[PATCH nft 1/2] parser_bison: dismiss anonymous meters

[PATCH nft 1/2] parser_bison: dismiss anonymous meters

[Pablo Neira Ayuso]

The former 'flow table' syntax allows flow tables with no name:

 # nft add rule x y flow { ip saddr counter }

However, when listing, it leaks the name that it is autoallocating.

 # nft list ruleset
 table ip x {
        chain y {
                flow table __mt0 { ip saddr counter}
        }
 }

Which is odd since then restoring will use such a name.

Remove anonymous flow table/meters, so everyone needs to specify a name.

There is no way to fix this, given anonymous flag tells us that the set
behind this meter is bound to a rule, hence, released once the rule is
going - the term "anonymous" was not good choice as a flag in first
place. Only possibility is to strcmp for __ft to identify this is a
nameless meter, which is a hack.

Moreover, having no name means you cannot flush the set behind this
meter, which criples this feature for no reason.

On top of it, the wiki only documents named meters, and we have a record
of users complaining on this behaviour.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c     |  3 +--
 src/expression.c   | 10 +++-------
 src/parser_bison.y |  7 -------
 3 files changed, 4 insertions(+), 16 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index f30543f822e0..b0ce9f63e6c0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2042,8 +2042,7 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt)
 	if (key->timeout)
 		set->set_flags |= NFT_SET_TIMEOUT;
 
-	setref = implicit_set_declaration(ctx, stmt->meter.name ?: "__mt%d",
-					  key, set);
+	setref = implicit_set_declaration(ctx, stmt->meter.name, key, set);
 
 	stmt->meter.set = setref;
 
diff --git a/src/expression.c b/src/expression.c
index 273038e62d2e..dae475921476 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -930,14 +930,10 @@ struct expr *map_expr_alloc(const struct location *loc, struct expr *arg,
 
 static void set_ref_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
-	if (expr->set->flags & NFT_SET_ANONYMOUS) {
-		if (expr->set->flags & NFT_SET_EVAL)
-			nft_print(octx, "%s", expr->set->handle.set);
-		else
-			expr_print(expr->set->init, octx);
-	} else {
+	if (expr->set->flags & NFT_SET_ANONYMOUS)
+		expr_print(expr->set->init, octx);
+	else
 		nft_print(octx, "@%s", expr->set->handle.set);
-	}
 }
 
 static void set_ref_expr_clone(struct expr *new, const struct expr *expr)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 6610b9dccc3c..d2673173bd27 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2489,13 +2489,6 @@ meter_stmt		:	meter_stmt_alloc		meter_stmt_opts	'{' meter_key_expr stmt '}'
 				$$->location  = @$;
 				$$ = $1;
 			}
-			|	meter_stmt_alloc		'{' meter_key_expr stmt '}'
-			{
-				$1->meter.key  = $3;
-				$1->meter.stmt = $4;
-				$$->location  = @$;
-				$$ = $1;
-			}
 			;
 
 meter_stmt_alloc	:	FLOW
-- 
2.11.0

[PATCH nft 2/2] parser_bison: no need for 'name' token for meters

[Pablo Neira Ayuso]

Rework grammar to skip the 'name' token after 'meter' for named meters.
For consistency with sets and maps in terms of syntax.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y                                 | 36 +++++++++++++++-------
 tests/py/ip/flowtable.t                            |  2 +-
 tests/py/ip/flowtable.t.payload                    |  2 +-
 tests/py/ip6/flowtable.t                           |  4 +--
 tests/py/ip6/flowtable.t.payload                   |  4 +--
 .../testcases/sets/0022type_selective_flush_0      |  4 +--
 6 files changed, 33 insertions(+), 19 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index d2673173bd27..c7b9f71e3be4 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -557,8 +557,8 @@ int nft_lex(void *, void *, void *);
 %type <stmt>			set_stmt
 %destructor { stmt_free($$); }	set_stmt
 %type <val>			set_stmt_op
-%type <stmt>			meter_stmt meter_stmt_alloc
-%destructor { stmt_free($$); }	meter_stmt meter_stmt_alloc
+%type <stmt>			meter_stmt meter_stmt_alloc flow_stmt_legacy_alloc
+%destructor { stmt_free($$); }	meter_stmt meter_stmt_alloc flow_stmt_legacy_alloc
 
