[PATCH nft 1/3] src: expose table flags

[PATCH nft 1/3] src: expose table flags

[Pablo Neira Ayuso]

The nf_tables kernel API provides a way to disable a table using the
dormant flag. This patch adds the missing code to expose this feature
through nft.

Basically, if you want to disable a table and all its chains from seen
any traffic, you have to type:

 nft add table filter { flags dormant\; }

to re-enable the table, you have to:

 nft add table filter

this clears the flags.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/netlink.h  |    2 +-
 include/rule.h     |    6 ++++++
 src/mnl.c          |    2 ++
 src/netlink.c      |   21 +++++++++++++++++----
 src/parser_bison.y |   13 +++++++++++++
 src/rule.c         |   30 ++++++++++++++++++++++++++++++
 6 files changed, 69 insertions(+), 5 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 4f79470..c1ff9c6 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -108,7 +108,7 @@ extern int netlink_delete_table(struct netlink_ctx *ctx, const struct handle *h,
 extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
 			       const struct location *loc);
 extern int netlink_get_table(struct netlink_ctx *ctx, const struct handle *h,
-			     const struct location *loc);
+			     const struct location *loc, struct table *table);
 extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h,
 			      const struct location *loc);
 extern int netlink_flush_table(struct netlink_ctx *ctx, const struct handle *h,
diff --git a/include/rule.h b/include/rule.h
index 491411e..90836bc 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -63,6 +63,10 @@ extern void symbol_bind(struct scope *scope, const char *identifier,
 extern struct symbol *symbol_lookup(const struct scope *scope,
 				    const char *identifier);
 
+enum table_flags {
+	TABLE_F_DORMANT		= (1 << 0),
+};
+
 /**
  * struct table - nftables table
  *
@@ -71,6 +75,7 @@ extern struct symbol *symbol_lookup(const struct scope *scope,
  * @location:	location the table was defined at
  * @chains:	chains contained in the table
  * @sets:	sets contained in the table
+ * @flags:	table flags
  */
 struct table {
 	struct list_head	list;
@@ -79,6 +84,7 @@ struct table {
 	struct scope		scope;
 	struct list_head	chains;
 	struct list_head	sets;
+	enum table_flags 	flags;
 };
 
 extern struct table *table_alloc(void);
diff --git a/src/mnl.c b/src/mnl.c
index f48ead5..89c2bb5 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -707,6 +707,8 @@ int mnl_nft_table_get(struct mnl_socket *nf_sock, struct nft_table *nlt,
 	nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE,
 					nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FAMILY),
 					NLM_F_ACK, seq);
+	nft_table_nlmsg_build_payload(nlh, nlt);
+
 	return nft_mnl_talk(nf_sock, nlh, nlh->nlmsg_len, table_get_cb, nlt);
 }
 
diff --git a/src/netlink.c b/src/netlink.c
index 84d9d27..8c37ec5 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -800,6 +800,11 @@ static int netlink_add_table_batch(struct netlink_ctx *ctx,
 	int err;
 
 	nlt = alloc_nft_table(h);
+	if (table != NULL)
+		nft_table_attr_set_u32(nlt, NFT_TABLE_ATTR_FLAGS, table->flags);
+	else
+		nft_table_attr_set_u32(nlt, NFT_TABLE_ATTR_FLAGS, 0);
+
 	err = mnl_nft_table_batch_add(nlt, excl ? NLM_F_EXCL : 0,
 				      ctx->seqnum);
 	nft_table_free(nlt);
@@ -887,6 +892,8 @@ static struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
 		nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FAMILY);
 	table->handle.table  =
 		xstrdup(nft_table_attr_get_str(nlt, NFT_TABLE_ATTR_NAME));
+	table->flags	     =
+		nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FLAGS);
 
 	return table;
 }
@@ -923,22 +930,28 @@ int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
 }
 
 int netlink_get_table(struct netlink_ctx *ctx, const struct handle *h,
-		      const struct location *loc)
+		      const struct location *loc, struct table *table)
 {
 	struct nft_table *nlt;
+	struct table *ntable;
 	int err;
 
 	nlt = alloc_nft_table(h);
 	err = mnl_nft_table_get(nf_sock, nlt, 0);
 	nft_table_free(nlt);
 
