | grep -q "$(cat /var/run/dnsmasq-virbr0.pid)"; then
     dnsmasq -z \
         -i "$BRIDGE" \
diff --git a/w11iotltsc/run.sh b/w11iotltsc/run.sh
index 6d93cdb..8cc9e04 100755
--- a/w11iotltsc/run.sh
+++ b/w11iotltsc/run.sh
@@ -9,7 +9,7 @@ ISO=(
 )
 
 if ! [ -f hda.qcow2 ]; then
-    qemu-img create -f qcow2 hda.qcow2 40G
+    qemu-img create -f qcow2 hda.qcow2 64G
     download_isos
 fi