On Thu, Jul 03, 2025 at 02:39:47PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > personally wouldn't care about as I find it similar to mis-typing an IP
> > address or RHS to an iifname match.
>
> Good point. I think if performance isn't an issue then we can go ahead
> without this flag.
>
> > If transparency of behaviour is a
> > concern, I'd rather implement GETDEV message type and enable user space
> > to print the list of currently bound interfaces (though it's partially
> > redundant, 'nft list hooks' helps there although it does not show which
> > flowtable/chain "owns" the hook).
>
> Do we need new query types for this?
> nftables could just query via rtnetlink if the device exists or not
> and then print a hint if it's absent.

Hey, that's a hack! :P

Under normal circumstances, this should indeed suffice. The ruleset is
per-netns, so the kernel's view matches nft's. The only downside I see
is that we would not detect kernel bugs this way, e.g. if a new device
slipped through and was not bound. Debatable if the GETDEV extra effort
is justified for this "should not happen" situation, though.

Cheers, Phil