-	if (err < 0)
+	if (err < 0) {
 		netlink_io_error(ctx, loc,
 				 "Could not receive table from kernel: %s",
 				 strerror(errno));
-	return err;
-}
+		return err;
+	}
 
+	ntable = netlink_delinearize_table(ctx, nlt);
+	table->flags = ntable->flags;
+	xfree(ntable);
+	return 0;
+}
 
 int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h,
 		       const struct location *loc)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index fd2407c..6fc834d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -853,9 +853,22 @@ table_block_alloc	:	/* empty */
 			}
 			;
 
+table_options		:	FLAGS		STRING
+			{
+				if (strcmp($2, "dormant") == 0) {
+					$<table>0->flags = TABLE_F_DORMANT;
+				} else {
+					erec_queue(error(&@2, "unknown table option %s", $2),
+						   state->msgs);
+					YYERROR;
+				}
+			}
+			;
+
 table_block		:	/* empty */	{ $$ = $<table>-1; }
 			|	table_block	common_block
 			|	table_block	stmt_seperator
+			|	table_block	table_options	stmt_seperator
 			|	table_block	CHAIN		chain_identifier
 					chain_block_alloc	'{' 	chain_block	'}'
 					stmt_seperator
diff --git a/src/rule.c b/src/rule.c
index feafe26..3c92589 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -501,6 +501,32 @@ struct table *table_lookup(const struct handle *h)
 	return NULL;
 }
 
+#define TABLE_FLAGS_MAX 1
+
+const char *table_flags_name[TABLE_FLAGS_MAX] = {
+	"dormant",
+};
+
+static void table_print_options(const struct table *table, const char **delim)
+{
+	uint32_t flags = table->flags;
+	int i;
+
+	if (flags) {
+		printf("\tflags ");
+
+		for (i = 0; i < TABLE_FLAGS_MAX; i++) {
+			if (flags & 0x1)
+				printf("%s", table_flags_name[i]);
+			flags >>= 1;
+			if (flags)
+				printf(",");
+		}
+		printf("\n");
+		*delim = "\n";
+	}
+}
+
 static void table_print(const struct table *table)
 {
 	struct chain *chain;
@@ -509,6 +535,8 @@ static void table_print(const struct table *table)
 	const char *family = family2str(table->handle.family);
 
 	printf("table %s %s {\n", family, table->handle.table);
+	table_print_options(table, &delim);
+
 	list_for_each_entry(set, &table->sets, list) {
 		if (set->flags & SET_F_ANONYMOUS)
 			continue;
@@ -778,6 +806,8 @@ static int do_list_table(struct netlink_ctx *ctx, struct cmd *cmd,
 	struct rule *rule, *nrule;
 	struct chain *chain;
 
+	if (netlink_get_table(ctx, &cmd->handle, &cmd->location, table) < 0)
+		goto err;
 	if (do_list_sets(ctx, &cmd->location, table) < 0)
 		goto err;
 	if (netlink_list_chains(ctx, &cmd->handle, &cmd->location) < 0)
-- 
1.7.10.4

[PATCH nft 2/3] parser: allow to reorder chain options

[Pablo Neira Ayuso]

This allows all possible combinations to work:

 nft add chain filter input { type filter hook input priority 0 \; }
 nft add chain filter input { priority 0 type filter hook input \; }

Wrt. error reporting, this also improves interaction with humans a bit:

 # nft add chain filter input { type filter hook input \; }
 <cmdline>:1:24-49: Error: missing chain priority
 add chain filter input { type filter hook input ; }
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^

