* [PATCH v5 0/6] doc/netlink: Expand nftables specification
@ 2025-11-20 15:18 Remy D. Farley
2025-11-20 15:18 ` [PATCH v5 1/6] doc/netlink: netlink-raw: Add max check Remy D. Farley
` (5 more replies)
0 siblings, 6 replies; 10+ messages in thread
From: Remy D. Farley @ 2025-11-20 15:18 UTC (permalink / raw)
To: Donald Hunter, Jakub Kicinski, netdev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Phil Sutter, netfilter-devel, coreteam, Remy D. Farley
Getting out some changes I've accumulated while making nftables work
with Rust netlink-bindings. Hopefully, this will be useful upstream.
v5:
- Fix docgen warnings in enums (avoid interleaving strings and attrsets in a list).
- Remove "# defined in ..." comments in favor of explicit "header" tag.
- Split into smaller commits.
v4: https://lore.kernel.org/netdev/cover.1763574466.git.one-d-wide@protonmail.com/
- Move changes to netlink-raw.yaml into a separate commit.
v3: https://lore.kernel.org/netdev/20251009203324.1444367-1-one-d-wide@protonmail.com/
- Fill out missing attributes in each operation (removing todo comments from v1).
- Add missing annotations: dump ops, byte-order, checks.
- Add max check to netlink-raw specification (suggested by Donald Hunter).
- Revert changes to ynl_gen_rst.py.
v2: https://lore.kernel.org/netdev/20251003175510.1074239-1-one-d-wide@protonmail.com/
- Handle empty request/reply attributes in ynl_gen_rst.py script.
v1: https://lore.kernel.org/netdev/20251002184950.1033210-1-one-d-wide@protonmail.com/
- Add missing byte order annotations.
- Fill out attributes in some operations.
- Replace non-existent "name" attribute with todo comment.
- Add some missing sub-messages (and associated attributes).
- Add (copy over) documentation for some attributes / enum entries.
- Add "getcompat" operation.
Remy D. Farley (6):
doc/netlink: netlink-raw: Add max check
doc/netlink: nftables: Add definitions
doc/netlink: nftables: Update attribute sets
doc/netlink: nftables: Add sub-messages
doc/netlink: nftables: Add getcompat operation
doc/netlink: nftables: Fill out operation attributes
Documentation/netlink/netlink-raw.yaml | 11 +-
Documentation/netlink/specs/nftables.yaml | 687 ++++++++++++++++++++--
2 files changed, 647 insertions(+), 51 deletions(-)
--
2.50.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH v5 1/6] doc/netlink: netlink-raw: Add max check
2025-11-20 15:18 [PATCH v5 0/6] doc/netlink: Expand nftables specification Remy D. Farley
@ 2025-11-20 15:18 ` Remy D. Farley
2025-11-21 10:03 ` Donald Hunter
2025-11-20 15:19 ` [PATCH v5 2/6] doc/netlink: nftables: Add definitions Remy D. Farley
` (4 subsequent siblings)
5 siblings, 1 reply; 10+ messages in thread
From: Remy D. Farley @ 2025-11-20 15:18 UTC (permalink / raw)
To: Donald Hunter, Jakub Kicinski, netdev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Phil Sutter, netfilter-devel, coreteam, Remy D. Farley
Suggested-by: Donald Hunter <donald.hunter@gmail.com>
Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
---
Documentation/netlink/netlink-raw.yaml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/Documentation/netlink/netlink-raw.yaml b/Documentation/netlink/netlink-raw.yaml
index 0166a7e4a..dd98dda55 100644
--- a/Documentation/netlink/netlink-raw.yaml
+++ b/Documentation/netlink/netlink-raw.yaml
@@ -19,6 +19,12 @@ $defs:
type: [ string, integer ]
pattern: ^[0-9A-Za-z_-]+( - 1)?$
minimum: 0
+ len-or-limit:
+ # literal int, const name, or limit based on fixed-width type
+ # e.g. u8-min, u16-max, etc.
+ type: [ string, integer ]
+ pattern: ^[0-9A-Za-z_-]+$
+ minimum: 0
# Schema for specs
title: Protocol
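Review bot: `minimum: 0` on the new `len-or-limit` definition rejects a literal negative `min`, which a signed attribute (s8/s16/s32/s64) can legitimately need; lengths are never negative so the constraint fits `len-or-define`, but a value bound is a different thing. Either drop `minimum: 0` here or say in the comment that negative lower bounds must be written in the `s32-min` limit form. The comment also says a "const name" is accepted, but nothing in the pattern distinguishes `u8-max` from a define of the same name, so note which consumer resolves the `<type>-min`/`<type>-max` form.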
@@ -270,7 +276,10 @@ properties:
type: string
min:
description: Min value for an integer attribute.
- type: integer
+ $ref: '#/$defs/len-or-limit'
+ max:
+ description: Max value for an integer attribute.
+ $ref: '#/$defs/len-or-limit'
min-len:
description: Min length for a binary attribute.
$ref: '#/$defs/len-or-define'
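Review bot: the `min`/`max` descriptions still only say "value for an integer attribute", yet the `$ref` now accepts a literal, a define name and the `<type>-min`/`<type>-max` limit form; spell those out in the descriptions (which is what the rendered schema docs show) rather than only in the `$defs` comment above.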
--
2.50.1
* [PATCH v5 2/6] doc/netlink: nftables: Add definitions
2025-11-20 15:18 [PATCH v5 0/6] doc/netlink: Expand nftables specification Remy D. Farley
2025-11-20 15:18 ` [PATCH v5 1/6] doc/netlink: netlink-raw: Add max check Remy D. Farley
@ 2025-11-20 15:19 ` Remy D. Farley
2025-11-21 11:33 ` Donald Hunter
2025-11-20 15:19 ` [PATCH v5 3/6] doc/netlink: nftables: Update attribute sets Remy D. Farley
` (3 subsequent siblings)
5 siblings, 1 reply; 10+ messages in thread
From: Remy D. Farley @ 2025-11-20 15:19 UTC (permalink / raw)
To: Donald Hunter, Jakub Kicinski, netdev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Phil Sutter, netfilter-devel, coreteam, Remy D. Farley
New enums/flags:
- payload-base
- range-ops
- registers
- numgen-types
- log-level
- log-flags
Added missing enumerations:
- bitwise-ops
Annotated with a doc comment:
- bitwise-ops
Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
---
Documentation/netlink/specs/nftables.yaml | 147 +++++++++++++++++++++-
1 file changed, 144 insertions(+), 3 deletions(-)
diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
index cce88819b..e0c25af1d 100644
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -66,9 +66,23 @@ definitions:
name: bitwise-ops
type: enum
entries:
- - bool
- - lshift
- - rshift
+ -
+ name: mask-xor # aka bool (old name)
+ doc: |
+ mask-and-xor operation used to implement NOT, AND, OR and XOR
+ dreg = (sreg & mask) ^ xor
+ with these mask and xor values:
+ mask xor
+ NOT: 1 1
+ OR: ~x x
+ XOR: 1 x
+ AND: x 0
+ # Spinx docutils display warning when interleaving attrsets with strings
+ - name: lshift
+ - name: rshift
+ - name: and
+ - name: or
+ - name: xor
-
name: cmp-ops
type: enum
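Review bot: the mask/xor table in the `doc:` block is emitted as running text by the doc generator, so the NOT/OR/XOR/AND rows collapse into one line; it needs a literal block (`::` plus indentation) or a location that renders preformatted text. Also `Spinx` in the comment should read `Sphinx`, and renaming the `bool` entry to `mask-xor` changes the generated identifier of an existing entry, so state in the commit message that this is intentional (the `# aka bool` comment alone is easy to miss).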
@@ -132,6 +146,12 @@ definitions:
- object
- concat
- expr
+ -
+ name: set-elem-flags
+ type: flags
+ entries:
+ - interval-end
+ - catchall
-
name: lookup-flags
type: flags
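Review bot: `set-elem-flags` is defined here but no hunk in this series attaches it to an attribute via `enum: set-elem-flags`, and it is not listed under "New enums/flags" in the commit message; either annotate the set element flags attribute with it or drop the definition.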
@@ -225,6 +245,127 @@ definitions:
- icmp-unreach
- tcp-rst
- icmpx-unreach
+ -
+ name: reject-inet-code
+ doc: These codes are mapped to real ICMP and ICMPv6 codes.
+ type: enum
+ entries:
+ - icmpx-no-route
+ - icmpx-port-unreach
+ - icmpx-host-unreach
+ - icmpx-admin-prohibited
+ -
+ name: payload-base
+ type: enum
+ entries:
+ - link-layer-header
+ - network-header
+ - transport-header
+ - inner-header
+ - tun-header
+ -
+ name: range-ops
+ doc: Range operator
+ type: enum
+ entries:
+ - eq
+ - neq
+ -
+ name: registers
+ doc: |
+ nf_tables registers.
+ nf_tables used to have five registers: a verdict register and four data
+ registers of size 16. The data registers have been changed to 16 registers
+ of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still
+ map to areas of size 16, the 4 byte registers are addressed using
+ NFT_REG32_00 - NFT_REG32_15.
+ type: enum
+ entries:
+ # Spinx docutils display warning when interleaving attrsets and strings
+ - name: reg-verdict
+ - name: reg-1
+ - name: reg-2
+ - name: reg-3
+ - name: reg-4
+ - name: reg32-00
+ value: 8
+ - name: reg32-01
+ - name: reg32-02
+ - name: reg32-03
+ - name: reg32-04
+ - name: reg32-05
+ - name: reg32-06
+ - name: reg32-07
+ - name: reg32-08
+ - name: reg32-09
+ - name: reg32-10
+ - name: reg32-11
+ - name: reg32-12
+ - name: reg32-13
+ - name: reg32-14
+ - name: reg32-15
+ -
+ name: numgen-types
+ type: enum
+ entries:
+ - incremental
+ - random
+ -
+ name: log-level
+ doc: nf_tables log levels
+ type: enum
+ entries:
+ -
+ name: emerg
+ doc: system is unusable
+ -
+ name: alert
+ doc: action must be taken immediately
+ -
+ name: crit
+ doc: critical conditions
+ -
+ name: err
+ doc: error conditions
+ -
+ name: warning
+ doc: warning conditions
+ -
+ name: notice
+ doc: normal but significant condition
+ -
+ name: info
+ doc: informational
+ -
+ name: debug
+ doc: debug-level messages
+ -
+ name: audit
+ doc: enabling audit logging
+ -
+ name: log-flags
+ doc: nf_tables log flags
+ header: linux/netfilter/nf_log.h
+ type: flags
+ entries:
+ -
+ name: tcpseq
+ doc: Log TCP sequence numbers
+ -
+ name: tcpopt
+ doc: Log TCP options
+ -
+ name: ipopt
+ doc: Log IP options
+ -
+ name: uid
+ doc: Log UID owning local socket
+ -
+ name: nflog
+ doc: Unsupported, don't reuse
+ -
+ name: macdecode
+ doc: Decode MAC header
attribute-sets:
-
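Review bot: `reject-inet-code` is missing from the commit message's list of new enums, and the `Spinx` typo recurs in the `registers` comment. For `registers`, the explicit `value: 8` on `reg32-00` correctly preserves the gap after `reg-4`; the doc text above explains why, so a one-line comment next to the `value:` pointing at it would stop readers from "fixing" the jump.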
--
2.50.1
* [PATCH v5 3/6] doc/netlink: nftables: Update attribute sets
2025-11-20 15:18 [PATCH v5 0/6] doc/netlink: Expand nftables specification Remy D. Farley
2025-11-20 15:18 ` [PATCH v5 1/6] doc/netlink: netlink-raw: Add max check Remy D. Farley
2025-11-20 15:19 ` [PATCH v5 2/6] doc/netlink: nftables: Add definitions Remy D. Farley
@ 2025-11-20 15:19 ` Remy D. Farley
2025-11-20 15:19 ` [PATCH v5 4/6] doc/netlink: nftables: Add sub-messages Remy D. Farley
` (2 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Remy D. Farley @ 2025-11-20 15:19 UTC (permalink / raw)
To: Donald Hunter, Jakub Kicinski, netdev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Phil Sutter, netfilter-devel, coreteam, Remy D. Farley
New attribute sets:
- log-attrs
- numgen-attrs
- range-attrs
- compat-target-attrs
- compat-match-attrs
- compat-attrs
Added missing attributes:
- table-attrs (pad, owner)
- set-attrs (type, count)
Added missing checks:
- range-attrs
- expr-bitwise-attrs
- compat-target-attrs
- compat-match-attrs
- compat-attrs
Annotated with a doc comment or an enum:
- batch-attrs
- verdict-attrs
- expr-payload-attrs
Fixed byte order:
- nft-counter-attrs
- expr-counter-attrs
- rule-compat-attrs
Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
---
Documentation/netlink/specs/nftables.yaml | 208 +++++++++++++++++++++-
1 file changed, 203 insertions(+), 5 deletions(-)
diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
index e0c25af1d..01f44da90 100644
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -369,16 +369,100 @@ definitions:
attribute-sets:
-
- name: empty-attrs
+ name: log-attrs
+ doc: log expression netlink attributes
attributes:
+ # Mentioned in nft_log_init()
-
- name: name
+ name: group
+ doc: netlink group to send messages to
+ type: u16
+ byte-order: big-endian
+ -
+ name: prefix
+ doc: prefix to prepend to log messages
type: string
+ -
+ name: snaplen
+ doc: length of payload to include in netlink message
+ type: u32
+ byte-order: big-endian
+ -
+ name: qthreshold
+ doc: queue threshold
+ type: u16
+ byte-order: big-endian
+ -
+ name: level
+ doc: log level
+ type: u32
+ enum: log-level
+ byte-order: big-endian
+ -
+ name: flags
+ doc: logging flags
+ type: u32
+ enum: log-flags
+ byte-order: big-endian
+ -
+ name: numgen-attrs
+ doc: nf_tables number generator expression netlink attributes
+ attributes:
+ -
+ name: dreg
+ doc: destination register
+ type: u32
+ enum: registers
+ -
+ name: modulus
+ doc: maximum counter value
+ type: u32
+ byte-order: big-endian
+ -
+ name: type
+ doc: operation type
+ type: u32
+ byte-order: big-endian
+ enum: numgen-types
+ -
+ name: offset
+ doc: offset to be added to the counter
+ type: u32
+ byte-order: big-endian
+ -
+ name: range-attrs
+ attributes:
+ # Mentioned in net/netfilter/nft_range.c
+ -
+ name: sreg
+ doc: source register of data to compare
+ type: u32
+ byte-order: big-endian
+ enum: registers
+ -
+ name: op
+ doc: cmp operation
+ type: u32
+ byte-order: big-endian
+ enum: range-ops
+ checks:
+ max: 256
+ -
+ name: from-data
+ doc: data range from
+ type: nest
+ nested-attributes: data-attrs
+ -
+ name: to-data
+ doc: data range to
+ type: nest
+ nested-attributes: data-attrs
-
name: batch-attrs
attributes:
-
name: genid
+ doc: generation ID for this changeset
type: u32
byte-order: big-endian
-
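Review bot: `numgen-attrs`/`dreg` is declared `type: u32`, `enum: registers` without `byte-order: big-endian`, while every other register attribute in this patch (`range-attrs`/`sreg`, `expr-masq-attrs`/`reg-proto-min`, `expr-payload-attrs`/`dreg`) carries it; registers are read from big-endian on the wire, so add it. `range-attrs`/`op` uses `checks: max: 256` where the other enum-valued u32 ops in this patch use `max: 255`; that looks like an off-by-one, check it against the policy in net/netfilter/nft_range.c. Finally, this hunk removes the `empty-attrs` set (with its `name` attribute); confirm no sub-message or operation still references it.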
@@ -405,10 +489,18 @@ attribute-sets:
type: u64
byte-order: big-endian
doc: numeric handle of the table
+ -
+ name: pad
+ type: pad
-
name: userdata
type: binary
doc: user data
+ -
+ name: owner
+ type: u32
+ byte-order: big-endian
+ doc: owner of this table through netlink portID
-
name: chain-attrs
attributes:
@@ -512,9 +604,11 @@ attribute-sets:
-
name: bytes
type: u64
+ byte-order: big-endian
-
name: packets
type: u64
+ byte-order: big-endian
-
name: rule-attrs
attributes:
@@ -584,15 +678,18 @@ attribute-sets:
selector: name
doc: type specific data
-
+ # Mentioned in nft_parse_compat() in net/netfilter/nft_compat.c
name: rule-compat-attrs
attributes:
-
name: proto
- type: binary
+ type: u32
+ byte-order: big-endian
doc: numeric value of the handled protocol
-
name: flags
- type: binary
+ type: u32
+ byte-order: big-endian
doc: bitmask of flags
-
name: set-attrs
@@ -681,6 +778,15 @@ attribute-sets:
type: nest
nested-attributes: set-list-attrs
doc: list of expressions
+ -
+ name: type
+ type: string
+ doc: set backend type
+ -
+ name: count
+ type: u32
+ byte-order: big-endian
+ doc: number of set elements
-
name: set-desc-attrs
attributes:
@@ -934,6 +1040,8 @@ attribute-sets:
type: u32
byte-order: big-endian
enum: bitwise-ops
+ checks:
+ max: 255
-
name: data
type: nest
@@ -970,25 +1078,31 @@ attribute-sets:
attributes:
-
name: code
+ doc: nf_tables verdict
type: u32
byte-order: big-endian
enum: verdict-code
-
name: chain
+ doc: jump target chain name
type: string
-
name: chain-id
+ doc: jump target chain ID
type: u32
+ byte-order: big-endian
-
name: expr-counter-attrs
attributes:
-
name: bytes
type: u64
+ byte-order: big-endian
doc: Number of bytes
-
name: packets
type: u64
+ byte-order: big-endian
doc: Number of packets
-
name: pad
@@ -1056,7 +1170,7 @@ attribute-sets:
type: string
doc: Name of set to use
-
- name: set id
+ name: set-id
type: u32
byte-order: big-endian
doc: ID of set to use
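Review bot: renaming `set id` to `set-id` fixes an invalid attribute name, but it is not mentioned in the commit message and it changes the generated identifier; call it out so spec consumers know the rename is deliberate.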
@@ -1073,6 +1187,25 @@ attribute-sets:
type: u32
byte-order: big-endian
enum: lookup-flags
+ -
+ name: expr-masq-attrs
+ attributes:
+ -
+ name: flags
+ type: u32
+ byte-order: big-endian
+ enum: nat-range-flags
+ enum-as-flags: true
+ -
+ name: reg-proto-min
+ type: u32
+ byte-order: big-endian
+ enum: registers
+ -
+ name: reg-proto-max
+ type: u32
+ byte-order: big-endian
+ enum: registers
-
name: expr-meta-attrs
attributes:
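Review bot: `expr-masq-attrs` is added without appearing under "New attribute sets" in the commit message, and no sub-message in this series maps the `masq` expression to it (patch 4 adds only `match`, `range`, `numgen` and `log`), so the set is unreachable from the spec until that entry is added.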
@@ -1124,37 +1257,49 @@ attribute-sets:
enum-as-flags: true
-
name: expr-payload-attrs
+ doc: nf_tables payload expression netlink attributes
attributes:
-
name: dreg
+ doc: destination register to load data into
type: u32
byte-order: big-endian
+ enum: registers
-
name: base
+ doc: payload base
type: u32
+ enum: payload-base
byte-order: big-endian
-
name: offset
+ doc: payload offset relative to base
type: u32
byte-order: big-endian
-
name: len
+ doc: payload length
type: u32
byte-order: big-endian
-
name: sreg
+ doc: source register to load data from
type: u32
byte-order: big-endian
+ enum: registers
-
name: csum-type
+ doc: checksum type
type: u32
byte-order: big-endian
-
name: csum-offset
+ doc: checksum offset relative to base
type: u32
byte-order: big-endian
-
name: csum-flags
+ doc: checksum flags
type: u32
byte-order: big-endian
-
@@ -1220,6 +1365,59 @@ attribute-sets:
type: u32
byte-order: big-endian
doc: id of object map
+ -
+ name: compat-target-attrs
+ header: linux/netfilter/nf_tables_compat.h
+ attributes:
+ -
+ name: name
+ type: string
+ checks:
+ max-len: 32
+ -
+ name: rev
+ type: u32
+ byte-order: big-endian
+ -
+ name: info
+ type: binary
+ -
+ name: compat-match-attrs
+ header: linux/netfilter/nf_tables_compat.h
+ attributes:
+ -
+ name: name
+ type: string
+ checks:
+ max-len: 32
+ -
+ name: rev
+ type: u32
+ byte-order: big-endian
+ checks:
+ max: 255
+ -
+ name: info
+ type: binary
+ -
+ name: compat-attrs
+ header: linux/netfilter/nf_tables_compat.h
+ attributes:
+ -
+ name: name
+ type: string
+ checks:
+ max-len: 32
+ -
+ name: rev
+ type: u32
+ byte-order: big-endian
+ checks:
+ max: 255
+ -
+ name: type
+ type: u32
+ byte-order: big-endian
sub-messages:
-
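Review bot: `compat-target-attrs`/`rev` lacks the `checks: max: 255` that `compat-match-attrs`/`rev` and `compat-attrs`/`rev` carry; the target and match revisions are parsed the same way, so either the check is missing here or it should go from the others for consistency. The `max-len: 32` on the three `name` attributes should also be checked against the length constant used by the policy; for a NUL-terminated string the policy limit is often one less than the buffer size.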
--
2.50.1
* [PATCH v5 4/6] doc/netlink: nftables: Add sub-messages
2025-11-20 15:18 [PATCH v5 0/6] doc/netlink: Expand nftables specification Remy D. Farley
` (2 preceding siblings ...)
2025-11-20 15:19 ` [PATCH v5 3/6] doc/netlink: nftables: Update attribute sets Remy D. Farley
@ 2025-11-20 15:19 ` Remy D. Farley
2025-11-21 11:40 ` Donald Hunter
2025-11-20 15:19 ` [PATCH v5 5/6] doc/netlink: nftables: Add getcompat operation Remy D. Farley
2025-11-20 15:19 ` [PATCH v5 6/6] doc/netlink: nftables: Fill out operation attributes Remy D. Farley
5 siblings, 1 reply; 10+ messages in thread
From: Remy D. Farley @ 2025-11-20 15:19 UTC (permalink / raw)
To: Donald Hunter, Jakub Kicinski, netdev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Phil Sutter, netfilter-devel, coreteam, Remy D. Farley
New sub-messages:
- match
- range
- numgen
- log
Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
---
Documentation/netlink/specs/nftables.yaml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
index 01f44da90..3cad6f857 100644
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -1471,6 +1471,21 @@ sub-messages:
-
value: tproxy
attribute-set: expr-tproxy-attrs
+ -
+ value: match
+ attribute-set: compat-match-attrs
+ -
+ value: range
+ attribute-set: range-attrs
+ -
+ value: numgen
+ attribute-set: numgen-attrs
+ -
+ value: log
+ attribute-set: log-attrs
+ # There're more sub-messages to go:
+ # grep -A10 nft_expr_type
+ # and look for .name\s*=\s*"..."
-
name: obj-data
formats:
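Review bot: the trailing `# There're more sub-messages to go: grep -A10 nft_expr_type ...` comment is a todo left in the spec; the v3 changelog says todo comments were removed, so either finish the list or move this note to the cover letter. Also, `match` maps to `compat-match-attrs`, but there is no `target` entry for `compat-target-attrs` and no `masq` entry for `expr-masq-attrs` (both added in patch 3), so those sets are dead without a sub-message value.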
--
2.50.1
* [PATCH v5 5/6] doc/netlink: nftables: Add getcompat operation
2025-11-20 15:18 [PATCH v5 0/6] doc/netlink: Expand nftables specification Remy D. Farley
` (3 preceding siblings ...)
2025-11-20 15:19 ` [PATCH v5 4/6] doc/netlink: nftables: Add sub-messages Remy D. Farley
@ 2025-11-20 15:19 ` Remy D. Farley
2025-11-20 15:19 ` [PATCH v5 6/6] doc/netlink: nftables: Fill out operation attributes Remy D. Farley
5 siblings, 0 replies; 10+ messages in thread
From: Remy D. Farley @ 2025-11-20 15:19 UTC (permalink / raw)
To: Donald Hunter, Jakub Kicinski, netdev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Phil Sutter, netfilter-devel, coreteam, Remy D. Farley
Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
---
Documentation/netlink/specs/nftables.yaml | 25 +++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
index 3cad6f857..79a3b9a20 100644
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -1499,6 +1499,31 @@ sub-messages:
operations:
enum-model: directional
list:
+ -
+ # Defined as nfnl_compat_subsys in net/netfilter/nft_compat.c
+ name: getcompat
+ attribute-set: compat-attrs
+ fixed-header: nfgenmsg
+ doc: Get / dump nft_compat info
+ do:
+ request:
+ value: 0xb00
+ attributes:
+ - name
+ - rev
+ - type
+ reply:
+ value: 0xb00
+ attributes:
+ - name
+ - rev
+ - type
+ dump:
+ reply:
+ attributes:
+ - name
+ - rev
+ - type
-
name: batch-begin
doc: Start a batch of operations
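Review bot: the `dump:` block documents a dump reply for `getcompat`; verify that the `nfnl_compat_subsys` callback referenced in the comment actually registers a dump handler and not only a `.call` handler, and drop the block if it does not, otherwise generated clients will emit a dump request the kernel rejects. The `value: 0xb00` for both request and reply is consistent with the compat subsystem id shifted by 8 plus message type 0.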
--
2.50.1
* [PATCH v5 6/6] doc/netlink: nftables: Fill out operation attributes
2025-11-20 15:18 [PATCH v5 0/6] doc/netlink: Expand nftables specification Remy D. Farley
` (4 preceding siblings ...)
2025-11-20 15:19 ` [PATCH v5 5/6] doc/netlink: nftables: Add getcompat operation Remy D. Farley
@ 2025-11-20 15:19 ` Remy D. Farley
5 siblings, 0 replies; 10+ messages in thread
From: Remy D. Farley @ 2025-11-20 15:19 UTC (permalink / raw)
To: Donald Hunter, Jakub Kicinski, netdev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Phil Sutter, netfilter-devel, coreteam, Remy D. Farley
Filled out operation attributes:
- newtable
- gettable
- deltable
- destroytable
- newchain
- getchain
- delchain
- destroychain
- newrule
- getrule
- getrule-reset
- delrule
- destroyrule
- newset
- getset
- delset
- destroyset
- newsetelem
- getsetelem
- getsetelem-reset
- delsetelem
- destroysetelem
- getgen
- newobj
- getobj
- delobj
- destroyobj
- newflowtable
- getflowtable
- delflowtable
- destroyflowtable
Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
---
Documentation/netlink/specs/nftables.yaml | 292 ++++++++++++++++++----
1 file changed, 250 insertions(+), 42 deletions(-)
diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
index 79a3b9a20..136b2502a 100644
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -1557,7 +1557,10 @@ operations:
request:
value: 0xa00
attributes:
+ # Mentioned in nf_tables_newtable()
- name
+ - flags
+ - userdata
-
name: gettable
doc: Get / dump tables.
@@ -1567,11 +1570,21 @@ operations:
request:
value: 0xa01
attributes:
+ # Mentioned in nf_tables_gettable()
- name
reply:
value: 0xa00
- attributes:
+ attributes: &get-table
+ # Mentioned in nf_tables_fill_table_info()
- name
+ - use
+ - handle
+ - flags
+ - owner
+ - userdata
+ dump:
+ reply:
+ attributes: *get-table
-
name: deltable
doc: Delete an existing table.
@@ -1580,8 +1593,10 @@ operations:
do:
request:
value: 0xa02
- attributes:
+ attributes: &del-table
+ # Mentioned in nf_tables_deltable()
- name
+ - handle
-
name: destroytable
doc: |
@@ -1592,8 +1607,7 @@ operations:
do:
request:
value: 0xa1a
- attributes:
- - name
+ attributes: *del-table
-
name: newchain
doc: Create a new chain.
@@ -1603,7 +1617,23 @@ operations:
request:
value: 0xa03
attributes:
+ # Mentioned in nf_tables_newchain()
+ - table
+ - handle
+ - policy
+ - flags
+ # Mentioned in nf_tables_updchain()
+ - hook
- name
+ - counters
+ - policy
+ # Mentioned in nf_tables_addchain()
+ - hook
+ - name
+ - counters
+ - userdata
+ # Mentioned in nft_chain_parse_hook()
+ - type
-
name: getchain
doc: Get / dump chains.
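Review bot: the newchain request lists `policy`, `hook`, `name` and `counters` twice (once under the `nf_tables_updchain()` comment and again under `nf_tables_addchain()`); the attributes list is the set of accepted attributes, so each should appear once. Keep the source-function comments if they help, but dedupe the entries.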
@@ -1613,11 +1643,27 @@ operations:
request:
value: 0xa04
attributes:
+ # Mentioned in nf_tables_getchain()
+ - table
- name
reply:
value: 0xa03
- attributes:
+ attributes: &get-chain
+ # Mentioned in nf_tables_fill_chain_info()
+ - table
- name
+ - handle
+ - hook
+ - policy
+ - type
+ - flags
+ - counters
+ - id
+ - use
+ - userdata
+ dump:
+ reply:
+ attributes: *get-chain
-
name: delchain
doc: Delete an existing chain.
@@ -1626,8 +1672,12 @@ operations:
do:
request:
value: 0xa05
- attributes:
+ attributes: &del-chain
+ # Mentioned in nf_tables_delchain()
+ - table
+ - handle
- name
+ - hook
-
name: destroychain
doc: |
@@ -1638,8 +1688,7 @@ operations:
do:
request:
value: 0xa1b
- attributes:
- - name
+ attributes: *del-chain
-
name: newrule
doc: Create a new rule.
@@ -1649,7 +1698,16 @@ operations:
request:
value: 0xa06
attributes:
- - name
+ # Mentioned in nf_tables_newrule()
+ - table
+ - chain
+ - chain-id
+ - handle
+ - position
+ - position-id
+ - expressions
+ - userdata
+ - compat
-
name: getrule
doc: Get / dump rules.
@@ -1658,12 +1716,30 @@ operations:
do:
request:
value: 0xa07
- attributes:
- - name
+ attributes: &get-rule-request
+ # Mentioned in nf_tables_getrule_single()
+ - table
+ - chain
+ - handle
reply:
value: 0xa06
+ attributes: &get-rule
+ # Mentioned in nf_tables_fill_rule_info()
+ - table
+ - chain
+ - handle
+ - position
+ - expressions
+ - userdata
+ dump:
+ request:
attributes:
- - name
+ # Mentioned in nf_tables_dump_rules_start()
+ - table
+ - chain
+ reply:
+ attributes: *get-rule
+
-
name: getrule-reset
doc: Get / dump rules and reset stateful expressions.
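Review bot: the bare `+` at the end of this hunk inserts a blank line between the getrule entry and the next `-`, which no other operation in the file has; drop it.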
@@ -1672,12 +1748,15 @@ operations:
do:
request:
value: 0xa19
- attributes:
- - name
+ attributes: *get-rule-request
reply:
value: 0xa06
- attributes:
- - name
+ attributes: *get-rule
+ dump:
+ request:
+ attributes: *get-rule-request
+ reply:
+ attributes: *get-rule
-
name: delrule
doc: Delete an existing rule.
@@ -1686,8 +1765,11 @@ operations:
do:
request:
value: 0xa08
- attributes:
- - name
+ attributes: &del-rule
+ - table
+ - chain
+ - handle
+ - id
-
name: destroyrule
doc: |
@@ -1697,8 +1779,7 @@ operations:
do:
request:
value: 0xa1c
- attributes:
- - name
+ attributes: *del-rule
-
name: newset
doc: Create a new set.
@@ -1708,7 +1789,24 @@ operations:
request:
value: 0xa09
attributes:
+ # Mentioned in nf_tables_newset()
+ - table
- name
+ - key-len
+ - id
+ - key-type
+ - key-len
+ - flags
+ - data-type
+ - data-len
+ - obj-type
+ - timeout
+ - gc-interval
+ - policy
+ - desc
+ - table
+ - name
+ - userdata
-
name: getset
doc: Get / dump sets.
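Review bot: `key-len`, `table` and `name` each appear twice in the newset request attributes; dedupe the list, the per-function comments can stay.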
@@ -1718,11 +1816,35 @@ operations:
request:
value: 0xa0a
attributes:
+ # Mentioned in nf_tables_getset()
+ - table
- name
reply:
value: 0xa09
- attributes:
+ attributes: &get-set
+ # Mentioned in nf_tables_fill_set()
+ - table
- name
+ - handle
+ - flags
+ - key-len
+ - key-type
+ - data-type
+ - data-len
+ - obj-type
+ - gc-interval
+ - policy
+ - userdata
+ - desc
+ - expr
+ - expressions
+ dump:
+ request:
+ attributes:
+ # Mentioned in nf_tables_getset()
+ - table
+ reply:
+ attributes: *get-set
-
name: delset
doc: Delete an existing set.
@@ -1731,7 +1853,10 @@ operations:
do:
request:
value: 0xa0b
- attributes:
+ attributes: &del-set
+ # Mentioned in nf_tables_delset()
+ - table
+ - handle
- name
-
name: destroyset
@@ -1742,8 +1867,7 @@ operations:
do:
request:
value: 0xa1d
- attributes:
- - name
+ attributes: *del-set
-
name: newsetelem
doc: Create a new set element.
@@ -1753,7 +1877,11 @@ operations:
request:
value: 0xa0c
attributes:
- - name
+ # Mentioned in nf_tables_newsetelem()
+ - table
+ - set
+ - set-id
+ - elements
-
name: getsetelem
doc: Get / dump set elements.
@@ -1763,11 +1891,27 @@ operations:
request:
value: 0xa0d
attributes:
- - name
+ # Mentioned in nf_tables_getsetelem()
+ - table
+ - set
+ - elements
reply:
value: 0xa0c
attributes:
- - name
+ # Mentioned in nf_tables_fill_setelem_info()
+ - elements
+ dump:
+ request:
+ attributes: &dump-set-request
+ # Mentioned in nft_set_dump_ctx_init()
+ - table
+ - set
+ reply:
+ attributes: &dump-set
+ # Mentioned in nf_tables_dump_set()
+ - table
+ - set
+ - elements
-
name: getsetelem-reset
doc: Get / dump set elements and reset stateful expressions.
@@ -1777,11 +1921,20 @@ operations:
request:
value: 0xa21
attributes:
- - name
+ # Mentioned in nf_tables_getsetelem_reset()
+ - elements
reply:
value: 0xa0c
attributes:
- - name
+ # Mentioned in nf_tables_dumpreset_set()
+ - table
+ - set
+ - elements
+ dump:
+ request:
+ attributes: *dump-set-request
+ reply:
+ attributes: *dump-set
-
name: delsetelem
doc: Delete an existing set element.
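Review bot: the getsetelem-reset do request lists only `elements`, whereas the getsetelem do request lists `table`, `set` and `elements`; the reset handler still has to resolve the set, so `table` and `set` look missing here. The two do replies also disagree (`elements` alone for getsetelem versus `table`/`set`/`elements` here); cross-check `nf_tables_fill_setelem_info()` against `nf_tables_dumpreset_set()` so the two ops document the same wire format where it is the same.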
@@ -1790,8 +1943,11 @@ operations:
do:
request:
value: 0xa0e
- attributes:
- - name
+ attributes: &del-setelem
+ # Mentioned in nf_tables_delsetelem()
+ - table
+ - set
+ - elements
-
name: destroysetelem
doc: Delete an existing set element with destroy semantics.
@@ -1800,8 +1956,7 @@ operations:
do:
request:
value: 0xa1e
- attributes:
- - name
+ attributes: *del-setelem
-
name: getgen
doc: Get / dump rule-set generation.
@@ -1810,12 +1965,16 @@ operations:
do:
request:
value: 0xa10
- attributes:
- - name
reply:
value: 0xa0f
- attributes:
- - name
+ attributes: &get-gen
+ # Mentioned in nf_tables_fill_gen_info()
+ - id
+ - proc-pid
+ - proc-name
+ dump:
+ reply:
+ attributes: *get-gen
-
name: newobj
doc: Create a new stateful object.
@@ -1825,7 +1984,12 @@ operations:
request:
value: 0xa12
attributes:
+ # Mentioned in nf_tables_newobj()
+ - type
- name
+ - data
+ - table
+ - userdata
-
name: getobj
doc: Get / dump stateful objects.
@@ -1835,11 +1999,29 @@ operations:
request:
value: 0xa13
attributes:
+ # Mentioned in nf_tables_getobj_single()
- name
+ - type
+ - table
reply:
value: 0xa12
- attributes:
+ attributes: &obj-info
+ # Mentioned in nf_tables_fill_obj_info()
+ - table
- name
+ - type
+ - handle
+ - use
+ - data
+ - userdata
+ dump:
+ request:
+ attributes:
+ # Mentioned in nf_tables_dump_obj_start()
+ - table
+ - type
+ reply:
+ attributes: *obj-info
-
name: delobj
doc: Delete an existing stateful object.
@@ -1849,7 +2031,11 @@ operations:
request:
value: 0xa14
attributes:
+ # Mentioned in nf_tables_delobj()
+ - table
- name
+ - type
+ - handle
-
name: destroyobj
doc: Delete an existing stateful object with destroy semantics.
@@ -1859,7 +2045,11 @@ operations:
request:
value: 0xa1f
attributes:
+ # Mentioned in nf_tables_delobj()
+ - table
- name
+ - type
+ - handle
-
name: newflowtable
doc: Create a new flow table.
@@ -1869,7 +2059,11 @@ operations:
request:
value: 0xa16
attributes:
+ # Mentioned in nf_tables_newflowtable()
+ - table
- name
+ - hook
+ - flags
-
name: getflowtable
doc: Get / dump flow tables.
@@ -1879,11 +2073,22 @@ operations:
request:
value: 0xa17
attributes:
+ # Mentioned in nf_tables_getflowtable()
- name
+ - table
reply:
value: 0xa16
- attributes:
+ attributes: &flowtable-info
+ # Mentioned in nf_tables_fill_flowtable_info()
+ - table
- name
+ - handle
+ - use
+ - flags
+ - hook
+ dump:
+ reply:
+ attributes: *flowtable-info
-
name: delflowtable
doc: Delete an existing flow table.
@@ -1892,8 +2097,12 @@ operations:
do:
request:
value: 0xa18
- attributes:
+ attributes: &del-flowtable
+ # Mentioned in nf_tables_delflowtable()
+ - table
- name
+ - handle
+ - hook
-
name: destroyflowtable
doc: Delete an existing flow table with destroy semantics.
@@ -1902,8 +2111,7 @@ operations:
do:
request:
value: 0xa20
- attributes:
- - name
+ attributes: *del-flowtable
mcast-groups:
list:
--
2.50.1
* Re: [PATCH v5 1/6] doc/netlink: netlink-raw: Add max check
2025-11-20 15:18 ` [PATCH v5 1/6] doc/netlink: netlink-raw: Add max check Remy D. Farley
@ 2025-11-21 10:03 ` Donald Hunter
0 siblings, 0 replies; 10+ messages in thread
From: Donald Hunter @ 2025-11-21 10:03 UTC (permalink / raw)
To: Remy D. Farley
Cc: Jakub Kicinski, netdev, Pablo Neira Ayuso, Jozsef Kadlecsik,
Florian Westphal, Phil Sutter, netfilter-devel, coreteam
"Remy D. Farley" <one-d-wide@protonmail.com> writes:
> Suggested-by: Donald Hunter <donald.hunter@gmail.com>
> Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
Missing description, otherwise, LGTM.
Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
> ---
> Documentation/netlink/netlink-raw.yaml | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/netlink/netlink-raw.yaml b/Documentation/netlink/netlink-raw.yaml
> index 0166a7e4a..dd98dda55 100644
> --- a/Documentation/netlink/netlink-raw.yaml
> +++ b/Documentation/netlink/netlink-raw.yaml
> @@ -19,6 +19,12 @@ $defs:
> type: [ string, integer ]
> pattern: ^[0-9A-Za-z_-]+( - 1)?$
> minimum: 0
> + len-or-limit:
> + # literal int, const name, or limit based on fixed-width type
> + # e.g. u8-min, u16-max, etc.
> + type: [ string, integer ]
> + pattern: ^[0-9A-Za-z_-]+$
> + minimum: 0
>
> # Schema for specs
> title: Protocol
> @@ -270,7 +276,10 @@ properties:
> type: string
> min:
> description: Min value for an integer attribute.
> - type: integer
> + $ref: '#/$defs/len-or-limit'
> + max:
> + description: Max value for an integer attribute.
> + $ref: '#/$defs/len-or-limit'
> min-len:
> description: Min length for a binary attribute.
> $ref: '#/$defs/len-or-define'
* Re: [PATCH v5 2/6] doc/netlink: nftables: Add definitions
2025-11-20 15:19 ` [PATCH v5 2/6] doc/netlink: nftables: Add definitions Remy D. Farley
@ 2025-11-21 11:33 ` Donald Hunter
0 siblings, 0 replies; 10+ messages in thread
From: Donald Hunter @ 2025-11-21 11:33 UTC (permalink / raw)
To: Remy D. Farley
Cc: Jakub Kicinski, netdev, Pablo Neira Ayuso, Jozsef Kadlecsik,
Florian Westphal, Phil Sutter, netfilter-devel, coreteam
"Remy D. Farley" <one-d-wide@protonmail.com> writes:
> New enums/flags:
> - payload-base
> - range-ops
> - registers
> - numgen-types
> - log-level
> - log-flags
>
> Added missing enumerations:
> - bitwise-ops
>
> Annotated with a doc comment:
> - bitwise-ops
>
> Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
> ---
> Documentation/netlink/specs/nftables.yaml | 147 +++++++++++++++++++++-
> 1 file changed, 144 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
> index cce88819b..e0c25af1d 100644
> --- a/Documentation/netlink/specs/nftables.yaml
> +++ b/Documentation/netlink/specs/nftables.yaml
> @@ -66,9 +66,23 @@ definitions:
> name: bitwise-ops
> type: enum
> entries:
> - - bool
> - - lshift
> - - rshift
> + -
> + name: mask-xor # aka bool (old name)
> + doc: |
> + mask-and-xor operation used to implement NOT, AND, OR and XOR
> + dreg = (sreg & mask) ^ xor
> + with these mask and xor values:
> + mask xor
> + NOT: 1 1
> + OR: ~x x
> + XOR: 1 x
> + AND: x 0
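Review bot: renaming the entry from `bool` to `mask-xor` changes the name every spec consumer derives from this enum, and `# aka bool (old name)` is a YAML comment that neither tools nor the rendered docs see; the commit message lists bitwise-ops only under "Added missing enumerations" and "Annotated with a doc comment", so the rename and its reason should be stated there, or the old name kept in the `doc:` text. Separately, the mask/xor table sits under `doc: |` of a single enum entry although it describes the whole expression: `dreg = (sreg & mask) ^ xor` refers to `sreg`, `mask` and `xor`, which are attributes of the bitwise expression, not entries of this enum.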
This does not render acceptably in the HTML docs and it deviates from
the way the text is presented in nf_tables.h - the description makes
sense in the context of the expression defined by expr-bitwise-attrs
which bitwise-ops is part of.
I suggest moving the doc to expr-bitwise-attrs, which has the advantage
that the ynl doc generator already handles preformatted text for attr
sets.
This diff should be sufficient; note the :: and block indentation:
diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
index 136b2502a811..23106a68512f 100644
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -68,15 +68,9 @@ definitions:
entries:
-
name: mask-xor # aka bool (old name)
- doc: |
- mask-and-xor operation used to implement NOT, AND, OR and XOR
- dreg = (sreg & mask) ^ xor
- with these mask and xor values:
- mask xor
- NOT: 1 1
- OR: ~x x
- XOR: 1 x
- AND: x 0
+ doc: >-
+ mask-and-xor operation used to implement NOT, AND, OR and XOR boolean
+ operations
# Spinx docutils display warning when interleaving attrsets with strings
- name: lshift
- name: rshift
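Review bot: the folded scalar `doc: >-` joins `... NOT, AND, OR and XOR boolean` and `operations` with a single space, which is fine, but the context comment `# Spinx docutils display warning when interleaving attrsets with strings` misspells Sphinx; since the neighbouring lines are being rewritten anyway, fix the typo in the same hunk. After this change the entry doc no longer says where the mask/xor semantics live; a short pointer such as "see expr-bitwise-attrs" would keep the enum page self-contained.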
@@ -1014,6 +1008,22 @@ attribute-sets:
nested-attributes: hook-dev-attrs
-
name: expr-bitwise-attrs
+ doc: |
+ The bitwise expression supports boolean and shift operations. It
+ implements the boolean operations by performing the following
+ operation::
+
+ dreg = (sreg & mask) ^ xor
+
+ with these mask and xor values:
+
+ op mask xor
+ ---- ---- ---
+ NOT: 1 1
+ OR: ~x x
+ XOR: 1 x
+ AND: x 0
+
attributes:
-
name: sreg
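Review bot: only the first preformatted block is introduced with `::`; the line `with these mask and xor values:` ends with a single colon, so the `op mask xor` table after it is an ordinary indented paragraph and, in reStructuredText, its column whitespace collapses (or it renders as a block quote) unless the ynl doc generator treats it specially. End that line with `::` as well and keep a blank line before and after the table, as is already done for `dreg = (sreg & mask) ^ xor`. Minor: say what `1` and `x` denote in the mask and xor columns (all bits set versus the operand), so `1` is not read as the integer one.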
* Re: [PATCH v5 4/6] doc/netlink: nftables: Add sub-messages
2025-11-20 15:19 ` [PATCH v5 4/6] doc/netlink: nftables: Add sub-messages Remy D. Farley
@ 2025-11-21 11:40 ` Donald Hunter
From: Donald Hunter @ 2025-11-21 11:40 UTC (permalink / raw)
To: Remy D. Farley
Cc: Jakub Kicinski, netdev, Pablo Neira Ayuso, Jozsef Kadlecsik,
Florian Westphal, Phil Sutter, netfilter-devel, coreteam
"Remy D. Farley" <one-d-wide@protonmail.com> writes:
> New sub-messages:
> - match
> - range
> - numgen
> - log
>
> Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
> ---
> Documentation/netlink/specs/nftables.yaml | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
> index 01f44da90..3cad6f857 100644
> --- a/Documentation/netlink/specs/nftables.yaml
> +++ b/Documentation/netlink/specs/nftables.yaml
> @@ -1471,6 +1471,21 @@ sub-messages:
> -
> value: tproxy
> attribute-set: expr-tproxy-attrs
> + -
> + value: match
> + attribute-set: compat-match-attrs
Prefer to keep the sub-message list sorted please.
> + -
> + value: range
> + attribute-set: range-attrs
> + -
> + value: numgen
> + attribute-set: numgen-attrs
> + -
> + value: log
> + attribute-set: log-attrs
> + # There're more sub-messages to go:
> + # grep -A10 nft_expr_type
> + # and look for .name\s*=\s*"..."
> -
> name: obj-data
> formats:
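Review bot: the trailing `# There're more sub-messages to go:` comment with a `grep` recipe is a TODO left in the spec file; drop it or move it to the cover letter, since a spec that feeds generated docs is not the place for work-in-progress notes. The four entries are appended after `tproxy` in the order match, range, numgen, log rather than sorted (log, match, numgen, range); and `compat-match-attrs` for `match` departs from the `<value>-attrs` naming of the other three, which merits a word in the commit message so readers do not take it for a typo.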
2025-11-20 15:18 [PATCH v5 0/6] doc/netlink: Expand nftables specification Remy D. Farley
2025-11-20 15:18 ` [PATCH v5 1/6] doc/netlink: netlink-raw: Add max check Remy D. Farley
2025-11-21 10:03 ` Donald Hunter
2025-11-20 15:19 ` [PATCH v5 2/6] doc/netlink: nftables: Add definitions Remy D. Farley
2025-11-21 11:33 ` Donald Hunter
2025-11-20 15:19 ` [PATCH v5 3/6] doc/netlink: nftables: Update attribute sets Remy D. Farley
2025-11-20 15:19 ` [PATCH v5 4/6] doc/netlink: nftables: Add sub-messages Remy D. Farley
2025-11-21 11:40 ` Donald Hunter
2025-11-20 15:19 ` [PATCH v5 5/6] doc/netlink: nftables: Add getcompat operation Remy D. Farley
2025-11-20 15:19 ` [PATCH v5 6/6] doc/netlink: nftables: Fill out operation attributes Remy D. Farley