Re: some questions on nft

[Christoph Anton Mitterer <calestyo@scientia.org>]

Hey Florian.

Thanks for taking your time on this :-)

On Wed, 2025-09-24 at 14:17 +0200, Florian Westphal wrote:
> Christoph Anton Mitterer <calestyo@scientia.org> wrote:
> > 1) I there any difference between e.g
> >       ct state established,related accept
> 
> You can use nft --netlink=debug, that should explain the difference.
> This is a bit-test, matches if either flag is set.

So you if mean either establishes, or related or both are set, right?

I assume it works always like this with "," and any bitfields?

My nft doesn't seem to recognise --netlink=debug. Do you mean
--debug=netlink? :-)


> >    and
> >       ct state {established,related} accept
> 
> matches when established is set but not related and vice versa.
> Given established and related are mutually exclusive, both do the
> same thing but the former is a bit faster.

I see. , good to know.


> 
> > 4) In principle I prefer the syntax as returned by nft list over
> > the
> >    one using single commands, like:
> >      add rule ...
> >    is there any documentation on how the block based syntax is
> >    merged when using include? Or is that even officially supported?
> 
> Its expected to work, yes.  Not aware of any documentation.

Such documentation would actually be quite helpful, cause I've seen
e.g. that "redefining" (or better updating) a table with that syntax
won't cause e.g. its comment to be updated.
But the policy of a chain will be overridden by a later one.


> >    But no idea how his would be done with sets, etc.?
> >    Or is this simply a: don't do such stupid things?
> 
> Well, its always a good idea to NOT do stupid things :)

Well from the documentation, both form seemed to be considered "equal",
so it's not necessarily obvious whether or not it's just stupid or
missing some docs ;-)


> 
> > 5) Many examples use:
> >      iif lo
> >    or
> >      iifname lo
> > 
> >    Now first, if I'd bring down lo and bring it up again (like it
> > may
> >    actually happen with eth0/wlan0 and others)... would it get a
> >    different id, and thus no longer be matched by iif?
> 
> No, lo is always 1.  For other devices, yes, might get different id.

And I assume this is really hardwired?

I.e. even if on would hack the system to bring up lo after e.g. eth0...
or if one would remove lo and bring it back?
Not sure whether this is even still possible.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/core/dev.c#n12926
seems to indicate that not.


> >    In particular for lo, wouldn't it anyway better to use
> >      iiftype loopback
> >    (which would simply match all loopbacks, regardless of their
> > name)
> >    or is there any disadvantage I can't see?)
> 
> Hmm, why would anyone add another loopback device?

Not that I want... but just to catch any stuff that co-admins might do
;-)


> > 7) Also not possible, AFAICS, but was it ever considered to allow
> >    using sets within (v)maps or even other sets?
> 
> No idea. I don't like it because it slows things down (need to
> iterate and then query several sets).

True. But I though more about the poor-man's way, where any referred
named set would have simply been resolved when being added.


Thanks... your answers were quite helpful. :-)


Cheers,
Chris.