 # nft add chain filter input { type filter hook input priority 0 hook input \; }
 <cmdline>:1:65-69: Error: you cannot set chain hook twice
 add chain filter input { type filter hook input priority 0 hook input ; }
                                                            ^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/rule.h     |   11 +++++++++++
 src/evaluate.c     |   11 ++++++++++-
 src/parser_bison.y |   54 ++++++++++++++++++++++++++++++++++++----------------
 3 files changed, 59 insertions(+), 17 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index 90836bc..b0ea1ba 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -92,6 +92,15 @@ extern void table_free(struct table *table);
 extern void table_add_hash(struct table *table);
 extern struct table *table_lookup(const struct handle *h);
 
+enum chain_obj_flags {
+	CHAIN_OBJ_F_HOOK	= (1 << 0),
+	CHAIN_OBJ_F_TYPE	= (1 << 1),
+	CHAIN_OBJ_F_PRIO	= (1 << 2),
+	CHAIN_OBJ_F_BASE	= (CHAIN_OBJ_F_HOOK |
+				   CHAIN_OBJ_F_TYPE |
+				   CHAIN_OBJ_F_PRIO),
+};
+
 /**
  * enum chain_flags - chain flags
  *
@@ -112,6 +121,7 @@ enum chain_flags {
  * @hooknum:	hook number (base chains)
  * @priority:	hook priority (base chains)
  * @type:	chain type
+ * @obj_flags:	internal object flags (indicates structure field is set)
  * @rules:	rules contained in the chain
  */
 struct chain {
@@ -123,6 +133,7 @@ struct chain {
 	unsigned int		hooknum;
 	int			priority;
 	const char		*type;
+	uint32_t		obj_flags;
 	struct scope		scope;
 	struct list_head	rules;
 };
diff --git a/src/evaluate.c b/src/evaluate.c
index a3484c6..79c49ae 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1804,7 +1804,16 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 {
 	struct rule *rule;
 
-	if (chain->flags & CHAIN_F_BASECHAIN) {
+	if (chain->flags & CHAIN_OBJ_F_BASE) {
+		if (!(chain->obj_flags & CHAIN_OBJ_F_HOOK))
+			return chain_error(ctx, chain, "missing chain hook");
+		if (!(chain->obj_flags & CHAIN_OBJ_F_PRIO))
+			return chain_error(ctx, chain, "missing chain priority");
+		if (!(chain->obj_flags & CHAIN_OBJ_F_TYPE))
+			return chain_error(ctx, chain, "missing chain type");
+	}
+
+	if (chain->obj_flags & CHAIN_OBJ_F_HOOK) {
 		chain->hooknum = str2hooknum(chain->handle.family,
 					     chain->hookstr);
 		if (chain->hooknum == NF_INET_NUMHOOKS)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 6fc834d..6fa201d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1034,39 +1034,61 @@ type_identifier		:	identifier
 			}
 			;
 
