Hi Phil,

On Fri, May 03, 2024 at 09:50:40PM +0200, Phil Sutter wrote:
> Currently, netdev-family chains and flowtables expect their interfaces
> to exist at creation time. In practice, this bites users of virtual
> interfaces if these happen to be created after the nftables service
> starts up and loads the stored ruleset.
>
> Vice-versa, if an interface disappears at run-time (via module unloading
> or 'ip link del'), it also disappears from the ruleset, along with the
> chain and its rules which bind to it. This is at least problematic for
> setups which store the running ruleset during system shutdown.
>
> This series attempts to solve these problems by effectively making
> netdev hooks name-based: If no matching interface is found at hook
> creation time, it will be inactive until a matching interface appears.
> If a bound interface is renamed, a matching inactive hook is searched
> for it.
>
> Ruleset dumps will stabilize in that regard. To still provide
> information about which existing interfaces a chain/flowtable currently
> binds to, new netlink attributes *_ACT_DEVS are introduced which are
> filled from the active hooks only.
>
> This series is also prep work for a simple wildcard interface binding
> similar to the wildcard interface matching in meta expression. It should
> suffice to turn struct nft_hook::ops into an array of all matching
> interfaces, but the respective code does not exist yet.

Before taking a closer look: Would it be possible to have a torture test
to exercise this path from userspace?

Thanks!
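A sketch of the kind of userspace exercise asked for above, added here as an example and not part of the series or of nftables' own selftests. It assumes root, nft and iproute2 on a kernel carrying this series; the interface name nftdev0 and table name t_namehook are constructed for the test, and the skip code 4 follows the kselftest convention.

```shell
#!/bin/sh
# Added example: exercise name-based netdev hooks from userspace.
# Returns 0 on success, 4 (kselftest skip) when prerequisites are
# missing, 1 when a step fails. Names below are constructed.
IF=nftdev0
TABLE=t_namehook
KSFT_SKIP=4

cleanup() {
	nft delete table netdev "$TABLE" 2>/dev/null
	ip link del "$IF" 2>/dev/null
	ip link del "${IF}r" 2>/dev/null
}

netdev_hook_torture() {
	if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1 \
	   || ! command -v ip >/dev/null 2>&1; then
		echo "SKIP: needs root, nft and ip" >&2
		return "$KSFT_SKIP"
	fi
	cleanup
	# 1. Bind a chain to an interface that does not exist yet. Without
	#    the series this fails; with it the hook is created inactive.
	nft add table netdev "$TABLE" || return 1
	nft add chain netdev "$TABLE" c \
		"{ type filter hook ingress device $IF priority 0; }" \
		|| { cleanup; return 1; }
	# 2. The interface appears later: the inactive hook must bind to it.
	ip link add "$IF" type dummy || { cleanup; return 1; }
	ip link set "$IF" up
	# 3. Rename, then delete: the chain must stay in the ruleset dump
	#    instead of vanishing together with the interface.
	ip link set "$IF" name "${IF}r" || { cleanup; return 1; }
	ip link del "${IF}r"
	nft list table netdev "$TABLE" | grep -q "$IF" || { cleanup; return 1; }
	# 4. Churn the interface to stress hook (de)registration.
	i=0
	while [ "$i" -lt 50 ]; do
		ip link add "$IF" type dummy && ip link del "$IF" \
			|| { cleanup; return 1; }
		i=$((i + 1))
	done
	# The chain must still be present after all that churn.
	nft list table netdev "$TABLE" | grep -q "$IF" || { cleanup; return 1; }
	cleanup
	return 0
}
```

Source the file and call netdev_hook_torture; on a kernel without the series it is expected to fail at step 1, which is the behaviour the cover letter describes.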