 %type <expr>			symbol_expr verdict_expr integer_expr variable_expr
 %destructor { expr_free($$); }	symbol_expr verdict_expr integer_expr variable_expr
@@ -2482,33 +2482,30 @@ set_stmt_op		:	ADD	{ $$ = NFT_DYNSET_OP_ADD; }
 			|	UPDATE	{ $$ = NFT_DYNSET_OP_UPDATE; }
 			;
 
-meter_stmt		:	meter_stmt_alloc		meter_stmt_opts	'{' meter_key_expr stmt '}'
+meter_stmt		:	flow_stmt_legacy_alloc		flow_stmt_opts	'{' meter_key_expr stmt '}'
 			{
 				$1->meter.key  = $4;
 				$1->meter.stmt = $5;
 				$$->location  = @$;
 				$$ = $1;
 			}
+			|	meter_stmt_alloc		{ $$ = $1; }
 			;
 
-meter_stmt_alloc	:	FLOW
-			{
-				$$ = meter_stmt_alloc(&@$);
-			}
-			|	METER
+flow_stmt_legacy_alloc	:	FLOW
 			{
 				$$ = meter_stmt_alloc(&@$);
 			}
 			;
 
-meter_stmt_opts		:	meter_stmt_opt
+flow_stmt_opts		:	flow_stmt_opt
 			{
 				$<stmt>$	= $<stmt>0;
 			}
-			|	meter_stmt_opts		meter_stmt_opt
+			|	flow_stmt_opts		flow_stmt_opt
 			;
 
-meter_stmt_opt		:	TABLE			identifier
+flow_stmt_opt		:	TABLE			identifier
 			{
 				$<stmt>0->meter.name = $2;
 			}
@@ -2518,6 +2515,23 @@ meter_stmt_opt		:	TABLE			identifier
 			}
 			;
 
+meter_stmt_alloc	:	METER	identifier		'{' meter_key_expr stmt '}'
+			{
+				$$ = meter_stmt_alloc(&@$);
+				$$->meter.name = $2;
+				$$->meter.key  = $4;
+				$$->meter.stmt = $5;
+				$$->location  = @$;
+			}
+			|	METER	'{' meter_key_expr stmt '}'
+			{
+				$$ = meter_stmt_alloc(&@$);
+				$$->meter.key  = $3;
+				$$->meter.stmt = $4;
+				$$->location  = @$;
+			}
+			;
+
 match_stmt		:	relational_expr
 			{
 				$$ = expr_stmt_alloc(&@$, $1);
diff --git a/tests/py/ip/flowtable.t b/tests/py/ip/flowtable.t
index 7eaf5731ea22..4427fab88eb8 100644
--- a/tests/py/ip/flowtable.t
+++ b/tests/py/ip/flowtable.t
@@ -2,4 +2,4 @@
 
 *ip;test-ip;input
 
-meter name xyz { ip saddr timeout 30s counter};ok
+meter xyz { ip saddr timeout 30s counter};ok
diff --git a/tests/py/ip/flowtable.t.payload b/tests/py/ip/flowtable.t.payload
index 4dbd03d01926..34a584994b64 100644
--- a/tests/py/ip/flowtable.t.payload
+++ b/tests/py/ip/flowtable.t.payload
@@ -1,4 +1,4 @@
-# meter name xyz { ip saddr timeout 30s counter}
+# meter xyz { ip saddr timeout 30s counter}
 xyz test-ip 31
 xyz test-ip 0
 ip test-ip input 
diff --git a/tests/py/ip6/flowtable.t b/tests/py/ip6/flowtable.t
index 7a53f31aa67e..5c048935d726 100644
--- a/tests/py/ip6/flowtable.t
+++ b/tests/py/ip6/flowtable.t
@@ -2,5 +2,5 @@
 