-hook_spec		:	TYPE		STRING		HOOK		STRING		PRIORITY	NUM
+hook_spec		:	hook_options
+			;
+
+hook_options		:	hook_options	hook_option
+			|	hook_option
 			{
-				$<chain>0->type		= chain_type_name_lookup($2);
-				if ($<chain>0->type == NULL) {
-					erec_queue(error(&@2, "unknown chain type %s", $2),
+				$<stmt>$	= $<stmt>0;
+			}
+			;
+
+hook_option		:	TYPE		STRING
+			{
+				if ($<chain>0->flags & CHAIN_OBJ_F_TYPE) {
+					erec_queue(error(&@$, "you cannot set chain type twice"),
 						   state->msgs);
 					YYERROR;
 				}
-				$<chain>0->hookstr	= chain_hookname_lookup($4);
-				if ($<chain>0->hookstr == NULL) {
-					erec_queue(error(&@4, "unknown chain hook %s", $4),
+				$<chain>0->type		= chain_type_name_lookup($2);
+				if ($<chain>0->type == NULL) {
+					erec_queue(error(&@2, "unknown chain type %s", $2),
 						   state->msgs);
 					YYERROR;
 				}
-				$<chain>0->priority	= $6;
-				$<chain>0->flags	|= CHAIN_F_BASECHAIN;
+				$<chain>0->obj_flags	|= CHAIN_OBJ_F_TYPE;
 			}
-			|	TYPE		STRING		HOOK		STRING		PRIORITY	DASH	NUM
+			|	HOOK		STRING
 			{
-				$<chain>0->type		= chain_type_name_lookup($2);
-				if ($<chain>0->type == NULL) {
-					erec_queue(error(&@2, "unknown type name %s", $2),
+				if ($<chain>0->flags & CHAIN_OBJ_F_HOOK) {
+					erec_queue(error(&@$, "you cannot set chain hook twice"),
 						   state->msgs);
 					YYERROR;
 				}
-				$<chain>0->hookstr	= chain_hookname_lookup($4);
+				$<chain>0->hookstr	= chain_hookname_lookup($2);
 				if ($<chain>0->hookstr == NULL) {
-					erec_queue(error(&@4, "unknown hook name %s", $4),
+					erec_queue(error(&@2, "unknown hook name %s", $2),
 						   state->msgs);
 					YYERROR;
 				}
-				$<chain>0->priority	= -$7;
 				$<chain>0->flags	|= CHAIN_F_BASECHAIN;
+				$<chain>0->obj_flags	|= CHAIN_OBJ_F_HOOK;
+			}
+			|	PRIORITY	NUM
+			{
+				if ($<chain>0->flags & CHAIN_OBJ_F_PRIO) {
+					erec_queue(error(&@$, "you cannot set chain priority twice"),
+						   state->msgs);
+					YYERROR;
+				}
+				$<chain>0->priority	= $2;
+				$<chain>0->obj_flags	|= CHAIN_OBJ_F_PRIO;
+			}
+			|	PRIORITY	DASH	NUM
+			{
+				$<chain>0->priority	= -$3;
+				$<chain>0->obj_flags	|= CHAIN_OBJ_F_PRIO;
 			}
 			;
 
-- 
1.7.10.4

[PATCH nft 3/3] src: allow to specify the default policy for base chains

[Pablo Neira Ayuso]

The new syntax is:

 nft add chain filter input { hook input type filter priority 0 policy accept\; }

but the previous syntax is still allowed:

 nft add chain filter input { hook input type filter priority 0\; }

this assumes default policy to accept.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
I have discovered a bug in newchain() in the nf_tables kernel API that forces
us to specify the hook when changing the policy for an existing chain, please
see follow up patch to address this problem.

 include/rule.h     |    3 +++
 src/netlink.c      |   13 ++++++++++++-
 src/parser_bison.y |   20 ++++++++++++++++++++
 src/rule.c         |   21 +++++++++++++++++----
 4 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index b0ea1ba..5161787 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -99,6 +99,7 @@ enum chain_obj_flags {
 	CHAIN_OBJ_F_BASE	= (CHAIN_OBJ_F_HOOK |
 				   CHAIN_OBJ_F_TYPE |
 				   CHAIN_OBJ_F_PRIO),
+	CHAIN_OBJ_F_POLICY	= (1 << 3),
 };
 
