Re: [nft PATCH v5 2/3] parser_bison: Accept ASTERISK_STRING in flowtable_expr_member

[Phil Sutter <phil@nwl.cc>]

On Thu, Sep 04, 2025 at 05:20:50PM +0200, Pablo Neira Ayuso wrote:
> Hi Phil,
> 
> On Fri, Aug 01, 2025 at 12:29:44AM +0200, Phil Sutter wrote:
> > All clauses are identical, so instead of adding a third one for
> > ASTERISK_STRING, use a single one for 'string' (which combines all three
> > variants).
> > 
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> > Changes since v3:
> > - Cover interface wildcards in nft.8
> > ---
> >  doc/nft.txt        | 30 ++++++++++++++++++++++++++----
> >  src/parser_bison.y | 11 +----------
> >  2 files changed, 27 insertions(+), 14 deletions(-)
> > 
> > diff --git a/doc/nft.txt b/doc/nft.txt
> > index 8712981943d78..42cdd38a27b67 100644
> > --- a/doc/nft.txt
> > +++ b/doc/nft.txt
> > @@ -387,13 +387,19 @@ add table inet mytable
> >  CHAINS
> >  ------
> >  [verse]
> > -{*add* | *create*} *chain* ['family'] 'table' 'chain' [*{ type* 'type' *hook* 'hook' [*device* 'device'] *priority* 'priority' *;* [*policy* 'policy' *;*] [*comment* 'comment' *;*] *}*]
> > +____
> > +{*add* | *create*} *chain* ['family'] 'table' 'chain' [*{ type* 'type' *hook* 'hook' ['DEVICE'] *priority* 'priority' *;* [*policy* 'policy' *;*] [*comment* 'comment' *;*] *}*]
> >  {*delete* | *destroy* | *list* | *flush*} *chain* ['family'] 'table' 'chain'
> >  *list chains* ['family']
> >  *delete chain* ['family'] 'table' *handle* 'handle'
> >  *destroy chain* ['family'] 'table' *handle* 'handle'
> >  *rename chain* ['family'] 'table' 'chain' 'newname'
> >  
> > +'DEVICE' := {*device* 'DEVICE_NAME' | *devices = {* 'DEVICE_LIST' *}*}
> > +'DEVICE_LIST' := 'DEVICE_NAME' [*,* 'DEVICE_LIST']
> > +'DEVICE_NAME' := 'string' | 'string'***
> > +____
> > +
> >  Chains are containers for rules. They exist in two kinds, base chains and
> >  regular chains. A base chain is an entry point for packets from the networking
> >  stack, a regular chain may be used as jump target and is used for better rule
> > @@ -436,7 +442,7 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting
> >  
> >  * The netdev family supports merely two combinations, namely *filter* type with
> >    *ingress* hook and *filter* type with *egress* hook. Base chains in this
> > -  family also require the *device* parameter to be present since they exist per
> > +  family also require the 'DEVICE' parameter to be present since they exist per
> >    interface only.
> >  * The arp family supports only the *input* and *output* hooks, both in chains of type
> >    *filter*.
> > @@ -449,7 +455,13 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting
> >  The *device* parameter accepts a network interface name as a string, and is
> >  required when adding a base chain that filters traffic on the ingress or
> >  egress hooks. Any ingress or egress chains will only filter traffic from the
> > -interface specified in the *device* parameter.
> > +interface specified in the *device* parameter. The same base chain may be used
> > +for multiple devices by using the *devices* parameter instead.
> > +
> > +With newer kernels there is also basic support for wildcards in 'DEVICE_NAME'
> > +by specifying an asterisk suffix. The chain will apply to all interfaces
> > +matching the given prefix. Use the *list hooks* command to see the current
> > +status.
> 
> Maybe explain here too that newer kernels also allow to pre-register a
> match on unexisting devices (specify version), while old kernel fail
> with ENOENT?

ACK, will do!

> >  The *priority* parameter accepts a signed integer value or a standard priority
> >  name which specifies the order in which chains with the same *hook* value are
> > @@ -763,11 +775,16 @@ per element comment field
> >  FLOWTABLES
> >  -----------
> >  [verse]
> > -{*add* | *create*} *flowtable* ['family'] 'table' 'flowtable' *{ hook* 'hook' *priority* 'priority' *; devices = {* 'device'[*,* ...] *} ; }*
> > +____
> > +{*add* | *create*} *flowtable* ['family'] 'table' 'flowtable' *{ hook* 'hook' *priority* 'priority' *; devices = {* 'DEVICE_LIST' *} ; }*
> >  *list flowtables* ['family'] ['table']
> >  {*delete* | *destroy* | *list*} *flowtable* ['family'] 'table' 'flowtable'
> >  *delete* *flowtable* ['family'] 'table' *handle* 'handle'
> >  
> > +'DEVICE_LIST' := 'DEVICE_NAME' [*,* 'DEVICE_LIST']
> > +'DEVICE_NAME' := 'string' | 'string'***
> > +____
> > +
> >  Flowtables allow you to accelerate packet forwarding in software. Flowtables
> >  entries are represented through a tuple that is composed of the input interface,
> >  source and destination address, source and destination port; and layer 3/4
> > @@ -786,6 +803,11 @@ The *priority* can be a signed integer or *filter* which stands for 0. Addition
> >  and subtraction can be used to set relative priority, e.g. filter + 5 equals to
> >  5.
> >  
> > +With newer kernels there is basic support for wildcards in 'DEVICE_LIST' by
> > +specifying an asterisk suffix. The flowtable will apply to all interfaces
> > +matching the given prefix. Use the *list hooks* command to see the current
> > +status.
> 
>                                                         ... to see the
> hooks that are that registered per device that match on the wildcard
> device.

LGTM!

Thanks, Phil