Trent W. Buck <trentbuck@xxxxxxxxx> wrote:
> In nftables, I can have comments on a rule,
> just like the old "iptables -m comment --help":
>
> table x {
>     chain y {
>         ct state vmap @z comment "quickly allow known flows"
>     }
> }
>
> I want to add comments to the chain itself, e.g.

Not possible, comments are attached to rules.

> table x {
>     chain y {
>         comment "input and filter chains call this first,"
>         comment "to quickly deal with packets we should always allow."
>         comment "these comment lines are NOPs that never match"
>         ct state ...
>         ...
>     }
> }
>
> But the parser doesn't like this.

It's not enough to extend the parser; we will need to add
NFTA_CHAIN_COMMENT and extend the parser so it can understand that

chain foo {
    comment bar
    comment foo baz
    ct ...

means it should pass 'bar\nfoo baz' as a string to the kernel via a new
NFTA_CHAIN_COMMENT attribute.

Then, we'll also need to extend delinearization so nft can display
the comment back to the user.

> ...but obviously that's undesirable.
> Are there "always true" and "always false" matchers, like this?
>
>     false comment "input and filter chains call this first,"
>
> I couldn't see one in parser_bison.y.

No, you will need to use an actual rule, e.g.
meta iifname "wontmatch" or similar.
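The workaround the reply suggests, written out as an added example that is not part of the thread: a ruleset in which the chain-level explanation is carried by rules that can never match. The table and chain names and the interface name "wontmatch" are assumptions; "wontmatch" must not be a real interface on the host.

```nft
# Added example, not from the thread. Load with: nft -f allow-known.nft
table inet filter {
    chain allow_known {
        # No interface is named "wontmatch" (assumption), so these two rules
        # never match: they are NOPs whose only purpose is the comment text.
        meta iifname "wontmatch" comment "input and forward chains jump here first,"
        meta iifname "wontmatch" comment "to quickly deal with packets we should always allow"

        # The rules that do the work keep ordinary per-rule comments.
        ct state established,related accept comment "quickly allow known flows"
        ct state invalid drop comment "never accept invalid state"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        jump allow_known
        iif "lo" accept comment "loopback"
    }
}
```

`nft -c -f allow-known.nft` syntax-checks the file without loading it. Each NOP rule is still evaluated for every packet traversing the chain and is listed by `nft list ruleset` as a rule, not as a chain attribute.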