 /**
@@ -120,6 +121,7 @@ enum chain_flags {
  * @hookstr:	unified and human readable hook name (base chains)
  * @hooknum:	hook number (base chains)
  * @priority:	hook priority (base chains)
+ * @policy:	default chain policy (base chains)
  * @type:	chain type
  * @obj_flags:	internal object flags (indicates structure field is set)
  * @rules:	rules contained in the chain
@@ -133,6 +135,7 @@ struct chain {
 	unsigned int		hooknum;
 	int			priority;
 	const char		*type;
+	uint32_t		policy;
 	uint32_t		obj_flags;
 	struct scope		scope;
 	struct list_head	rules;
diff --git a/src/netlink.c b/src/netlink.c
index 8c37ec5..fd4a11b 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -508,6 +508,10 @@ static int netlink_add_chain_compat(struct netlink_ctx *ctx,
 		nft_chain_attr_set_str(nlc, NFT_CHAIN_ATTR_TYPE,
 				       chain->type);
 	}
+	if (chain->obj_flags & CHAIN_OBJ_F_POLICY)
+		nft_chain_attr_set_u32(nlc, NFT_CHAIN_ATTR_POLICY,
+				       chain->policy);
+
 	netlink_dump_chain(nlc);
 	err = mnl_nft_chain_add(nf_sock, nlc, excl ? NLM_F_EXCL : 0);
 	nft_chain_free(nlc);
@@ -535,6 +539,10 @@ static int netlink_add_chain_batch(struct netlink_ctx *ctx,
 		nft_chain_attr_set_str(nlc, NFT_CHAIN_ATTR_TYPE,
 				       chain->type);
 	}
+	if (chain->obj_flags & CHAIN_OBJ_F_POLICY)
+		nft_chain_attr_set_u32(nlc, NFT_CHAIN_ATTR_POLICY,
+				       chain->policy);
+
 	netlink_dump_chain(nlc);
 	err = mnl_nft_chain_batch_add(nlc, excl ? NLM_F_EXCL : 0,
 				      ctx->seqnum);
@@ -665,13 +673,16 @@ static struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
 
 	if (nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_HOOKNUM) &&
 	    nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_PRIO) &&
-	    nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_TYPE)) {
+	    nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_TYPE) &&
+	    nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_POLICY)) {
 		chain->hooknum       =
 			nft_chain_attr_get_u32(nlc, NFT_CHAIN_ATTR_HOOKNUM);
 		chain->priority      =
 			nft_chain_attr_get_s32(nlc, NFT_CHAIN_ATTR_PRIO);
 		chain->type          =
 			xstrdup(nft_chain_attr_get_str(nlc, NFT_CHAIN_ATTR_TYPE));
+		chain->policy          =
+			nft_chain_attr_get_u32(nlc, NFT_CHAIN_ATTR_POLICY);
 		chain->flags        |= CHAIN_F_BASECHAIN;
 	}
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 6fa201d..c7b0c17 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1090,6 +1090,26 @@ hook_option		:	TYPE		STRING
 				$<chain>0->priority	= -$3;
 				$<chain>0->obj_flags	|= CHAIN_OBJ_F_PRIO;
 			}
+			|	POLICY		ACCEPT
+			{
+				if ($<chain>0->flags & CHAIN_OBJ_F_POLICY) {
+					erec_queue(error(&@$, "you cannot set chain policy twice"),
+						   state->msgs);
+					YYERROR;
+				}
+				$<chain>0->policy	= NF_ACCEPT;
+				$<chain>0->obj_flags	|= CHAIN_OBJ_F_POLICY;
+			}
+			|	POLICY		DROP
+			{
+				if ($<chain>0->flags & CHAIN_OBJ_F_POLICY) {
+					erec_queue(error(&@$, "you cannot set chain policy twice"),
+						   state->msgs);
+					YYERROR;
+				}
+				$<chain>0->policy	= NF_DROP;
+				$<chain>0->obj_flags	|= CHAIN_OBJ_F_POLICY;
+			}
 			;
 
 identifier		:	STRING
diff --git a/src/rule.c b/src/rule.c
index 3c92589..5224f80 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -425,15 +425,27 @@ static const char *hooknum2str(unsigned int family, unsigned int hooknum)
 	return "unknown";
 }
 
