Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> This patchset extends the nftables netlink API to support anonymous
> non-base chains. Anonymous non-base chains have two properties:
>
> 1) The kernel dynamically allocates the (internal) chain name.
> 2) If the rule that refers to the anonymous chain is removed, then the
>    anonymous chain and its content are also released.
>
> This new infrastructure allows for the following syntax from userspace:
>
> table inet x {
>     chain y {
>         type filter hook input priority 0;
>         tcp dport 22 chain {
>             ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
>             ip6 saddr ::1/128 accept;
>         }
>     }
> }

What about goto semantics?

Would it make sense to change this to

  tcp dport 22 jump chain { ...

so this could be changed to support 'tcp dport 22 goto chain {' as well?
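To make the difference the reply asks about concrete, here is an added ruleset example; it is not part of the patch series or of the quoted message. It assumes the `jump { ... }` / `goto { ... }` spellings suggested in the reply (nftables later adopted this form for anonymous chains), and the addresses and the second table name are constructed for illustration.

```nft
# Added example, not from the patchset. Assumes the 'jump { ... }' and
# 'goto { ... }' spellings from the reply; addresses are constructed.

table inet x {
    chain y {
        type filter hook input priority 0; policy drop;

        # jump: if no rule inside the anonymous chain issues a verdict,
        # evaluation returns here and continues with the next rule, so
        # an SSH packet from an unlisted source reaches the counter/drop.
        tcp dport 22 jump {
            ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
            ip6 saddr ::1/128 accept
        }
        tcp dport 22 counter drop
    }
}

table inet z {
    chain y {
        type filter hook input priority 0; policy drop;

        # goto: evaluation does not return to this chain. An SSH packet the
        # anonymous chain does not accept is decided by the base chain
        # policy (drop), and the rule after the goto is never reached for it.
        tcp dport 22 goto {
            ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
            ip6 saddr ::1/128 accept
        }
        tcp dport 22 counter drop
    }
}
```

In both tables the anonymous chain has no name of its own, so it can only be reached through the single rule that references it; per property 2 of the patchset, deleting that rule (for example `nft delete rule inet x y handle <N>`) releases the anonymous chain and its contents with it. The observable difference is only what happens when the anonymous chain runs out of rules without a verdict: with jump the parent chain keeps evaluating, with goto the base chain policy applies directly.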