doc suggestions

A couple of documentation suggestions from a reader who is new to nftables:

1. Please document the slash syntax for matching on TCP flags.

Coming from iptables,

# iptables-translate -A INPUT -m tcp --syn -j RETURN
nft add rule ip filter INPUT tcp flags syn / fin,syn,rst,ack counter return

but https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_TCP.2FUDP.2FUDPlite_traffic makes no mention of this syntax.

This is especially confusing because nft automatically translates from the documented syntax to the undocumented one:

nft> add rule myfilter output tcp flags & (syn|rst|ack|fin) == syn counter
nft> list chain myfilter output
table ip myfilter {
        chain output {
                tcp flags syn / fin,syn,rst,ack counter packets 0 bytes 0
        }
}

I did eventually find an explanation in https://lore.kernel.org/all/20210514211035.5567-1-pablo@xxxxxxxxxxxxx/T/ but my last couple of work days would have been much more enjoyable if I hadn't had to look so hard.

While we're at it, I suggest including a slash syntax example in https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Tcp

2. In general, please document all the available operators and their precedence.

EXPRESSIONS in https://www.netfilter.org/projects/nftables/manpage.html#lbBD states "Expressions can be combined using binary, logical, relational and other types of expressions to form complex or relational (match) expressions.", and other bits of documentation allude to the same idea (e.g. "To match on TCP flags, you need to use a binary operation") but I have been unable to find a full list of these operations in either the man page or the wiki.

https://wiki.nftables.org/wiki-nftables/index.php/Building_rules_through_expressions is a start, but doesn't currently mention `&`, `|`, or the slash syntax above (if indeed that syntax is more generally applicable than just tcp flags, which intuitively seems likely though I admit I'm still not certain), nor does it mention operator precedence and when parens might be necessary, or even state that parens are permitted.  It may also be missing other things that I haven't personally tripped over yet.

Thanks,
David

--
David Zych (he/him)
Lead Network Service Engineer

University of Illinois Urbana-Champaign
Office of the Chief Information Officer
Technology Services

Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure.
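The two rule spellings quoted in the mail describe one and the same match, namely `(flags & mask) == value`. As an added illustration (not part of the mail, and not nft's own code), this Python model parses both spellings into a `(value, mask)` pair and applies it to constructed sample TCP flag bytes; the flag names and bit values are the standard TCP header bits that nft uses.

```python
# Added example: model the semantics of nft's "tcp flags <value> / <mask>"
# syntax and of the documented "tcp flags & (mask) == value" form.
from typing import Dict, List, Tuple

# TCP header flag bits, using the names nft accepts.
TCP_FLAGS: Dict[str, int] = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}

def flag_set(spec: str) -> int:
    """'fin,syn,rst,ack' or '(syn|rst|ack|fin)' -> combined bitmask."""
    bits = 0
    for name in spec.replace("|", ",").split(","):
        name = name.strip().strip("()")
        if name:
            bits |= TCP_FLAGS[name]
    return bits

def parse_slash(expr: str) -> Tuple[int, int]:
    """Parse the short form 'syn / fin,syn,rst,ack' into (value, mask)."""
    value, mask = (part.strip() for part in expr.split("/", 1))
    return flag_set(value), flag_set(mask)

def parse_and_eq(expr: str) -> Tuple[int, int]:
    """Parse the long form '& (syn|rst|ack|fin) == syn' into (value, mask)."""
    lhs, rhs = expr.split("==", 1)
    mask_spec = lhs.split("&", 1)[1]
    return flag_set(rhs), flag_set(mask_spec)

def matches(flags: int, value: int, mask: int) -> bool:
    """A packet matches when the masked flag bits equal the value."""
    return (flags & mask) == value

def classify(expr: str, samples: List[Tuple[str, int]]) -> Dict[str, bool]:
    """Evaluate a slash-form expression against labelled flag bytes."""
    value, mask = parse_slash(expr)
    return {label: matches(flags, value, mask) for label, flags in samples}

# Constructed sample flag bytes as they would appear in a TCP header.
SAMPLES: List[Tuple[str, int]] = [
    ("syn", 0x02),
    ("syn-ack", 0x12),
    ("ack", 0x10),
    ("syn-ecn-cwr", 0xC2),  # ECN-setup SYN: ecn/cwr lie outside the mask, so it still matches
    ("rst", 0x04),
]

if __name__ == "__main__":
    for label, hit in classify("syn / fin,syn,rst,ack", SAMPLES).items():
        print(f"{label:12} {'match' if hit else 'no match'}")
```

Only the SYN-only samples match, which is the `--syn` semantics iptables-translate produced; a SYN-ACK fails because ack is inside the mask but not in the value.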
