* [RFC][PATCH] nftables: add slash to chain syntax
@ 2013-11-30 23:20 Phil Oester
2013-11-30 23:22 ` Phil Oester
0 siblings, 1 reply; 4+ messages in thread
From: Phil Oester @ 2013-11-30 23:20 UTC (permalink / raw)
To: netfilter-devel
The current syntax when handling chains seems counterintuitive to me. I would
expect that "add chain" would have the name of the chain directly after the
keyword "chain". But instead, the name of the table is there, with the chain
after. I think a better syntax might be this:
add chain <table>/<chain>
which seems clearer to me. And it has the added benefit of following the
"everything is a file" paradigm. Who knows - maybe someday we can add a sysfs
interface for nftables, and this will fit nicely within a tree:
nftables
tables
chains
rules
Thoughts? Attached patch is a general proof of concept.
Phil
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [RFC][PATCH] nftables: add slash to chain syntax
2013-11-30 23:20 [RFC][PATCH] nftables: add slash to chain syntax Phil Oester
@ 2013-11-30 23:22 ` Phil Oester
2013-12-04 14:05 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Phil Oester @ 2013-11-30 23:22 UTC (permalink / raw)
To: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 709 bytes --]
<v2: attach the patch this time...>
The current syntax when handling chains seems counterintuitive to me. I would
expect that "add chain" would have the name of the chain directly after the
keyword "chain". But instead, the name of the table is there, with the chain
after. I think a better syntax might be this:
add chain <table>/<chain>
which seems clearer to me. And it has the added benefit of following the
"everything is a file" paradigm. Who knows - maybe someday we can add a sysfs
interface for nftables, and this will fit nicely within a tree:
nftables
tables
chains
rules
Thoughts? Attached patch is a general proof of concept.
Phil
[-- Attachment #2: patch-nft-slash_chain --]
[-- Type: text/plain, Size: 706 bytes --]
diff --git a/src/parser.y b/src/parser.y
index a49e5c2..5f6fed0 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -833,10 +833,10 @@ tables_spec : family_spec
}
;
-chain_spec : table_spec identifier
+chain_spec : table_spec SLASH identifier
{
$$ = $1;
- $$.chain = $2;
+ $$.chain = $3;
}
;
diff --git a/src/scanner.l b/src/scanner.l
index cee6aa6..ba1dcdf 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -111,7 +111,7 @@ decstring {digit}+
hexstring 0[xX]{hexdigit}+
range ({decstring}?:{decstring}?)
letter [a-zA-Z]
-string ({letter})({letter}|{digit}|[/\-_\.])*
+string ({letter})({letter}|{digit}|[\-_\.])*
quotedstring \"[^"]*\"
comment #.*$
slash \/
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [RFC][PATCH] nftables: add slash to chain syntax
2013-11-30 23:22 ` Phil Oester
@ 2013-12-04 14:05 ` Pablo Neira Ayuso
2013-12-04 15:16 ` Arturo Borrero Gonzalez
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-12-04 14:05 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel
On Sat, Nov 30, 2013 at 03:22:48PM -0800, Phil Oester wrote:
> <v2: attach the patch this time...>
>
> The current syntax when handling chains seems counterintuitive to me. I would
> expect that "add chain" would have the name of the chain directly after the
> keyword "chain". But instead, the name of the table is there, with the chain
> after. I think a better syntax might be this:
>
> add chain <table>/<chain>
Frankly, I prefer to leave the syntax as is in that regard.
But there are a couple of syntax aspect that would be worth discussing
before this is set in stone, eg. the `=>' in verdict maps.
The > symbol in the bash shell, if not escaped, results in a
redirection. We could replace it by ':', so the maps will look like:
add rule ip filter OUTPUT tcp dport vmap { \
22 : jump chain1, \
23 : jump chain2, \
}
Just in case we consider it worth to make it easier to run nft
commands from the bash shell.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [RFC][PATCH] nftables: add slash to chain syntax
2013-12-04 14:05 ` Pablo Neira Ayuso
@ 2013-12-04 15:16 ` Arturo Borrero Gonzalez
0 siblings, 0 replies; 4+ messages in thread
From: Arturo Borrero Gonzalez @ 2013-12-04 15:16 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Phil Oester, Netfilter Development Mailing list
On 4 December 2013 15:05, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> The > symbol in the bash shell, if not escaped, results in a
> redirection. We could replace it by ':', so the maps will look like:
>
> add rule ip filter OUTPUT tcp dport vmap { \
> 22 : jump chain1, \
> 23 : jump chain2, \
> }
>
> Just in case we consider it worth to make it easier to run nft
> commands from the bash shell.
I totally like this approach.
Why not to ease the life of bash users? I guess they are many :-)
--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-12-04 15:16 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-11-30 23:20 [RFC][PATCH] nftables: add slash to chain syntax Phil Oester
2013-11-30 23:22 ` Phil Oester
2013-12-04 14:05 ` Pablo Neira Ayuso
2013-12-04 15:16 ` Arturo Borrero Gonzalez
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).