S Egbert <s.egbert@xxxxxxxxxxxxx> wrote:

[ cc -devel ]

> During my vim syntax highlight unit testing... I noticed a behavior of 'nft'
> with regard to repeated adding/deleting same two sets of chains 5x.
>
> Running latest nft v1.1.4, Debian 13, Linux 6.12.41+deb13-amd64,
>
> add table netdev T
>
> add chain netdev T A { type filter hook ingress priority -500; policy accept; };
> delete chain netdev T A { type filter hook ingress priority -500; policy accept; };
>
> add chain netdev T A { type filter hook ingress device eno2 priority -500; policy accept; };
> delete chain netdev T A { type filter hook ingress device eno2 priority -500; policy accept; };
>
> add chain netdev T A { type filter hook ingress priority -500; policy accept; };
> delete chain netdev T A { type filter hook ingress priority -500; policy accept; };

That's unrelated to the add/del below.

> add chain netdev T A { type filter hook egress device eno2 priority -500; policy accept; };
> delete chain netdev T A { type filter hook egress device eno2 priority -500; policy accept; };

This adds empty egress chain for egress, not hooked to any device.

> add chain netdev T A { type filter hook egress device eno2 priority -500; policy accept; }; # ERROR IS HERE

This asks to update the empty egress chain and add "eno2" as new device hook.

> delete chain netdev T A { type filter hook egress device eno2 priority -500; policy accept; };

This delete will fail because the previous update request (add a hook for
netdev chain for "eno2" device) is still pending and not committed yet, so
the device name isn't found when searching the basechains hook list.

Trying to support "add X/undo X" patterns has led to dozens of bugs already.
I don't think we should support this, the logic is complicated enough as-is.