All clauses are identical, so instead of adding a third one for ASTERISK_STRING, use a single one for 'string' (which combines all three variants). Signed-off-by: Phil Sutter --- Changes since v3: - Cover interface wildcards in nft.8 --- doc/nft.txt | 30 ++++++++++++++++++++++++++---- src/parser_bison.y | 11 +---------- 2 files changed, 27 insertions(+), 14 deletions(-) diff --git a/doc/nft.txt b/doc/nft.txt index 8712981943d78..42cdd38a27b67 100644 --- a/doc/nft.txt +++ b/doc/nft.txt @@ -387,13 +387,19 @@ add table inet mytable CHAINS ------ [verse] -{*add* | *create*} *chain* ['family'] 'table' 'chain' [*{ type* 'type' *hook* 'hook' [*device* 'device'] *priority* 'priority' *;* [*policy* 'policy' *;*] [*comment* 'comment' *;*] *}*] +____ +{*add* | *create*} *chain* ['family'] 'table' 'chain' [*{ type* 'type' *hook* 'hook' ['DEVICE'] *priority* 'priority' *;* [*policy* 'policy' *;*] [*comment* 'comment' *;*] *}*] {*delete* | *destroy* | *list* | *flush*} *chain* ['family'] 'table' 'chain' *list chains* ['family'] *delete chain* ['family'] 'table' *handle* 'handle' *destroy chain* ['family'] 'table' *handle* 'handle' *rename chain* ['family'] 'table' 'chain' 'newname' +'DEVICE' := {*device* 'DEVICE_NAME' | *devices = {* 'DEVICE_LIST' *}*} +'DEVICE_LIST' := 'DEVICE_NAME' [*,* 'DEVICE_LIST'] +'DEVICE_NAME' := 'string' | 'string'*** +____ + Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule 
@@ -436,7 +442,7 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting * The netdev family supports merely two combinations, namely *filter* type with *ingress* hook and *filter* type with *egress* hook. Base chains in this - family also require the *device* parameter to be present since they exist per + family also require the 'DEVICE' parameter to be present since they exist per interface only. * The arp family supports only the *input* and *output* hooks, both in chains of type *filter*. @@ -449,7 +455,13 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting The *device* parameter accepts a network interface name as a string, and is required when adding a base chain that filters traffic on the ingress or egress hooks. Any ingress or egress chains will only filter traffic from the -interface specified in the *device* parameter. +interface specified in the *device* parameter. The same base chain may be used +for multiple devices by using the *devices* parameter instead. + +With newer kernels there is also basic support for wildcards in 'DEVICE_NAME' +by specifying an asterisk suffix. The chain will apply to all interfaces +matching the given prefix. Use the *list hooks* command to see the current +status. The *priority* parameter accepts a signed integer value or a standard priority name which specifies the order in which chains with the same *hook* value are 
@@ -763,11 +775,16 @@ per element comment field FLOWTABLES ----------- [verse] -{*add* | *create*} *flowtable* ['family'] 'table' 'flowtable' *{ hook* 'hook' *priority* 'priority' *; devices = {* 'device'[*,* ...] *} ; }* +____ +{*add* | *create*} *flowtable* ['family'] 'table' 'flowtable' *{ hook* 'hook' *priority* 'priority' *; devices = {* 'DEVICE_LIST' *} ; }* *list flowtables* ['family'] ['table'] {*delete* | *destroy* | *list*} *flowtable* ['family'] 'table' 'flowtable' *delete* *flowtable* ['family'] 'table' *handle* 'handle' +'DEVICE_LIST' := 'DEVICE_NAME' [*,* 'DEVICE_LIST'] +'DEVICE_NAME' := 'string' | 'string'*** +____ + Flowtables allow you to accelerate packet forwarding in software. Flowtables entries are represented through a tuple that is composed of the input interface, source and destination address, source and destination port; and layer 3/4 @@ -786,6 +803,11 @@ The *priority* can be a signed integer or *filter* which stands for 0. Addition and subtraction can be used to set relative priority, e.g. filter + 5 equals to 5. +With newer kernels there is basic support for wildcards in 'DEVICE_LIST' by +specifying an asterisk suffix. The flowtable will apply to all interfaces +matching the given prefix. Use the *list hooks* command to see the current +status. + [horizontal] *add*:: Add a new flowtable for the given family with the given name. *delete*:: Delete the specified flowtable. diff --git a/src/parser_bison.y b/src/parser_bison.y index 0b1ea699c6102..d665f2fa8c7c1 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -2473,16 +2473,7 @@ flowtable_list_expr : flowtable_expr_member | flowtable_list_expr COMMA opt_newline ; -flowtable_expr_member : QUOTED_STRING - { - struct expr *expr = ifname_expr_alloc(&@$, state->msgs, $1); - - if (!expr) - YYERROR; - - $$ = expr; - } - | STRING +flowtable_expr_member : string { struct expr *expr = ifname_expr_alloc(&@$, state->msgs, $1); -- 2.49.0
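Review bot: in the CHAINS synopsis hunk (nft.txt @@ -387,13), the two productions `'DEVICE_LIST' := 'DEVICE_NAME' [*,* 'DEVICE_LIST']` and `'DEVICE_NAME' := 'string' | 'string'***` are repeated verbatim in the FLOWTABLES synopsis hunk (@@ -763,11); define them once and have the second synopsis refer to the first, or the two copies will drift the next time the device syntax changes. Also confirm that `'string'***` renders as a literal bold asterisk after the name in the generated nft.8, since runs of asterisks are bold markup in asciidoc and the intent here is the literal `*` suffix.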
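Review bot: in the hunk at nft.txt @@ -436,7, "require the 'DEVICE' parameter" uses a grammar non-terminal as if it were a keyword the user types; since 'DEVICE' expands to either *device* or *devices*, "require one of the *device* or *devices* parameters" (or "a 'DEVICE' specification") reads more naturally and matches how the rest of the section names keywords in bold.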
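Review bot: in the hunk at nft.txt @@ -449,7, the unchanged lead sentence "The *device* parameter accepts a network interface name as a string, and is required when adding a base chain that filters traffic on the ingress or egress hooks" is now contradicted by the added "The same base chain may be used for multiple devices by using the *devices* parameter instead": after this patch either parameter satisfies the requirement, so reword the first sentence to say that one of *device* or *devices* is required. Two further points in the added wildcard paragraph: "With newer kernels" gives the reader no way to tell whether their kernel qualifies, so name the minimum kernel version (or the feature to look for), and "Use the *list hooks* command to see the current status" does not say status of what; state what *list hooks* shows here, e.g. which interfaces the chain is actually bound to at the moment.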
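Review bot: in the hunk at nft.txt @@ -786,6, the added paragraph "With newer kernels there is basic support for wildcards in 'DEVICE_LIST' ... Use the *list hooks* command to see the current status." is a near-verbatim copy of the one added to the CHAINS section and carries the same gaps (no kernel version, "status" undefined); either fix both copies together or keep the kernel-version and *list hooks* explanation in one place and have this paragraph point to it.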
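Review bot: in the parser_bison.y hunk (@@ -2473,16), collapsing the `QUOTED_STRING` and `STRING` alternatives into `flowtable_expr_member : string` is a correct simplification only if the `string` non-terminal already accepts `ASTERISK_STRING` and `ifname_expr_alloc()` already handles the trailing asterisk; neither is visible in this hunk and the commit message only asserts that `string` "combines all three variants". Since this is v4 of a series, name the earlier patches that add the `ASTERISK_STRING` token to `string` and teach `ifname_expr_alloc()` about the suffix, so the dependency is explicit for anyone bisecting or backporting this change on its own.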