Hi Phil,
NFTA_DEVICE_PREFIX is now available in net.git, let's pick up on this.
On Fri, Aug 01, 2025 at 12:29:43AM +0200, Phil Sutter wrote:
> When building NFTA_{FLOWTABLE_,}HOOK_DEVS attributes, detect trailing
> asterisks in interface names and transmit the leading part in a
> NFTA_DEVICE_PREFIX attribute.
>
> Deserialization (i.e., appending asterisk to interface prefixes returned
> in NFTA_DEVICE_PREFIX atributes happens in libnftnl.
>
> Signed-off-by: Phil Sutter <phil@xxxxxx>
> ---
> Changes since v4:
> - Introduce and use NFTA_DEVICE_PREFIX which contains a NUL-terminated
> string as well but signals the kernel to interpret it as a prefix to
> match interfaces on.
> - Do not send wildcards in NFTA_HOOK_DEV: On one hand, the kernel can't
> detect them anymore since they are NUL-terminated as well. On the
> other, it would defeat the purpose of having NFTA_DEVICE_PREFIX, which
> is to not crash old user space.
>
> Changes since v3:
> - Use uint16_t for 'attr' parameter and size_t for 'len' variable
> - Use mnl_nft_ prefix for the helper function
>
> Changes since v2:
> - Introduce mnl_attr_put_ifname() to perform the conditional
> mnl_attr_put() parameter adjustment
> - Sanity-check array index in above function to avoid out-of-bounds
> access
> ---
> include/linux/netfilter/nf_tables.h | 2 ++
> src/mnl.c | 26 +++++++++++++++++++++++---
> 2 files changed, 25 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
> index f57963e89fd16..b38d4780ae8c8 100644
> --- a/include/linux/netfilter/nf_tables.h
> +++ b/include/linux/netfilter/nf_tables.h
> @@ -1774,10 +1774,12 @@ enum nft_synproxy_attributes {
> * enum nft_device_attributes - nf_tables device netlink attributes
> *
> * @NFTA_DEVICE_NAME: name of this device (NLA_STRING)
> + * @NFTA_DEVICE_PREFIX: device name prefix, a simple wildcard (NLA_STRING)
> */
> enum nft_devices_attributes {
> NFTA_DEVICE_UNSPEC,
> NFTA_DEVICE_NAME,
> + NFTA_DEVICE_PREFIX,
> __NFTA_DEVICE_MAX
> };
> #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)
> diff --git a/src/mnl.c b/src/mnl.c
> index 43229f2498e55..b532b8ff00c1e 100644
> --- a/src/mnl.c
> +++ b/src/mnl.c
> @@ -795,6 +795,26 @@ static void nft_dev_array_free(const struct nft_dev *dev_array)
> free_const(dev_array);
> }
>
> +static bool is_wildcard_str(const char *str)
> +{
> + size_t len = strlen(str);
> +
> + if (len < 1 || str[len - 1] != '*')
> + return false;
> + if (len < 2 || str[len - 2] != '\\')
> + return true;
> + /* XXX: ignore backslash escaping for now */
Is this comment here still valid?
> + return false;
> +}
> +
> +static void mnl_nft_attr_put_ifname(struct nlmsghdr *nlh, const char *ifname)
> +{
> + uint16_t attr = is_wildcard_str(ifname) ?
> + NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME;
> +
> + mnl_attr_put_strz(nlh, attr, ifname);
> +}
> +
> static void mnl_nft_chain_devs_build(struct nlmsghdr *nlh, struct cmd *cmd)
> {
> const struct expr *dev_expr = cmd->chain->dev_expr;
> @@ -803,14 +823,14 @@ static void mnl_nft_chain_devs_build(struct nlmsghdr *nlh, struct cmd *cmd)
> int i, num_devs = 0;
>
> dev_array = nft_dev_array(dev_expr, &num_devs);
> - if (num_devs == 1) {
> + if (num_devs == 1 && !is_wildcard_str(dev_array[0].ifname)) {
> cmd_add_loc(cmd, nlh, dev_array[0].location);
> mnl_attr_put_strz(nlh, NFTA_HOOK_DEV, dev_array[0].ifname);
> } else {
> nest_dev = mnl_attr_nest_start(nlh, NFTA_HOOK_DEVS);
> for (i = 0; i < num_devs; i++) {
> cmd_add_loc(cmd, nlh, dev_array[i].location);
> - mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev_array[i].ifname);
> + mnl_nft_attr_put_ifname(nlh, dev_array[i].ifname);
> }
> mnl_attr_nest_end(nlh, nest_dev);
> }
> @@ -2091,7 +2111,7 @@ static void mnl_nft_ft_devs_build(struct nlmsghdr *nlh, struct cmd *cmd)
> nest_dev = mnl_attr_nest_start(nlh, NFTA_FLOWTABLE_HOOK_DEVS);
> for (i = 0; i < num_devs; i++) {
> cmd_add_loc(cmd, nlh, dev_array[i].location);
> - mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev_array[i].ifname);
> + mnl_nft_attr_put_ifname(nlh, dev_array[i].ifname);
> }
>
> mnl_attr_nest_end(nlh, nest_dev);
> --
> 2.49.0
>
