[nft PATCH v5 0/3] Support wildcard netdev hooks

Phil Sutter <phil@xxxxxx> · Fri, 1 Aug 2025 00:29:42 +0200

Changes since v4:
- Adjust code to NFTA_HOOK_PREFIX attribute

Changes since v3:
- Unrelated patch 1 pushed out separately
- Fixed variable types and function prefix in patch 1
- Document interface wildcard support in nft.8

Changes since v2:
- New patch 1 fixing for excessive mnl_attr_nest_end() calls
- Introduce a helper function in patch 2 which also sanity-checks an
  array index - this is a copy of libnftnl's function for the same
  purpose, but we rather get rid of the dupicated calling code instead
  of exposing (and thus maintaining in future) the function from
  libnftnl

This is the remaining needed code change to support wildcard hook specs.
Patch 3 also adds shell test cases to cover the functionality. The
flowtable variant is skipped if 'nft list hooks' does not provide
flowtable information as this requires NFNL_HOOK_TYPE_NFT_FLOWTABLE in
kernel.

Phil Sutter (3):
  mnl: Support simple wildcards in netdev hooks
  parser_bison: Accept ASTERISK_STRING in flowtable_expr_member
  tests: shell: Test ifname-based hooks

 doc/nft.txt                                   | 30 +++++++++++--
 include/linux/netfilter/nf_tables.h           |  2 +
 src/mnl.c                                     | 26 +++++++++--
 src/parser_bison.y                            | 11 +----
 .../features/list_hooks_flowtable_info.sh     |  7 +++
 .../netdev_chain_name_based_hook_0.json-nft   | 34 ++++++++++++++
 .../dumps/netdev_chain_name_based_hook_0.nft  |  5 +++
 .../chains/netdev_chain_name_based_hook_0     | 44 ++++++++++++++++++
 .../testcases/flowtable/0016name_based_hook_0 | 45 +++++++++++++++++++
 .../dumps/0016name_based_hook_0.json-nft      | 32 +++++++++++++
 .../flowtable/dumps/0016name_based_hook_0.nft |  6 +++
 11 files changed, 225 insertions(+), 17 deletions(-)
 create mode 100755 tests/shell/features/list_hooks_flowtable_info.sh
 create mode 100644 tests/shell/testcases/chains/dumps/netdev_chain_name_based_hook_0.json-nft
 create mode 100644 tests/shell/testcases/chains/dumps/netdev_chain_name_based_hook_0.nft
 create mode 100755 tests/shell/testcases/chains/netdev_chain_name_based_hook_0
 create mode 100755 tests/shell/testcases/flowtable/0016name_based_hook_0
 create mode 100644 tests/shell/testcases/flowtable/dumps/0016name_based_hook_0.json-nft
 create mode 100644 tests/shell/testcases/flowtable/dumps/0016name_based_hook_0.nft

-- 
2.49.0