Hi @Bodlux!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

Hi, thanks for your first contribution! ifindex is more suited for an interface index (number). I would suggest introducing iface= which would allow either an interface index or an interface name.

Thanks for the suggestion. I've renamed the option from ifindex= to iface= so it accepts either an interface name or index.

Thanks for the detailed feedback, @qdeslandes. I've reworked the PR along the lines you suggested and force-pushed a single, clean commit.

Summary of the new approach:

• ifindex= is preserved. It still accepts only a numeric index, so no existing ruleset, script or serialized chain breaks. It now emits a deprecation warning pointing users to iface=.
• A new iface= option is introduced. It accepts either an interface name (resolved via if_nametoindex, reusing the existing bf_if_index_from_str() helper from src/libbpfilter/if.c) or a numeric interface index.
• Both options share the same BF_HOOKOPTS_IFINDEX slot in used_opts. This means either one satisfies the XDP/TC requirement, and specifying both in the same chain (or either one twice) is rejected as a duplicate.
• The on-wire msgpack key stays "ifindex", so the serialization format is unchanged.
• doc/usage/bfcli.rst: the hook option table now documents iface=$INTERFACE as the preferred option and flags ifindex=$IFINDEX as deprecated.
• Added a new hookopts_parse_iface unit test covering numeric input, interface name (lo), invalid names, duplicate detection, and the ifindex= + iface= cross-duplicate case.
• Added e2e duplicate-detection cases in tests/e2e/cli/hookopts.sh for iface=,iface= and ifindex=,iface=.
• History squashed to a single commit (the retrigger-CLA commit is gone).

Let me know if you'd like any further adjustments.

Thanks for the review. Pushed a force-update with the requested changes:

• Removed the dedicated alias table; iface is now a regular entry in _bf_hookopts_ops with its own BF_HOOKOPTS_IFACE slot in enum bf_hookopts_type.
• _bf_hookopts_iface_parse first errors when BF_HOOKOPTS_IFACE is already set ("iface= is defined multiple times"), then when BF_HOOKOPTS_IFINDEX is set ("iface= can't be set when ifindex= is already defined"). On success it sets both bits, so the XDP/TC ifindex requirement in bf_hookopts_validate is still satisfied.
• _bf_hookopts_ifindex_parse first errors when BF_HOOKOPTS_IFACE is set, then when BF_HOOKOPTS_IFINDEX is already set.
• Unit tests now assert the expected BF_HOOKOPTS_IFACE / BF_HOOKOPTS_IFINDEX bit state in every path and add the reverse iface= then ifindex= rejection case; the e2e test gains the matching duplicate.

The msgpack key is still ifindex, so on-wire compatibility is unchanged.

@claude review

Claude review of PR #508 (ef4d564)

Must fix

• Doc columns swapped for iface= and ifindex= — doc/usage/bfcli.rst:384 — "Required by" and "Supported by" are transposed for both entries relative to what the code declares in _bf_hookopts_ops

Suggestions

• Missing INT_MAX bounds check — src/libbpfilter/hook.c:255 — _bf_hookopts_iface_parse casts uint32_t to int without the > INT_MAX guard present in the sibling _bf_hookopts_ifindex_parse
• Dual-bit side effects in print/dump — src/libbpfilter/hook.c:257 — Setting both IFACE and IFINDEX bits causes bfcli to round-trip iface=eth0 as ifindex=N and bf_hookopts_dump to print both entries
• Enum insertion shifts existing values — src/libbpfilter/include/bpfilter/hook.h:156 — Prepending BF_HOOKOPTS_IFACE changes all existing enum ordinals; appending before _BF_HOOKOPTS_MAX would avoid this
• Commit message format — hook: should be lib: hook: per project convention; title also describes modifying ifindex= rather than adding iface=

Nits

• Missing trailing newline — tests/e2e/cli/hookopts.sh — pre-existing, but since the file is being modified consider fixing it

Workflow run

Thanks for the bot review @qdeslandes. Pushed a force-update addressing all five points and rebased onto current main.

• doc/usage/bfcli.rst: swapped the Required by / Supported by columns for the iface= and ifindex= rows so the doc matches the code (iface= supports XDP/TC, ifindex= is required by XDP/TC).
• src/libbpfilter/hook.c _bf_hookopts_iface_parse: added the same INT_MAX guard the sibling _bf_hookopts_ifindex_parse has before narrowing uint32_t -> int, with -E2BIG.
• src/bfcli/print.c: when BF_HOOKOPTS_IFACE is set the round-trip now prints iface=N instead of ifindex=N; ifindex=N is still printed in the deprecated path when only BF_HOOKOPTS_IFINDEX is set.
• src/libbpfilter/hook.c _bf_hookopts_ifindex_dump: returns early when BF_HOOKOPTS_IFACE is also set, so bf_hookopts_dump no longer emits both iface: N and ifindex: N for the same value. A short comment explains the dual-bit invariant from _bf_hookopts_iface_parse.
• src/libbpfilter/include/bpfilter/hook.h: moved BF_HOOKOPTS_IFACE to the slot just before _BF_HOOKOPTS_MAX, so BF_HOOKOPTS_IFINDEX / CGPATH / FAMILY / PRIORITIES keep their original bit positions.
• tests/e2e/cli/hookopts.sh: added trailing newline.