+static const char *policy2str(uint32_t policy)
+{
+	switch (policy) {
+	case NF_DROP:
+		return "drop";
+	case NF_ACCEPT:
+		return "accept";
+	}
+	return "unknown";
+}
+
 static void chain_print(const struct chain *chain)
 {
 	struct rule *rule;
 
 	printf("\tchain %s {\n", chain->handle.chain);
 	if (chain->flags & CHAIN_F_BASECHAIN) {
-		printf("\t\t type %s hook %s priority %d;\n", chain->type,
+		printf("\t\t type %s hook %s priority %d policy %s;\n",
+		       chain->type,
 		       hooknum2str(chain->handle.family, chain->hooknum),
-		       chain->priority);
+		       chain->priority, policy2str(chain->policy));
 	}
 	list_for_each_entry(rule, &chain->rules, list) {
 		printf("\t\t");
@@ -452,9 +464,10 @@ void chain_print_plain(const struct chain *chain)
 	       chain->handle.table, chain->handle.chain);
 
 	if (chain->flags & CHAIN_F_BASECHAIN) {
-		printf(" { type %s hook %s priority %d; }", chain->type,
+		printf(" { type %s hook %s priority %d policy %s; }",
+		       chain->type,
 		       hooknum2str(chain->handle.family, chain->hooknum),
-		       chain->priority);
+		       chain->priority, policy2str(chain->policy));
 	}
 
 	printf("\n");
-- 
1.7.10.4

Re: [PATCH nft 2/3] parser: allow to reorder chain options

[Patrick McHardy]

On 17.03, Pablo Neira Ayuso wrote:
> This allows all possible combinations to work:
> 
>  nft add chain filter input { type filter hook input priority 0 \; }
>  nft add chain filter input { priority 0 type filter hook input \; }


I don't object to being able to change the order of type and hook,
but priority logically belongs to the hook keyword, why change this?

Re: [PATCH nft 2/3] parser: allow to reorder chain options

[Pablo Neira Ayuso]

On Tue, Mar 17, 2015 at 12:15:14PM +0000, Patrick McHardy wrote:
> On 17.03, Pablo Neira Ayuso wrote:
> > This allows all possible combinations to work:
> > 
> >  nft add chain filter input { type filter hook input priority 0 \; }
> >  nft add chain filter input { priority 0 type filter hook input \; }
> 
> 
> I don't object to being able to change the order of type and hook,
> but priority logically belongs to the hook keyword, why change this?

When displaying the chain configuration, this shows in order.

But we're humans and I don't see a good reason why we should force
humans to order things in some specific way.

Re: [PATCH nft 2/3] parser: allow to reorder chain options

[Patrick McHardy]

On 17.03, Pablo Neira Ayuso wrote:
> On Tue, Mar 17, 2015 at 12:15:14PM +0000, Patrick McHardy wrote:
> > On 17.03, Pablo Neira Ayuso wrote:
> > > This allows all possible combinations to work:
> > > 
> > >  nft add chain filter input { type filter hook input priority 0 \; }
> > >  nft add chain filter input { priority 0 type filter hook input \; }
> > 
> > 
> > I don't object to being able to change the order of type and hook,
> > but priority logically belongs to the hook keyword, why change this?
> 
> When displaying the chain configuration, this shows in order.
> 
> But we're humans and I don't see a good reason why we should force
> humans to order things in some specific way.

I can see multiple reasons.

First one is, it logically belongs together since the priority is a
property of the hook, similar to that "prefix" belongs to "log" and
"rate" belongs to limit. We (I presume) agree that
"log rate limit 1/sec prefix bla" isn't something we want to support.
In fact this is just the mess that we had in iptables and which
created a lot of problems in the parser.

Which brings us to the second point, having a strict grammar makes
it easier to avoid conflicts in the grammar. I don't suppose we
will ever need a priority which is a property of the type, but
with this patch, it would be impossible.

Next is the confusion created by a loose grammar. If you consider
iproute2, if things don't work people start to google, they find
an example where a different, but equivalent keyword is used,
they get even more confused and start wasting their time be
reordering things or replacing keywords with equivalent ones.

And I simply don't see what we gain by doing this. In fact I don't
even buy that "human" argument, I think its easier to remember
a single well defined case than this exception, which is in fact
also an exception to what we do anywhere else in nftables.

My personal opinion is actually that type and hook should use a
stmt_seperator since they are two seperate things.