* [PATCH nft 00/12] move more keywords away from initial scope
@ 2021-03-11 13:23 Florian Westphal
2021-03-11 13:23 ` [PATCH nft 01/12] scanner: ct: move to own scope Florian Westphal
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
These patches move more keywords away from the initial flex scope.

Just like the preceding patches they follow the same pattern:

1. New scope is entered from flex when encountering a start token, e.g.
   "ip".
2. Scope is left from bison once a complete expression has been parsed.

Unlike the initial patches which only did this for a few expressions
this series also covers tokens that can appear in object context.
Florian Westphal (12):
scanner: ct: move to own scope
scanner: ip: move to own scope
scanner: ip6: move to own scope
scanner: add fib scope
scanner: add ether scope
scanner: arp: move to own scope
scanner: remove saddr/daddr from initial state
scanner: vlan: move to own scope
scanner: limit: move to own scope
scanner: quota: move to own scope
scanner: move until,over,used keywords away from init state
scanner: secmark: move to own scope
include/parser.h | 10 +++
src/parser_bison.y | 176 ++++++++++++++++++++++++---------------------
src/scanner.l | 122 ++++++++++++++++++-------------
3 files changed, 177 insertions(+), 131 deletions(-)
--
2.26.2
* [PATCH nft 01/12] scanner: ct: move to own scope
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This allows moving multiple ct specific keywords out of INITIAL scope.

Next few patches follow same pattern:

1. add a scope_close_XXX rule
2. add a SCANSTATE_XXX & make flex switch to it when
   encountering XXX keyword
3. make bison leave SCANSTATE_XXXX when it has seen the complete
   expression.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 43 ++++++++++++++++++++++---------------------
src/scanner.l | 37 ++++++++++++++++++++-----------------
3 files changed, 43 insertions(+), 38 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index fd5006d35c0d..be29f400c023 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -28,6 +28,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
+ PARSER_SC_CT,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
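Review bot: PARSER_SC_CT is inserted directly after PARSER_SC_BEGIN, and the scanner.l hunk of this patch declares %s SCANSTATE_CT in the matching position ahead of SCANSTATE_EXPR_HASH, but nothing in the header says the two lists have to stay in step. The scanner pushes SCANSTATE_CT while the parser pops PARSER_SC_CT, so if the two values are ever compared a later insertion in only one of the lists would pair the wrong states. A one-line comment above enum startcond_type stating that its order mirrors the %s declarations in src/scanner.l would document that.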
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 2a8ac215a284..2d2563c823ea 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -861,6 +861,7 @@ opt_newline : NEWLINE
| /* empty */
;
+close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
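Review bot: close_scope_ct pops the start condition only when the parser reduces this empty rule, so a syntax error anywhere between the CT token and the end of the enclosing rule leaves SCANSTATE_CT on the flex stack (%option stack is in use in scanner.l). If the grammar recovers from the error and keeps parsing, the following input is lexed with the ct keywords active. Please say in the commit message how the stack is unwound on error, or reset it at the recovery point. Minor: the commit message calls the rule scope_close_XXX while the code names it close_scope_ct.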
@@ -1038,15 +1039,15 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, &@$, $3);
}
- | CT HELPER obj_spec ct_obj_alloc '{' ct_helper_block '}'
+ | CT HELPER obj_spec ct_obj_alloc '{' ct_helper_block '}' close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_HELPER, &$3, &@$, $4);
}
- | CT TIMEOUT obj_spec ct_obj_alloc '{' ct_timeout_block '}'
+ | CT TIMEOUT obj_spec ct_obj_alloc '{' ct_timeout_block '}' close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_TIMEOUT, &$3, &@$, $4);
}
- | CT EXPECTATION obj_spec ct_obj_alloc '{' ct_expect_block '}'
+ | CT EXPECTATION obj_spec ct_obj_alloc '{' ct_expect_block '}' close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
}
@@ -1147,15 +1148,15 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_QUOTA, &$2, &@$, $3);
}
- | CT HELPER obj_spec ct_obj_alloc '{' ct_helper_block '}'
+ | CT HELPER obj_spec ct_obj_alloc '{' ct_helper_block '}' close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_HELPER, &$3, &@$, $4);
}
- | CT TIMEOUT obj_spec ct_obj_alloc '{' ct_timeout_block '}'
+ | CT TIMEOUT obj_spec ct_obj_alloc '{' ct_timeout_block '}' close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_TIMEOUT, &$3, &@$, $4);
}
- | CT EXPECTATION obj_spec ct_obj_alloc '{' ct_expect_block '}'
+ | CT EXPECTATION obj_spec ct_obj_alloc '{' ct_expect_block '}' close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
}
@@ -1242,7 +1243,7 @@ delete_cmd : TABLE table_or_id_spec
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
- | CT ct_obj_type obj_spec ct_obj_alloc
+ | CT ct_obj_type obj_spec ct_obj_alloc close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_DELETE, $2, &$3, &@$, $4);
}
@@ -1390,11 +1391,11 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_MAP, &$2, &@$, NULL);
}
- | CT ct_obj_type obj_spec
+ | CT ct_obj_type obj_spec close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_LIST, $2, &$3, &@$, NULL);
}
- | CT ct_cmd_type TABLE table_spec
+ | CT ct_cmd_type TABLE table_spec close_scope_ct
{
$$ = cmd_alloc(CMD_LIST, $2, &$4, &@$, NULL);
}
@@ -1631,7 +1632,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
list_add_tail(&$4->list, &$1->objs);
$$ = $1;
}
- | table_block CT HELPER obj_identifier obj_block_alloc '{' ct_helper_block '}' stmt_separator
+ | table_block CT HELPER obj_identifier obj_block_alloc '{' ct_helper_block '}' close_scope_ct stmt_separator
{
$5->location = @4;
$5->type = NFT_OBJECT_CT_HELPER;
@@ -1640,7 +1641,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
list_add_tail(&$5->list, &$1->objs);
$$ = $1;
}
- | table_block CT TIMEOUT obj_identifier obj_block_alloc '{' ct_timeout_block '}' stmt_separator
+ | table_block CT TIMEOUT obj_identifier obj_block_alloc '{' ct_timeout_block '}' close_scope_ct stmt_separator
{
$5->location = @4;
$5->type = NFT_OBJECT_CT_TIMEOUT;
@@ -1649,7 +1650,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
list_add_tail(&$5->list, &$1->objs);
$$ = $1;
}
- | table_block CT EXPECTATION obj_identifier obj_block_alloc '{' ct_expect_block '}' stmt_separator
+ | table_block CT EXPECTATION obj_identifier obj_block_alloc '{' ct_expect_block '}' close_scope_ct stmt_separator
{
$5->location = @4;
$5->type = NFT_OBJECT_CT_EXPECT;
@@ -2756,12 +2757,12 @@ verdict_map_list_member_expr: opt_newline set_elem_expr COLON verdict_expr opt_n
}
;
-connlimit_stmt : CT COUNT NUM
+connlimit_stmt : CT COUNT NUM close_scope_ct
{
$$ = connlimit_stmt_alloc(&@$);
$$->connlimit.count = $3;
}
- | CT COUNT OVER NUM
+ | CT COUNT OVER NUM close_scope_ct
{
$$ = connlimit_stmt_alloc(&@$);
$$->connlimit.count = $4;
@@ -4925,15 +4926,15 @@ rt_key : CLASSID { $$ = NFT_RT_CLASSID; }
| IPSEC close_scope_ipsec { $$ = NFT_RT_XFRM; }
;
-ct_expr : CT ct_key
+ct_expr : CT ct_key close_scope_ct
{
$$ = ct_expr_alloc(&@$, $2, -1);
}
- | CT ct_dir ct_key_dir
+ | CT ct_dir ct_key_dir close_scope_ct
{
$$ = ct_expr_alloc(&@$, $3, $2);
}
- | CT ct_dir ct_key_proto_field
+ | CT ct_dir ct_key_proto_field close_scope_ct
{
$$ = ct_expr_alloc(&@$, $3, $2);
}
@@ -5001,7 +5002,7 @@ list_stmt_expr : symbol_stmt_expr COMMA symbol_stmt_expr
}
;
-ct_stmt : CT ct_key SET stmt_expr
+ct_stmt : CT ct_key SET stmt_expr close_scope_ct
{
switch ($2) {
case NFT_CT_HELPER:
@@ -5014,20 +5015,20 @@ ct_stmt : CT ct_key SET stmt_expr
break;
}
}
- | CT TIMEOUT SET stmt_expr
+ | CT TIMEOUT SET stmt_expr close_scope_ct
{
$$ = objref_stmt_alloc(&@$);
$$->objref.type = NFT_OBJECT_CT_TIMEOUT;
$$->objref.expr = $4;
}
- | CT EXPECTATION SET stmt_expr
+ | CT EXPECTATION SET stmt_expr close_scope_ct
{
$$ = objref_stmt_alloc(&@$);
$$->objref.type = NFT_OBJECT_CT_EXPECT;
$$->objref.expr = $4;
}
- | CT ct_dir ct_key_dir_optional SET stmt_expr
+ | CT ct_dir ct_key_dir_optional SET stmt_expr close_scope_ct
{
$$ = ct_stmt_alloc(&@$, $3, $2, $5);
}
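Review bot: in the ct_stmt alternatives close_scope_ct follows stmt_expr, and bison can reduce it only after deciding that stmt_expr is complete, which may require reading one lookahead token first. That token is then scanned with SCANSTATE_CT still on top of the stack. This is harmless while the condition is inclusive (%s in scanner.l) and the next token is not one of the words moved into the ct block, but it deserves a comment next to the close_scope rules and a test where a ct statement is followed directly by input that uses one of those words.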
diff --git a/src/scanner.l b/src/scanner.l
index 6a909e928bf4..1358f9d01d6a 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -196,6 +196,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option nodefault
%option warn
%option stack
+%s SCANSTATE_CT
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
@@ -337,7 +338,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"name" { return NAME; }
"packets" { return PACKETS; }
"bytes" { return BYTES; }
-"avgpkt" { return AVGPKT; }
"counters" { return COUNTERS; }
"quotas" { return QUOTAS; }
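Review bot: the "avgpkt" removal in this hunk is not mentioned in the commit message, and the rule sits among the counter keywords (packets, bytes, counters) rather than in the ct section. The later hunk re-adds it inside <SCANSTATE_CT>, so it lexes as AVGPKT only after a ct token. Please confirm that no grammar rule expects AVGPKT outside a CT-prefixed rule and add a line about it to the commit message.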
@@ -544,22 +544,25 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"nexthop" { return NEXTHOP; }
}
-"ct" { return CT; }
-"l3proto" { return L3PROTOCOL; }
-"proto-src" { return PROTO_SRC; }
-"proto-dst" { return PROTO_DST; }
-"zone" { return ZONE; }
-"original" { return ORIGINAL; }
-"reply" { return REPLY; }
-"direction" { return DIRECTION; }
-"event" { return EVENT; }
-"expectation" { return EXPECTATION; }
-"expiration" { return EXPIRATION; }
-"helper" { return HELPER; }
-"helpers" { return HELPERS; }
-"label" { return LABEL; }
-"state" { return STATE; }
-"status" { return STATUS; }
+"ct" { scanner_push_start_cond(yyscanner, SCANSTATE_CT); return CT; }
+<SCANSTATE_CT>{
+ "avgpkt" { return AVGPKT; }
+ "l3proto" { return L3PROTOCOL; }
+ "proto-src" { return PROTO_SRC; }
+ "proto-dst" { return PROTO_DST; }
+ "zone" { return ZONE; }
+ "original" { return ORIGINAL; }
+ "reply" { return REPLY; }
+ "direction" { return DIRECTION; }
+ "event" { return EVENT; }
+ "expectation" { return EXPECTATION; }
+ "expiration" { return EXPIRATION; }
+ "helper" { return HELPER; }
+ "helpers" { return HELPERS; }
+ "label" { return LABEL; }
+ "state" { return STATE; }
+ "status" { return STATUS; }
+}
"numgen" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }
<SCANSTATE_EXPR_NUMGEN>{
--
2.26.2
* [PATCH nft 02/12] scanner: ip: move to own scope
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Move the ip option names (rr, lsrr, ...) out of INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 23 ++++++++++++-----------
src/scanner.l | 17 ++++++++++-------
3 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index be29f400c023..a778cb59c2c9 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -29,6 +29,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
PARSER_SC_CT,
+ PARSER_SC_IP,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 2d2563c823ea..ba15366cb3db 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -863,6 +863,7 @@ opt_newline : NEWLINE
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
@@ -2424,7 +2425,7 @@ family_spec : /* empty */ { $$ = NFPROTO_IPV4; }
| family_spec_explicit
;
-family_spec_explicit : IP { $$ = NFPROTO_IPV4; }
+family_spec_explicit : IP close_scope_ip { $$ = NFPROTO_IPV4; }
| IP6 { $$ = NFPROTO_IPV6; }
| INET { $$ = NFPROTO_INET; }
| ARP { $$ = NFPROTO_ARP; }
@@ -3004,7 +3005,7 @@ log_flags : TCP log_flags_tcp
{
$$ = $2;
}
- | IP OPTIONS
+ | IP OPTIONS close_scope_ip
{
$$ = NF_LOG_IPOPT;
}
@@ -4537,7 +4538,7 @@ boolean_expr : boolean_keys
;
keyword_expr : ETHER { $$ = symbol_value(&@$, "ether"); }
- | IP { $$ = symbol_value(&@$, "ip"); }
+ | IP close_scope_ip { $$ = symbol_value(&@$, "ip"); }
| IP6 { $$ = symbol_value(&@$, "ip6"); }
| VLAN { $$ = symbol_value(&@$, "vlan"); }
| ARP { $$ = symbol_value(&@$, "arp"); }
@@ -4892,7 +4893,7 @@ hash_expr : JHASH expr MOD NUM SEED NUM offset_opt close_scope_hash
}
;
-nf_key_proto : IP { $$ = NFPROTO_IPV4; }
+nf_key_proto : IP close_scope_ip { $$ = NFPROTO_IPV4; }
| IP6 { $$ = NFPROTO_IPV6; }
;
@@ -4972,8 +4973,8 @@ ct_key_dir : SADDR { $$ = NFT_CT_SRC; }
| ct_key_dir_optional
;
-ct_key_proto_field : IP SADDR { $$ = NFT_CT_SRC_IP; }
- | IP DADDR { $$ = NFT_CT_DST_IP; }
+ct_key_proto_field : IP SADDR close_scope_ip { $$ = NFT_CT_SRC_IP; }
+ | IP DADDR close_scope_ip { $$ = NFT_CT_DST_IP; }
| IP6 SADDR { $$ = NFT_CT_SRC_IP6; }
| IP6 DADDR { $$ = NFT_CT_DST_IP6; }
;
@@ -5113,19 +5114,19 @@ arp_hdr_field : HTYPE { $$ = ARPHDR_HRD; }
| OPERATION { $$ = ARPHDR_OP; }
| SADDR ETHER { $$ = ARPHDR_SADDR_ETHER; }
| DADDR ETHER { $$ = ARPHDR_DADDR_ETHER; }
- | SADDR IP { $$ = ARPHDR_SADDR_IP; }
- | DADDR IP { $$ = ARPHDR_DADDR_IP; }
+ | SADDR IP close_scope_ip { $$ = ARPHDR_SADDR_IP; }
+ | DADDR IP close_scope_ip { $$ = ARPHDR_DADDR_IP; }
;
-ip_hdr_expr : IP ip_hdr_field
+ip_hdr_expr : IP ip_hdr_field close_scope_ip
{
$$ = payload_expr_alloc(&@$, &proto_ip, $2);
}
- | IP OPTION ip_option_type ip_option_field
+ | IP OPTION ip_option_type ip_option_field close_scope_ip
{
$$ = ipopt_expr_alloc(&@$, $3, $4, 0);
}
- | IP OPTION ip_option_type
+ | IP OPTION ip_option_type close_scope_ip
{
$$ = ipopt_expr_alloc(&@$, $3, IPOPT_FIELD_TYPE, 0);
$$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
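Review bot: with "ip" now pushing SCANSTATE_IP unconditionally in scanner.l, every grammar rule that consumes the IP token has to end in close_scope_ip, and the arp_hdr_field and ip_hdr_expr lines here are two of the seven rules this patch converts by hand. A rule that was missed would leave the state pushed with no diagnostic. A check that the start-condition stack is back at its initial depth once a command has been parsed, or a note in the commit message on how the IP users were enumerated, would make this auditable.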
diff --git a/src/scanner.l b/src/scanner.l
index 1358f9d01d6a..262945064e80 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option warn
%option stack
%s SCANSTATE_CT
+%s SCANSTATE_IP
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
@@ -408,7 +409,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"plen" { return PLEN; }
"operation" { return OPERATION; }
-"ip" { return IP; }
+"ip" { scanner_push_start_cond(yyscanner, SCANSTATE_IP); return IP; }
"version" { return HDRVERSION; }
"hdrlength" { return HDRLENGTH; }
"dscp" { return DSCP; }
@@ -419,13 +420,15 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"protocol" { return PROTOCOL; }
"checksum" { return CHECKSUM; }
-"lsrr" { return LSRR; }
-"rr" { return RR; }
-"ssrr" { return SSRR; }
-"ra" { return RA; }
+<SCANSTATE_IP>{
+ "lsrr" { return LSRR; }
+ "rr" { return RR; }
+ "ssrr" { return SSRR; }
+ "ra" { return RA; }
-"value" { return VALUE; }
-"ptr" { return PTR; }
+ "ptr" { return PTR; }
+ "value" { return VALUE; }
+}
"echo" { return ECHO; }
"eol" { return EOL; }
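Review bot: "value" and "ptr" are moved into <SCANSTATE_IP> and swapped in order, but the commit message only talks about the ip option names (rr, lsrr, ...). Please state that VALUE and PTR have no users outside an IP-prefixed rule, and keep the original order so that the hunk shows only the scoping change.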
--
2.26.2
* [PATCH nft 03/12] scanner: ip6: move to own scope
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Move flowlabel and hoplimit.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 21 +++++++++++----------
src/scanner.l | 9 ++++++---
3 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index a778cb59c2c9..586a984875c4 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -30,6 +30,7 @@ enum startcond_type {
PARSER_SC_BEGIN,
PARSER_SC_CT,
PARSER_SC_IP,
+ PARSER_SC_IP6,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ba15366cb3db..9ef2602e22bd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -864,6 +864,7 @@ opt_newline : NEWLINE
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
+close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
@@ -2426,11 +2427,11 @@ family_spec : /* empty */ { $$ = NFPROTO_IPV4; }
;
family_spec_explicit : IP close_scope_ip { $$ = NFPROTO_IPV4; }
- | IP6 { $$ = NFPROTO_IPV6; }
- | INET { $$ = NFPROTO_INET; }
- | ARP { $$ = NFPROTO_ARP; }
- | BRIDGE { $$ = NFPROTO_BRIDGE; }
- | NETDEV { $$ = NFPROTO_NETDEV; }
+ | IP6 close_scope_ip6 { $$ = NFPROTO_IPV6; }
+ | INET { $$ = NFPROTO_INET; }
+ | ARP { $$ = NFPROTO_ARP; }
+ | BRIDGE { $$ = NFPROTO_BRIDGE; }
+ | NETDEV { $$ = NFPROTO_NETDEV; }
;
table_spec : family_spec identifier
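Review bot: the INET, ARP, BRIDGE and NETDEV lines of family_spec_explicit are removed and re-added with identical tokens and actions, so only their alignment changes. That hides the single functional change in this hunk (IP6 close_scope_ip6), and patch 06 touches the ARP line again. Consider leaving those four lines alone or doing the realignment in a separate cleanup.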
@@ -4539,7 +4540,7 @@ boolean_expr : boolean_keys
keyword_expr : ETHER { $$ = symbol_value(&@$, "ether"); }
| IP close_scope_ip { $$ = symbol_value(&@$, "ip"); }
- | IP6 { $$ = symbol_value(&@$, "ip6"); }
+ | IP6 close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
| VLAN { $$ = symbol_value(&@$, "vlan"); }
| ARP { $$ = symbol_value(&@$, "arp"); }
| DNAT { $$ = symbol_value(&@$, "dnat"); }
@@ -4894,7 +4895,7 @@ hash_expr : JHASH expr MOD NUM SEED NUM offset_opt close_scope_hash
;
nf_key_proto : IP close_scope_ip { $$ = NFPROTO_IPV4; }
- | IP6 { $$ = NFPROTO_IPV6; }
+ | IP6 close_scope_ip6 { $$ = NFPROTO_IPV6; }
;
rt_expr : RT rt_key close_scope_rt
@@ -4975,8 +4976,8 @@ ct_key_dir : SADDR { $$ = NFT_CT_SRC; }
ct_key_proto_field : IP SADDR close_scope_ip { $$ = NFT_CT_SRC_IP; }
| IP DADDR close_scope_ip { $$ = NFT_CT_DST_IP; }
- | IP6 SADDR { $$ = NFT_CT_SRC_IP6; }
- | IP6 DADDR { $$ = NFT_CT_DST_IP6; }
+ | IP6 SADDR close_scope_ip6 { $$ = NFT_CT_SRC_IP6; }
+ | IP6 DADDR close_scope_ip6 { $$ = NFT_CT_DST_IP6; }
;
ct_key_dir_optional : BYTES { $$ = NFT_CT_BYTES; }
@@ -5187,7 +5188,7 @@ igmp_hdr_field : TYPE { $$ = IGMPHDR_TYPE; }
| GROUP { $$ = IGMPHDR_GROUP; }
;
-ip6_hdr_expr : IP6 ip6_hdr_field
+ip6_hdr_expr : IP6 ip6_hdr_field close_scope_ip6
{
$$ = payload_expr_alloc(&@$, &proto_ip6, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index 262945064e80..15d1beca601d 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -198,6 +198,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option stack
%s SCANSTATE_CT
%s SCANSTATE_IP
+%s SCANSTATE_IP6
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
@@ -462,11 +463,13 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"igmp" { return IGMP; }
"mrt" { return MRT; }
-"ip6" { return IP6; }
+"ip6" { scanner_push_start_cond(yyscanner, SCANSTATE_IP6); return IP6; }
"priority" { return PRIORITY; }
-"flowlabel" { return FLOWLABEL; }
+<SCANSTATE_IP6>{
+ "flowlabel" { return FLOWLABEL; }
+ "hoplimit" { return HOPLIMIT; }
+}
"nexthdr" { return NEXTHDR; }
-"hoplimit" { return HOPLIMIT; }
"icmpv6" { return ICMP6; }
"param-problem" { return PPTR; }
--
2.26.2
* [PATCH nft 04/12] scanner: add fib scope
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Makes no sense as-is because all keywords need to stay
in the INITIAL scope.
This can be changed after all saddr/daddr users have been scoped.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 3 ++-
src/scanner.l | 3 ++-
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 586a984875c4..e338713dad32 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -31,6 +31,7 @@ enum startcond_type {
PARSER_SC_CT,
PARSER_SC_IP,
PARSER_SC_IP6,
+ PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
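Review bot: PARSER_SC_EXPR_FIB takes the EXPR_ prefix while the states added in patches 01 to 03 (PARSER_SC_CT, PARSER_SC_IP, PARSER_SC_IP6) do not, and the header does not explain the difference. The cover letter suggests the unprefixed names are for tokens that can also appear in object context. A short comment above the enum saying so would tell the next contributor which form to pick.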
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 9ef2602e22bd..74ab69dd8820 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ opt_newline : NEWLINE
;
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
+close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
@@ -3873,7 +3874,7 @@ primary_expr : symbol_expr { $$ = $1; }
| '(' basic_expr ')' { $$ = $2; }
;
-fib_expr : FIB fib_tuple fib_result
+fib_expr : FIB fib_tuple fib_result close_scope_fib
{
if (($2 & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) == 0) {
erec_queue(error(&@2, "fib: need either saddr or daddr"), state->msgs);
diff --git a/src/scanner.l b/src/scanner.l
index 15d1beca601d..c78f34b625c2 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -199,6 +199,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_CT
%s SCANSTATE_IP
%s SCANSTATE_IP6
+%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
@@ -588,7 +589,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"dup" { return DUP; }
"fwd" { return FWD; }
-"fib" { return FIB; }
+"fib" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_FIB); return FIB; }
"osf" { return OSF; }
--
2.26.2
* [PATCH nft 05/12] scanner: add ether scope
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Just like previous change: useless as-is, but prepares
for removal of saddr/daddr from INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 11 ++++++-----
src/scanner.l | 3 ++-
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index e338713dad32..cdc5fd094af5 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -29,6 +29,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
PARSER_SC_CT,
+ PARSER_SC_ETH,
PARSER_SC_IP,
PARSER_SC_IP6,
PARSER_SC_EXPR_FIB,
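Review bot: PARSER_SC_ETH, together with SCANSTATE_ETH and close_scope_eth further down, abbreviates the keyword, while the token is ETHER and the other scopes in this series are named after the full keyword (ct, ip, ip6, arp, vlan). Naming it PARSER_SC_ETHER would keep the start token, the state and the close rule greppable with one string.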
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 74ab69dd8820..9cfa336643e5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ opt_newline : NEWLINE
;
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
+close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
@@ -3015,7 +3016,7 @@ log_flags : TCP log_flags_tcp
{
$$ = NF_LOG_UID;
}
- | ETHER
+ | ETHER close_scope_eth
{
$$ = NF_LOG_MACDECODE;
}
@@ -4539,7 +4540,7 @@ boolean_expr : boolean_keys
}
;
-keyword_expr : ETHER { $$ = symbol_value(&@$, "ether"); }
+keyword_expr : ETHER close_scope_eth { $$ = symbol_value(&@$, "ether"); }
| IP close_scope_ip { $$ = symbol_value(&@$, "ip"); }
| IP6 close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
| VLAN { $$ = symbol_value(&@$, "vlan"); }
@@ -5080,7 +5081,7 @@ payload_base_spec : LL_HDR { $$ = PROTO_BASE_LL_HDR; }
| TRANSPORT_HDR { $$ = PROTO_BASE_TRANSPORT_HDR; }
;
-eth_hdr_expr : ETHER eth_hdr_field
+eth_hdr_expr : ETHER eth_hdr_field close_scope_eth
{
$$ = payload_expr_alloc(&@$, &proto_eth, $2);
}
@@ -5114,8 +5115,8 @@ arp_hdr_field : HTYPE { $$ = ARPHDR_HRD; }
| HLEN { $$ = ARPHDR_HLN; }
| PLEN { $$ = ARPHDR_PLN; }
| OPERATION { $$ = ARPHDR_OP; }
- | SADDR ETHER { $$ = ARPHDR_SADDR_ETHER; }
- | DADDR ETHER { $$ = ARPHDR_DADDR_ETHER; }
+ | SADDR ETHER close_scope_eth { $$ = ARPHDR_SADDR_ETHER; }
+ | DADDR ETHER close_scope_eth { $$ = ARPHDR_DADDR_ETHER; }
| SADDR IP close_scope_ip { $$ = ARPHDR_SADDR_IP; }
| DADDR IP close_scope_ip { $$ = ARPHDR_DADDR_IP; }
;
diff --git a/src/scanner.l b/src/scanner.l
index c78f34b625c2..b1b03b951263 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option warn
%option stack
%s SCANSTATE_CT
+%s SCANSTATE_ETH
%s SCANSTATE_IP
%s SCANSTATE_IP6
%s SCANSTATE_EXPR_FIB
@@ -393,7 +394,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"bridge" { return BRIDGE; }
-"ether" { return ETHER; }
+"ether" { scanner_push_start_cond(yyscanner, SCANSTATE_ETH); return ETHER; }
"saddr" { return SADDR; }
"daddr" { return DADDR; }
"type" { return TYPE; }
--
2.26.2
* [PATCH nft 06/12] scanner: arp: move to own scope
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Allows moving the arp-specific tokens out of the INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 7 ++++---
src/scanner.l | 15 +++++++++------
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index cdc5fd094af5..38039677cd1d 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -28,6 +28,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
+ PARSER_SC_ARP,
PARSER_SC_CT,
PARSER_SC_ETH,
PARSER_SC_IP,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 9cfa336643e5..a22f61c4c99b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -861,6 +861,7 @@ opt_newline : NEWLINE
| /* empty */
;
+close_scope_arp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ARP); };
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
@@ -2431,7 +2432,7 @@ family_spec : /* empty */ { $$ = NFPROTO_IPV4; }
family_spec_explicit : IP close_scope_ip { $$ = NFPROTO_IPV4; }
| IP6 close_scope_ip6 { $$ = NFPROTO_IPV6; }
| INET { $$ = NFPROTO_INET; }
- | ARP { $$ = NFPROTO_ARP; }
+ | ARP close_scope_arp { $$ = NFPROTO_ARP; }
| BRIDGE { $$ = NFPROTO_BRIDGE; }
| NETDEV { $$ = NFPROTO_NETDEV; }
;
@@ -4544,7 +4545,7 @@ keyword_expr : ETHER close_scope_eth { $$ = symbol_value(&@$, "ether"); }
| IP close_scope_ip { $$ = symbol_value(&@$, "ip"); }
| IP6 close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
| VLAN { $$ = symbol_value(&@$, "vlan"); }
- | ARP { $$ = symbol_value(&@$, "arp"); }
+ | ARP close_scope_arp { $$ = symbol_value(&@$, "arp"); }
| DNAT { $$ = symbol_value(&@$, "dnat"); }
| SNAT { $$ = symbol_value(&@$, "snat"); }
| ECN { $$ = symbol_value(&@$, "ecn"); }
@@ -5104,7 +5105,7 @@ vlan_hdr_field : ID { $$ = VLANHDR_VID; }
| TYPE { $$ = VLANHDR_TYPE; }
;
-arp_hdr_expr : ARP arp_hdr_field
+arp_hdr_expr : ARP arp_hdr_field close_scope_arp
{
$$ = payload_expr_alloc(&@$, &proto_arp, $2);
}
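Review bot: arp_hdr_expr now closes the arp scope after arp_hdr_field, whose SADDR ETHER and SADDR IP alternatives push and pop their own scope in between, so the stack is two deep inside this rule. close_scope_arp passes PARSER_SC_ARP to scanner_pop_start_cond(); if that function does not already compare the argument with the state it pops, adding that check would catch a mismatched close rule in nested cases like this one.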
diff --git a/src/scanner.l b/src/scanner.l
index b1b03b951263..509b1b0d77a2 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -196,6 +196,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option nodefault
%option warn
%option stack
+%s SCANSTATE_ARP
%s SCANSTATE_CT
%s SCANSTATE_ETH
%s SCANSTATE_IP
@@ -405,12 +406,14 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"cfi" { return CFI; }
"pcp" { return PCP; }
-"arp" { return ARP; }
-"htype" { return HTYPE; }
-"ptype" { return PTYPE; }
-"hlen" { return HLEN; }
-"plen" { return PLEN; }
-"operation" { return OPERATION; }
+"arp" { scanner_push_start_cond(yyscanner, SCANSTATE_ARP); return ARP; }
+<SCANSTATE_ARP>{
+ "htype" { return HTYPE; }
+ "ptype" { return PTYPE; }
+ "hlen" { return HLEN; }
+ "plen" { return PLEN; }
+ "operation" { return OPERATION; }
+}
"ip" { scanner_push_start_cond(yyscanner, SCANSTATE_IP); return IP; }
"version" { return HDRVERSION; }
--
2.26.2
* [PATCH nft 07/12] scanner: remove saddr/daddr from initial state
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This can now be reduced to expressions that can expect saddr/daddr tokens.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/scanner.l | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/scanner.l b/src/scanner.l
index 509b1b0d77a2..728b2c79b395 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -396,8 +396,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"bridge" { return BRIDGE; }
"ether" { scanner_push_start_cond(yyscanner, SCANSTATE_ETH); return ETHER; }
-"saddr" { return SADDR; }
-"daddr" { return DADDR; }
+<SCANSTATE_ARP,SCANSTATE_CT,SCANSTATE_ETH,SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_EXPR_FIB,SCANSTATE_EXPR_IPSEC>{
+ "saddr" { return SADDR; }
+ "daddr" { return DADDR; }
+}
"type" { return TYPE; }
"typeof" { return TYPEOF; }
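Review bot: the start-condition list on the new <SCANSTATE_ARP,...,SCANSTATE_EXPR_IPSEC> block is maintained by hand, so "saddr" and "daddr" stop being keywords in any context that is not listed. Please confirm that every grammar rule using SADDR or DADDR is reached through one of these seven start tokens, and note in the commit message that a new expression taking saddr/daddr must add its scope here.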
--
2.26.2
* [PATCH nft 08/12] scanner: vlan: move to own scope
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
ID needs to remain exposed as it's used by ct, icmp, icmp6 and so on.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 5 +++--
src/scanner.l | 9 ++++++---
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 38039677cd1d..889f9418a864 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -33,6 +33,7 @@ enum startcond_type {
PARSER_SC_ETH,
PARSER_SC_IP,
PARSER_SC_IP6,
+ PARSER_SC_VLAN,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
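Review bot: PARSER_SC_VLAN is inserted between PARSER_SC_IP6 and PARSER_SC_EXPR_FIB, and the scanner.l hunk later in this patch adds SCANSTATE_VLAN at the matching position; the scanner pushes SCANSTATE_VLAN while the grammar pops PARSER_SC_VLAN, so the two names have to resolve to the same value. If that coupling is by position, it deserves a comment on the enum (or a build-time check) so that an insertion into only one of the two lists is caught.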
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a22f61c4c99b..a6ce506bf5b5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -868,6 +868,7 @@ close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); }
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
+close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
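Review bot: close_scope_vlan is placed between close_scope_ip6 and close_scope_ipsec, which breaks the alphabetical order the neighbouring rules (hash, ip, ip6, ipsec, numgen, queue) follow. Moving it to its sorted position keeps the list easy to scan as more scopes are added.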
@@ -4544,7 +4545,7 @@ boolean_expr : boolean_keys
keyword_expr : ETHER close_scope_eth { $$ = symbol_value(&@$, "ether"); }
| IP close_scope_ip { $$ = symbol_value(&@$, "ip"); }
| IP6 close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
- | VLAN { $$ = symbol_value(&@$, "vlan"); }
+ | VLAN close_scope_vlan { $$ = symbol_value(&@$, "vlan"); }
| ARP close_scope_arp { $$ = symbol_value(&@$, "arp"); }
| DNAT { $$ = symbol_value(&@$, "dnat"); }
| SNAT { $$ = symbol_value(&@$, "snat"); }
@@ -5093,7 +5094,7 @@ eth_hdr_field : SADDR { $$ = ETHHDR_SADDR; }
| TYPE { $$ = ETHHDR_TYPE; }
;
-vlan_hdr_expr : VLAN vlan_hdr_field
+vlan_hdr_expr : VLAN vlan_hdr_field close_scope_vlan
{
$$ = payload_expr_alloc(&@$, &proto_vlan, $2);
}
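Review bot: With the scanner now pushing SCANSTATE_VLAN on every "vlan" keyword, each production that consumes VLAN has to pop it, and this patch adds close_scope_vlan to exactly two: keyword_expr and vlan_hdr_expr here. Please confirm in the commit message that no other rule accepts the VLAN token, since a missed one would leave the condition on the stack for the rest of the input. The $2 in the action is unaffected because the new symbol is appended after vlan_hdr_field.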
diff --git a/src/scanner.l b/src/scanner.l
index 728b2c79b395..b664a794184f 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -201,6 +201,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_ETH
%s SCANSTATE_IP
%s SCANSTATE_IP6
+%s SCANSTATE_VLAN
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
@@ -403,10 +404,12 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"type" { return TYPE; }
"typeof" { return TYPEOF; }
-"vlan" { return VLAN; }
+"vlan" { scanner_push_start_cond(yyscanner, SCANSTATE_VLAN); return VLAN; }
"id" { return ID; }
-"cfi" { return CFI; }
-"pcp" { return PCP; }
+<SCANSTATE_VLAN>{
+ "cfi" { return CFI; }
+ "pcp" { return PCP; }
+}
"arp" { scanner_push_start_cond(yyscanner, SCANSTATE_ARP); return ARP; }
<SCANSTATE_ARP>{
--
2.26.2
* [PATCH nft 09/12] scanner: limit: move to own scope
2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
` (7 preceding siblings ...)
2021-03-11 13:23 ` [PATCH nft 08/12] scanner: vlan: move to own scope Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
2021-03-11 13:23 ` [PATCH nft 10/12] scanner: quota: " Florian Westphal
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Moves rate and burst out of INITIAL.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 25 +++++++++++++------------
src/scanner.l | 9 ++++++---
3 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 889f9418a864..a5ea208ecfc8 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -33,6 +33,7 @@ enum startcond_type {
PARSER_SC_ETH,
PARSER_SC_IP,
PARSER_SC_IP6,
+ PARSER_SC_LIMIT,
PARSER_SC_VLAN,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a6ce506bf5b5..67afc32a547f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -870,6 +870,7 @@ close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
+close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
@@ -1057,11 +1058,11 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
}
- | LIMIT obj_spec limit_obj limit_config
+ | LIMIT obj_spec limit_obj limit_config close_scope_limit
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
- | LIMIT obj_spec limit_obj '{' limit_block '}'
+ | LIMIT obj_spec limit_obj '{' limit_block '}' close_scope_limit
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
@@ -1166,7 +1167,7 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
}
- | LIMIT obj_spec limit_obj limit_config
+ | LIMIT obj_spec limit_obj limit_config close_scope_limit
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
@@ -1253,7 +1254,7 @@ delete_cmd : TABLE table_or_id_spec
{
$$ = cmd_alloc_obj_ct(CMD_DELETE, $2, &$3, &@$, $4);
}
- | LIMIT obj_or_id_spec
+ | LIMIT obj_or_id_spec close_scope_limit
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_LIMIT, &$2, &@$, NULL);
}
@@ -1333,7 +1334,7 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMITS, &$3, &@$, NULL);
}
- | LIMIT obj_spec
+ | LIMIT obj_spec close_scope_limit
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMIT, &$2, &@$, NULL);
}
@@ -1667,7 +1668,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block LIMIT obj_identifier
obj_block_alloc '{' limit_block '}'
- stmt_separator
+ stmt_separator close_scope_limit
{
$4->location = @3;
$4->type = NFT_OBJECT_LIMIT;
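Review bot: In this table_block rule close_scope_limit comes after stmt_separator, so the separator is scanned while SCANSTATE_LIMIT is still on the stack, whereas the add_cmd block form pops directly after the closing brace ('{' limit_block '}' close_scope_limit). Placing the pop before stmt_separator would make the two block forms consistent and does not disturb the $4 and @3 references in the action. If the later position is deliberate, a short comment saying why would help.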
@@ -1880,7 +1881,7 @@ map_block_alloc : /* empty */
map_block_obj_type : COUNTER { $$ = NFT_OBJECT_COUNTER; }
| QUOTA { $$ = NFT_OBJECT_QUOTA; }
- | LIMIT { $$ = NFT_OBJECT_LIMIT; }
+ | LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
| SECMARK { $$ = NFT_OBJECT_SECMARK; }
;
@@ -3045,7 +3046,7 @@ log_flag_tcp : SEQUENCE
}
;
-limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
+limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts close_scope_limit
{
if ($7 == 0) {
erec_queue(error(&@7, "limit burst must be > 0"),
@@ -3059,7 +3060,7 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
$$->limit.type = NFT_LIMIT_PKTS;
$$->limit.flags = $3;
}
- | LIMIT RATE limit_mode NUM STRING limit_burst_bytes
+ | LIMIT RATE limit_mode NUM STRING limit_burst_bytes close_scope_limit
{
struct error_record *erec;
uint64_t rate, unit;
@@ -3084,7 +3085,7 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
$$->limit.type = NFT_LIMIT_PKT_BYTES;
$$->limit.flags = $3;
}
- | LIMIT NAME stmt_expr
+ | LIMIT NAME stmt_expr close_scope_limit
{
$$ = objref_stmt_alloc(&@$);
$$->objref.type = NFT_OBJECT_LIMIT;
@@ -4140,7 +4141,7 @@ set_elem_stmt : COUNTER
$$->counter.packets = $3;
$$->counter.bytes = $5;
}
- | LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
+ | LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts close_scope_limit
{
if ($7 == 0) {
erec_queue(error(&@7, "limit burst must be > 0"),
@@ -4154,7 +4155,7 @@ set_elem_stmt : COUNTER
$$->limit.type = NFT_LIMIT_PKTS;
$$->limit.flags = $3;
}
- | LIMIT RATE limit_mode NUM STRING limit_burst_bytes
+ | LIMIT RATE limit_mode NUM STRING limit_burst_bytes close_scope_limit
{
struct error_record *erec;
uint64_t rate, unit;
diff --git a/src/scanner.l b/src/scanner.l
index b664a794184f..2c5aae846d4f 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -201,6 +201,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_ETH
%s SCANSTATE_IP
%s SCANSTATE_IP6
+%s SCANSTATE_LIMIT
%s SCANSTATE_VLAN
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
@@ -363,9 +364,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"bypass" { return BYPASS;}
"fanout" { return FANOUT;}
}
-"limit" { return LIMIT; }
-"rate" { return RATE; }
-"burst" { return BURST; }
+"limit" { scanner_push_start_cond(yyscanner, SCANSTATE_LIMIT); return LIMIT; }
+<SCANSTATE_LIMIT>{
+ "rate" { return RATE; }
+ "burst" { return BURST; }
+}
"until" { return UNTIL; }
"over" { return OVER; }
--
2.26.2
* [PATCH nft 10/12] scanner: quota: move to own scope
2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
` (8 preceding siblings ...)
2021-03-11 13:23 ` [PATCH nft 09/12] scanner: limit: " Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
2021-03-11 13:23 ` [PATCH nft 11/12] scanner: move until,over,used keywords away from init state Florian Westphal
2021-03-11 13:23 ` [PATCH nft 12/12] scanner: secmark: move to own scope Florian Westphal
11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
... and move "used" keyword to it.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 21 +++++++++++----------
src/scanner.l | 5 +++--
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index a5ea208ecfc8..cc9790f62dc1 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -34,6 +34,7 @@ enum startcond_type {
PARSER_SC_IP,
PARSER_SC_IP6,
PARSER_SC_LIMIT,
+ PARSER_SC_QUOTA,
PARSER_SC_VLAN,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 67afc32a547f..239838c2cbc2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -872,6 +872,7 @@ close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
@@ -1038,11 +1039,11 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_COUNTER, &$2, &@$, $3);
}
- | QUOTA obj_spec quota_obj quota_config
+ | QUOTA obj_spec quota_obj quota_config close_scope_quota
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, &@$, $3);
}
- | QUOTA obj_spec quota_obj '{' quota_block '}'
+ | QUOTA obj_spec quota_obj '{' quota_block '}' close_scope_quota
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, &@$, $3);
}
@@ -1151,7 +1152,7 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_COUNTER, &$2, &@$, $3);
}
- | QUOTA obj_spec quota_obj quota_config
+ | QUOTA obj_spec quota_obj quota_config close_scope_quota
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_QUOTA, &$2, &@$, $3);
}
@@ -1246,7 +1247,7 @@ delete_cmd : TABLE table_or_id_spec
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_COUNTER, &$2, &@$, NULL);
}
- | QUOTA obj_or_id_spec
+ | QUOTA obj_or_id_spec close_scope_quota
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
@@ -1322,7 +1323,7 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_QUOTAS, &$3, &@$, NULL);
}
- | QUOTA obj_spec
+ | QUOTA obj_spec close_scope_quota
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
@@ -1428,7 +1429,7 @@ reset_cmd : COUNTERS ruleset_spec
{
$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTAS, &$3, &@$, NULL);
}
- | QUOTA obj_spec
+ | QUOTA obj_spec close_scope_quota
{
$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
@@ -1630,7 +1631,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block QUOTA obj_identifier
obj_block_alloc '{' quota_block '}'
- stmt_separator
+ stmt_separator close_scope_quota
{
$4->location = @3;
$4->type = NFT_OBJECT_QUOTA;
@@ -1880,7 +1881,7 @@ map_block_alloc : /* empty */
;
map_block_obj_type : COUNTER { $$ = NFT_OBJECT_COUNTER; }
- | QUOTA { $$ = NFT_OBJECT_QUOTA; }
+ | QUOTA close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
| LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
| SECMARK { $$ = NFT_OBJECT_SECMARK; }
;
@@ -3118,7 +3119,7 @@ quota_used : /* empty */ { $$ = 0; }
}
;
-quota_stmt : QUOTA quota_mode NUM quota_unit quota_used
+quota_stmt : QUOTA quota_mode NUM quota_unit quota_used close_scope_quota
{
struct error_record *erec;
uint64_t rate;
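Review bot: close_scope_quota follows quota_used, which the hunk header shows can be empty, so the parser has to read one more token to choose between the empty alternative and USED. That token is therefore scanned with SCANSTATE_QUOTA still active even when it belongs to whatever follows the quota statement. This is needed for "used" to be recognised at all, but it means the scope reaches one token past the statement; worth a sentence in the commit message so nobody later moves the pop in front of quota_used.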
@@ -3134,7 +3135,7 @@ quota_stmt : QUOTA quota_mode NUM quota_unit quota_used
$$->quota.used = $5;
$$->quota.flags = $2;
}
- | QUOTA NAME stmt_expr
+ | QUOTA NAME stmt_expr close_scope_quota
{
$$ = objref_stmt_alloc(&@$);
$$->objref.type = NFT_OBJECT_QUOTA;
diff --git a/src/scanner.l b/src/scanner.l
index 2c5aae846d4f..e373ff848ba9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -202,6 +202,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_IP
%s SCANSTATE_IP6
%s SCANSTATE_LIMIT
+%s SCANSTATE_QUOTA
%s SCANSTATE_VLAN
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
@@ -372,8 +373,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"until" { return UNTIL; }
"over" { return OVER; }
-"quota" { return QUOTA; }
-"used" { return USED; }
+"quota" { scanner_push_start_cond(yyscanner, SCANSTATE_QUOTA); return QUOTA; }
+<SCANSTATE_QUOTA>"used" { return USED; }
"second" { return SECOND; }
"minute" { return MINUTE; }
--
2.26.2
* [PATCH nft 11/12] scanner: move until,over,used keywords away from init state
2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
` (9 preceding siblings ...)
2021-03-11 13:23 ` [PATCH nft 10/12] scanner: quota: " Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
2021-03-11 13:23 ` [PATCH nft 12/12] scanner: secmark: move to own scope Florian Westphal
11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Only applicable for limit and quota. "ct count" also needs 'over'.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/scanner.l | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/scanner.l b/src/scanner.l
index e373ff848ba9..d09189ae4492 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -370,11 +370,13 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"rate" { return RATE; }
"burst" { return BURST; }
}
-"until" { return UNTIL; }
-"over" { return OVER; }
+<SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"over" { return OVER; }
"quota" { scanner_push_start_cond(yyscanner, SCANSTATE_QUOTA); return QUOTA; }
-<SCANSTATE_QUOTA>"used" { return USED; }
+<SCANSTATE_QUOTA>{
+ "used" { return USED; }
+ "until" { return UNTIL; }
+}
"second" { return SECOND; }
"minute" { return MINUTE; }
--
2.26.2
* [PATCH nft 12/12] scanner: secmark: move to own scope
2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
` (10 preceding siblings ...)
2021-03-11 13:23 ` [PATCH nft 11/12] scanner: move until,over,used keywords away from init state Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 19 ++++++++++---------
src/scanner.l | 3 ++-
3 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index cc9790f62dc1..9fdebcd11dd2 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -35,6 +35,7 @@ enum startcond_type {
PARSER_SC_IP6,
PARSER_SC_LIMIT,
PARSER_SC_QUOTA,
+ PARSER_SC_SECMARK,
PARSER_SC_VLAN,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 239838c2cbc2..08a2599e5374 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -875,6 +875,7 @@ close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGE
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
+close_scope_secmark : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
common_block : INCLUDE QUOTED_STRING stmt_separator
@@ -1067,11 +1068,11 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
- | SECMARK obj_spec secmark_obj secmark_config
+ | SECMARK obj_spec secmark_obj secmark_config close_scope_secmark
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
}
- | SECMARK obj_spec secmark_obj '{' secmark_block '}'
+ | SECMARK obj_spec secmark_obj '{' secmark_block '}' close_scope_secmark
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
}
@@ -1172,7 +1173,7 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
- | SECMARK obj_spec secmark_obj secmark_config
+ | SECMARK obj_spec secmark_obj secmark_config close_scope_secmark
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SECMARK, &$2, &@$, $3);
}
@@ -1259,7 +1260,7 @@ delete_cmd : TABLE table_or_id_spec
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_LIMIT, &$2, &@$, NULL);
}
- | SECMARK obj_or_id_spec
+ | SECMARK obj_or_id_spec close_scope_secmark
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
}
@@ -1347,7 +1348,7 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
}
- | SECMARK obj_spec
+ | SECMARK obj_spec close_scope_secmark
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARK, &$2, &@$, NULL);
}
@@ -1680,7 +1681,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block SECMARK obj_identifier
obj_block_alloc '{' secmark_block '}'
- stmt_separator
+ stmt_separator close_scope_secmark
{
$4->location = @3;
$4->type = NFT_OBJECT_SECMARK;
@@ -1883,7 +1884,7 @@ map_block_alloc : /* empty */
map_block_obj_type : COUNTER { $$ = NFT_OBJECT_COUNTER; }
| QUOTA close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
| LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
- | SECMARK { $$ = NFT_OBJECT_SECMARK; }
+ | SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
;
map_block : /* empty */ { $$ = $<set>-1; }
@@ -4727,7 +4728,7 @@ meta_key_qualified : LENGTH { $$ = NFT_META_LEN; }
| PROTOCOL { $$ = NFT_META_PROTOCOL; }
| PRIORITY { $$ = NFT_META_PRIORITY; }
| RANDOM { $$ = NFT_META_PRANDOM; }
- | SECMARK { $$ = NFT_META_SECMARK; }
+ | SECMARK close_scope_secmark { $$ = NFT_META_SECMARK; }
;
meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
@@ -4966,7 +4967,7 @@ ct_key : L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; }
| PROTO_DST { $$ = NFT_CT_PROTO_DST; }
| LABEL { $$ = NFT_CT_LABELS; }
| EVENT { $$ = NFT_CT_EVENTMASK; }
- | SECMARK { $$ = NFT_CT_SECMARK; }
+ | SECMARK close_scope_secmark { $$ = NFT_CT_SECMARK; }
| ID { $$ = NFT_CT_ID; }
| ct_key_dir_optional
;
diff --git a/src/scanner.l b/src/scanner.l
index d09189ae4492..a73ce1b819d8 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -203,6 +203,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_IP6
%s SCANSTATE_LIMIT
%s SCANSTATE_QUOTA
+%s SCANSTATE_SECMARK
%s SCANSTATE_VLAN
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
@@ -634,7 +635,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"out" { return OUT; }
}
-"secmark" { return SECMARK; }
+"secmark" { scanner_push_start_cond(yyscanner, SCANSTATE_SECMARK); return SECMARK; }
"secmarks" { return SECMARKS; }
{addrstring} {
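Review bot: "secmark" now pushes SCANSTATE_SECMARK, but no rule in this patch is placed under that condition, so nothing leaves INITIAL while nine productions in parser_bison.y gain a close_scope_secmark. The commit message has no body to explain the intent; please say whether this is preparation for scoping keywords in a later change, or fold it into the patch that moves the first keyword into the new scope.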
--
2.26.2