Re: Document anonymous chain creation

[Phil Sutter <phil@nwl.cc>]

[-- Attachment #1: Type: text/plain, Size: 685 bytes --]

On Wed, Jun 04, 2025 at 03:46:04PM -0000, Folsk Pratima wrote:
> On Wed, 4 Jun 2025 15:52:35 +0200
> Phil Sutter <phil@nwl.cc> wrote:
> >Did you try requesting a user account?
> Frankly, I do not know how.

Oh, indeed. The main page merely states to send "comments" to
netfilter@vger.kernel.org list. I guess you could send diffs to page
source, but it's indeed pretty cumbersome.

Pablo, can we have moderated users? Or was moderation just too much
trouble?

> >you could add the missing documentation to nft man page and submit a
> >patch
> See the attachment.

Thanks! I think we need to update the synopsis as well. What do you
think of my extra (attached) to yours?

Cheers, Phil

[-- Attachment #2: extra.diff --]
[-- Type: text/plain, Size: 1985 bytes --]

diff --git a/doc/statements.txt b/doc/statements.txt
index 79a01384660f6..6d9db011c3fa1 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -3,8 +3,12 @@ VERDICT STATEMENT
 The verdict statement alters control flow in the ruleset and issues policy decisions for packets.
 
 [verse]
+____
 {*accept* | *drop* | *queue* | *continue* | *return*}
-{*jump* | *goto*} 'chain'
+{*jump* | *goto*} 'CHAIN'
+
+'CHAIN' := 'chain_name' | *{* 'statement' ... *}*
+____
 
 *accept* and *drop* are absolute verdicts -- they terminate ruleset evaluation immediately.
 
@@ -26,15 +30,20 @@ resumes with the next base chain hook, not the rule following the queue verdict.
 *return*:: Return from the current chain and continue evaluation at the
  next rule in the last chain. If issued in a base chain, it is equivalent to the
  base chain policy.
-*jump* 'chain':: Continue evaluation at the first rule in 'chain'. The current
+*jump* 'CHAIN':: Continue evaluation at the first rule in 'CHAIN'. The current
  position in the ruleset is pushed to a call stack and evaluation will continue
  there when the new chain is entirely evaluated or a *return* verdict is issued.
  In case an absolute verdict is issued by a rule in the chain, ruleset evaluation
  terminates immediately and the specific action is taken.
-*goto* 'chain':: Similar to *jump*, but the current position is not pushed to the
+*goto* 'CHAIN':: Similar to *jump*, but the current position is not pushed to the
  call stack, meaning that after the new chain evaluation will continue at the last
  chain instead of the one containing the goto statement.
 
+Note that an alternative to specifying the name of an existing, regular chain
+in 'CHAIN' is to specify an anonymous chain ad-hoc. Like with anonymous sets,
+it can't be referenced from another rule and will be removed along with the
+rule containing it.
+
 .Using verdict statements
 -------------------
 # process packets from eth0 and the internal network in from_lan