Hi Phil,
On Fri, Aug 01, 2025 at 12:29:44AM +0200, Phil Sutter wrote:
> All clauses are identical, so instead of adding a third one for
> ASTERISK_STRING, use a single one for 'string' (which combines all three
> variants).
>
> Signed-off-by: Phil Sutter <phil@xxxxxx>
> ---
> Changes since v3:
> - Cover interface wildcards in nft.8
> ---
> doc/nft.txt | 30 ++++++++++++++++++++++++++----
> src/parser_bison.y | 11 +----------
> 2 files changed, 27 insertions(+), 14 deletions(-)
>
> diff --git a/doc/nft.txt b/doc/nft.txt
> index 8712981943d78..42cdd38a27b67 100644
> --- a/doc/nft.txt
> +++ b/doc/nft.txt
> @@ -387,13 +387,19 @@ add table inet mytable
> CHAINS
> ------
> [verse]
> -{*add* | *create*} *chain* ['family'] 'table' 'chain' [*{ type* 'type' *hook* 'hook' [*device* 'device'] *priority* 'priority' *;* [*policy* 'policy' *;*] [*comment* 'comment' *;*] *}*]
> +____
> +{*add* | *create*} *chain* ['family'] 'table' 'chain' [*{ type* 'type' *hook* 'hook' ['DEVICE'] *priority* 'priority' *;* [*policy* 'policy' *;*] [*comment* 'comment' *;*] *}*]
> {*delete* | *destroy* | *list* | *flush*} *chain* ['family'] 'table' 'chain'
> *list chains* ['family']
> *delete chain* ['family'] 'table' *handle* 'handle'
> *destroy chain* ['family'] 'table' *handle* 'handle'
> *rename chain* ['family'] 'table' 'chain' 'newname'
>
> +'DEVICE' := {*device* 'DEVICE_NAME' | *devices = {* 'DEVICE_LIST' *}*}
> +'DEVICE_LIST' := 'DEVICE_NAME' [*,* 'DEVICE_LIST']
> +'DEVICE_NAME' := 'string' | 'string'***
> +____
> +
> Chains are containers for rules. They exist in two kinds, base chains and
> regular chains. A base chain is an entry point for packets from the networking
> stack, a regular chain may be used as jump target and is used for better rule
> @@ -436,7 +442,7 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting
>
> * The netdev family supports merely two combinations, namely *filter* type with
> *ingress* hook and *filter* type with *egress* hook. Base chains in this
> - family also require the *device* parameter to be present since they exist per
> + family also require the 'DEVICE' parameter to be present since they exist per
> interface only.
> * The arp family supports only the *input* and *output* hooks, both in chains of type
> *filter*.
> @@ -449,7 +455,13 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting
> The *device* parameter accepts a network interface name as a string, and is
> required when adding a base chain that filters traffic on the ingress or
> egress hooks. Any ingress or egress chains will only filter traffic from the
> -interface specified in the *device* parameter.
> +interface specified in the *device* parameter. The same base chain may be used
> +for multiple devices by using the *devices* parameter instead.
> +
> +With newer kernels there is also basic support for wildcards in 'DEVICE_NAME'
> +by specifying an asterisk suffix. The chain will apply to all interfaces
> +matching the given prefix. Use the *list hooks* command to see the current
> +status.
Maybe explain here too that newer kernels also allow to pre-register a
match on unexisting devices (specify version), while old kernel fail
with ENOENT?
> The *priority* parameter accepts a signed integer value or a standard priority
> name which specifies the order in which chains with the same *hook* value are
> @@ -763,11 +775,16 @@ per element comment field
> FLOWTABLES
> -----------
> [verse]
> -{*add* | *create*} *flowtable* ['family'] 'table' 'flowtable' *{ hook* 'hook' *priority* 'priority' *; devices = {* 'device'[*,* ...] *} ; }*
> +____
> +{*add* | *create*} *flowtable* ['family'] 'table' 'flowtable' *{ hook* 'hook' *priority* 'priority' *; devices = {* 'DEVICE_LIST' *} ; }*
> *list flowtables* ['family'] ['table']
> {*delete* | *destroy* | *list*} *flowtable* ['family'] 'table' 'flowtable'
> *delete* *flowtable* ['family'] 'table' *handle* 'handle'
>
> +'DEVICE_LIST' := 'DEVICE_NAME' [*,* 'DEVICE_LIST']
> +'DEVICE_NAME' := 'string' | 'string'***
> +____
> +
> Flowtables allow you to accelerate packet forwarding in software. Flowtables
> entries are represented through a tuple that is composed of the input interface,
> source and destination address, source and destination port; and layer 3/4
> @@ -786,6 +803,11 @@ The *priority* can be a signed integer or *filter* which stands for 0. Addition
> and subtraction can be used to set relative priority, e.g. filter + 5 equals to
> 5.
>
> +With newer kernels there is basic support for wildcards in 'DEVICE_LIST' by
> +specifying an asterisk suffix. The flowtable will apply to all interfaces
> +matching the given prefix. Use the *list hooks* command to see the current
> +status.
... to see the
hooks that are that registered per device that match on the wildcard
device.