 *ip6;test-ip6;input
 
-meter name acct_out { meta iif . ip6 saddr timeout 600s counter };ok;meter name acct_out { iif . ip6 saddr timeout 10m counter}
-meter name acct_out { ip6 saddr . meta iif timeout 600s counter };ok;meter name acct_out { ip6 saddr . iif timeout 10m counter}
+meter acct_out { meta iif . ip6 saddr timeout 600s counter };ok;meter acct_out { iif . ip6 saddr timeout 10m counter}
+meter acct_out { ip6 saddr . meta iif timeout 600s counter };ok;meter acct_out { ip6 saddr . iif timeout 10m counter}
diff --git a/tests/py/ip6/flowtable.t.payload b/tests/py/ip6/flowtable.t.payload
index cf2de733ca42..a3f71b1304dc 100644
--- a/tests/py/ip6/flowtable.t.payload
+++ b/tests/py/ip6/flowtable.t.payload
@@ -1,4 +1,4 @@
-# meter name acct_out { meta iif . ip6 saddr timeout 600s counter }
+# meter acct_out { meta iif . ip6 saddr timeout 600s counter }
 acct_out test-ip6 31
 acct_out test-ip6 0
 ip6 test-ip6 input
@@ -6,7 +6,7 @@ ip6 test-ip6 input
   [ payload load 16b @ network header + 8 => reg 9 ]
   [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ]
 
-# meter name acct_out { ip6 saddr . meta iif timeout 600s counter }
+# meter acct_out { ip6 saddr . meta iif timeout 600s counter }
 acct_out test-ip6 31
 acct_out test-ip6 0
 ip6 test-ip6 input
diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0
index 87a4c7bc4393..659bf70c05bf 100755
--- a/tests/shell/testcases/sets/0022type_selective_flush_0
+++ b/tests/shell/testcases/sets/0022type_selective_flush_0
@@ -16,7 +16,7 @@ add table t
 add chain t c
 add set t s {type ipv4_addr;}
 add map t m {type ipv4_addr : inet_service;}
-add rule t c tcp dport 80 meter name f {ip saddr limit rate 10/second}
+add rule t c tcp dport 80 meter f {ip saddr limit rate 10/second}
 " >$tmpfile
 
 $NFT -f $tmpfile
@@ -26,7 +26,7 @@ $NFT -f $tmpfile
 declare -a cmds=(
 		"flush set t m" "flush set t f"
 		"flush map t s" "flush map t f"
-		"flush meter name t s" "flush meter name t m"
+		"flush meter t s" "flush meter t m"
 		)
 
 for i in "${cmds[@]}"
-- 
2.11.0

Re: [PATCH nft 1/2] parser_bison: dismiss anonymous meters

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> The former 'flow table' syntax allows flow tables with no name:
> 
>  # nft add rule x y flow { ip saddr counter }
> 
> However, when listing, it leaks the name that it is autoallocating.
> 
>  # nft list ruleset
>  table ip x {
>         chain y {
>                 flow table __mt0 { ip saddr counter}
>         }
>  }
> 
> Which is odd since then restoring will use such a name.

Right.

> Remove anonymous flow table/meters, so everyone needs to specify a name.

Acked-by: Florian Westphal <fw@strlen.de>

Re: [PATCH nft 2/2] parser_bison: no need for 'name' token for meters

[Pablo Neira Ayuso]

On Fri, Nov 24, 2017 at 02:29:00PM +0100, Pablo Neira Ayuso wrote:
> @@ -2518,6 +2515,23 @@ meter_stmt_opt		:	TABLE			identifier
>  			}
>  			;
>  
> +meter_stmt_alloc	:	METER	identifier		'{' meter_key_expr stmt '}'
> +			{
> +				$$ = meter_stmt_alloc(&@$);
> +				$$->meter.name = $2;
> +				$$->meter.key  = $4;
> +				$$->meter.stmt = $5;
> +				$$->location  = @$;
> +			}

I'm removing from here...

> +			|	METER	'{' meter_key_expr stmt '}'
> +			{
> +				$$ = meter_stmt_alloc(&@$);
> +				$$->meter.key  = $3;
> +				$$->meter.stmt = $4;
> +				$$->location  = @$;
> +			}

to there.

There's no point in nameless meters as we discussed, sorry, this just
slipped through.

Will be mangling this before pushing it out.