On Thu, Jun 25, 2020 at 08:28:09PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > This patchset extends the nftables netlink API to support anonymous
> > non-base chains. Anonymous non-base chains have two properties:
> >
> > 1) The kernel dynamically allocates the (internal) chain name.
> > 2) If the rule that refers to the anonymous chain is removed, then the
> >    anonymous chain and its content is also released.
> >
> > This new infrastructure allows for the following syntax from userspace:
> >
> >   table inet x {
> >     chain y {
> >       type filter hook input priority 0;
> >       tcp dport 22 chain {
> >         ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
> >         ip6 saddr ::1/128 accept;
> >       }
> >     }
> >   }
>
> What about goto semantics?
>
> Would it make sense to change this to
>
>   tcp dport 22 jump chain {
>   ...
>
> so this could be changed to support 'tcp dport 22 goto chain {' as well?

Yes.

To expose goto, it should be possible to use this instead:

  tcp dport 22 jump {
  ...

and

  tcp dport 22 goto {
  ...

Thanks!
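As an added illustration (not part of the thread, not the patchset's own test ruleset), the ruleset below writes the anonymous-chain syntax with both verdicts discussed above, next to the equivalent form using an explicitly named chain. The addresses are the ones from the patch description; the `jump {` / `goto {` spelling follows the reply and is assumed here, as is the second port (2222) and the `policy drop` on the base chain, which are constructed for the example.

```nft
# Added example, not from the thread. Assumes the "jump {" / "goto {"
# anonymous-chain syntax proposed in the reply; port 2222 and "policy drop"
# are constructed for illustration.

table inet x {
    chain y {
        type filter hook input priority 0; policy drop;

        # jump: if no rule inside the anonymous chain issues a verdict,
        # evaluation returns to this chain and continues with the next rule.
        tcp dport 22 jump {
            ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
            ip6 saddr ::1/128 accept
        }

        # goto: no return to this chain. A packet not accepted inside the
        # anonymous chain falls through to the base chain policy (drop).
        tcp dport 2222 goto {
            ip saddr 192.168.13.0/24 accept
        }
    }
}

# The same filtering with a named, non-anonymous chain: identical
# semantics, but the helper chain must be named, and stays behind
# when the referencing rule is deleted unless it is removed by hand.
table inet x_named {
    chain ssh_allow {
        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
        ip6 saddr ::1/128 accept
    }
    chain y {
        type filter hook input priority 0; policy drop;
        tcp dport 22 jump ssh_allow
    }
}
```

Both tables load with `nft -f <file>`. The practical difference is the second property from the patch description: deleting the `tcp dport 22 jump { ... }` rule from `inet x` also releases the anonymous chain, whereas in `inet x_named` deleting the `jump ssh_allow` rule leaves `ssh_allow` in place until it is explicitly removed, which is where stale allow-lists tend to accumulate.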