* [nft PATCH 00/26] scanner: Some fixes, many new scopes
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Patch 1 adds a test for 'ct count' statement, patches 2 and 3 fix some
keywords' scope, bulk scope introduction in the remaining ones.
Phil Sutter (26):
tests: py: Test connlimit statement
scanner: Move 'maps' keyword into list cmd scope
scanner: Some time units are only used in limit scope
scanner: rt: Move seg-left keyword into scope
scanner: icmp{,v6}: Move to own scope
scanner: igmp: Move to own scope
scanner: tcp: Move to own scope
scanner: synproxy: Move to own scope
scanner: comp: Move to own scope.
scanner: udp{,lite}: Move to own scope
scanner: dccp, th: Move to own scopes
scanner: osf: Move to own scope
scanner: ah, esp: Move to own scopes
scanner: dst, frag, hbh, mh: Move to own scopes
scanner: type: Move to own scope
scanner: rt: Extend scope over rt0, rt2 and srh
scanner: monitor: Move to own Scope
scanner: reset: move to own Scope
scanner: import, export: Move to own scopes
scanner: reject: Move to own scope
scanner: flags: move to own scope
scanner: policy: move to own scope
scanner: nat: Move to own scope
scanner: at: Move to own scope
scanner: meta: Move to own scope
scanner: dup, fwd, tproxy: Move to own scopes
include/parser.h | 29 +++
src/parser_bison.y | 263 +++++++++++++++------------
src/scanner.l | 361 ++++++++++++++++++++++++--------------
tests/py/any/ct.t | 3 +
tests/py/any/ct.t.json | 19 ++
tests/py/any/ct.t.payload | 8 +
6 files changed, 436 insertions(+), 247 deletions(-)
--
2.34.1
* [nft PATCH 01/26] tests: py: Test connlimit statement
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This wasn't covered at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/py/any/ct.t | 3 +++
tests/py/any/ct.t.json | 19 +++++++++++++++++++
tests/py/any/ct.t.payload | 8 ++++++++
3 files changed, 30 insertions(+)
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 8b8e68ab7361a..f73fa4e7aedbe 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -144,3 +144,6 @@ ct set invalid original 42;fail
ct set invalid 42;fail
notrack;ok
+
+ct count 3;ok
+ct count over 3;ok
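Review bot: The two added lines, 'ct count 3;ok' and 'ct count over 3;ok', cover accepted input only, while the context above them ('ct set invalid 42;fail') shows the file's convention for input that must be rejected. Consider adding at least one ';fail' line for ct count with a missing or non-numeric value, so the parser's error path for the statement is pinned down as well.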
diff --git a/tests/py/any/ct.t.json b/tests/py/any/ct.t.json
index 6684963b6609c..a2a06025992c7 100644
--- a/tests/py/any/ct.t.json
+++ b/tests/py/any/ct.t.json
@@ -1502,3 +1502,22 @@
}
]
+# ct count 3
+[
+ {
+ "ct count": {
+ "val": 3
+ }
+ }
+]
+
+# ct count over 3
+[
+ {
+ "ct count": {
+ "inv": true,
+ "val": 3
+ }
+ }
+]
+
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 733276e196f20..ed868e53277d9 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -508,3 +508,11 @@ ip6
[ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
+# ct count 3
+ip test-ip4 output
+ [ connlimit count 3 flags 0 ]
+
+# ct count over 3
+ip test-ip4 output
+ [ connlimit count 3 flags 1 ]
+
--
2.34.1
* [nft PATCH 02/26] scanner: Move 'maps' keyword into list cmd scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This was missed when introducing SCANSTATE_CMD_LIST, no other command
operates on "maps".
Fixes: 6a24ffb04642e ("scanner: add list cmd parser scope")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/scanner.l | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/scanner.l b/src/scanner.l
index 7dcc45c2fd505..ce78fcd6fa995 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -286,7 +286,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"set" { return SET; }
"element" { return ELEMENT; }
"map" { return MAP; }
-"maps" { return MAPS; }
"flowtable" { return FLOWTABLE; }
"handle" { return HANDLE; }
"ruleset" { return RULESET; }
@@ -353,6 +352,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"meters" { return METERS; }
"flowtables" { return FLOWTABLES; }
"limits" { return LIMITS; }
+ "maps" { return MAPS; }
"secmarks" { return SECMARKS; }
"synproxys" { return SYNPROXYS; }
"hooks" { return HOOKS; }
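Review bot: With "maps" re-added in this block next to "meters", "flowtables" and "limits", the word is a keyword only while the list command scope is active, but the diffstat touches src/scanner.l alone, so nothing exercises the change. A test that lists maps, plus one that uses maps as a plain identifier outside a list command, would show both that MAPS is still reachable and that the keyword no longer leaks into the initial scope.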
--
2.34.1
* [nft PATCH 03/26] scanner: Some time units are only used in limit scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
'hour' and 'day' are allowed as unqualified meta expressions, so leave
them alone.
Fixes: eae2525685252 ("scanner: limit: move to own scope")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/scanner.l | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/scanner.l b/src/scanner.l
index ce78fcd6fa995..eaf5460870a09 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -385,6 +385,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_LIMIT>{
"rate" { return RATE; }
"burst" { return BURST; }
+
+ /* time_unit */
+ "second" { return SECOND; }
+ "minute" { return MINUTE; }
+ "week" { return WEEK; }
}
<SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"over" { return OVER; }
@@ -394,11 +399,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"until" { return UNTIL; }
}
-"second" { return SECOND; }
-"minute" { return MINUTE; }
"hour" { return HOUR; }
"day" { return DAY; }
-"week" { return WEEK; }
"reject" { return _REJECT; }
"with" { return WITH; }
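Review bot: Removing the unscoped "second", "minute" and "week" rules here means SECOND, MINUTE and WEEK are produced only while SCANSTATE_LIMIT is active, and the commit message argues only why 'hour' and 'day' must stay. Please state that every grammar rule consuming these three tokens is reached inside the limit scope; any other user would now receive a plain string and fail to parse. If such a user exists, a shared start-condition list in the style of the <SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"over" rule visible in the previous hunk would keep the keyword available there.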
--
2.34.1
* [nft PATCH 04/26] scanner: rt: Move seg-left keyword into scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
It's not used outside of rt_hdr_expr, so move it out of INIT scope.
Fixes: 8861db1b771a6 ("scanner: rt: move to own scope")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/scanner.l | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/scanner.l b/src/scanner.l
index eaf5460870a09..9a189ec391328 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -590,7 +590,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"rt0" { return RT0; }
"rt2" { return RT2; }
"srh" { return RT4; }
-"seg-left" { return SEG_LEFT; }
"addr" { return ADDR; }
"last-entry" { return LAST_ENT; }
"tag" { return TAG; }
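Review bot: The context lines of this hunk show "rt0", "rt2" and "srh" returning their tokens without pushing a start condition, so after this removal seg-left is tokenized as SEG_LEFT only once something else has entered SCANSTATE_EXPR_RT. If seg-left can follow any of those three keywords, it stops parsing at this commit. The cover letter lists a later 'scanner: rt: Extend scope over rt0, rt2 and srh'; if that is what restores it, the two changes should be reordered or merged so the series stays bisectable.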
@@ -631,6 +630,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_EXPR_RT>{
"classid" { return CLASSID; }
"nexthop" { return NEXTHOP; }
+ "seg-left" { return SEG_LEFT; }
}
"ct" { scanner_push_start_cond(yyscanner, SCANSTATE_CT); return CT; }
--
2.34.1
* [nft PATCH 05/26] scanner: icmp{,v6}: Move to own scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Unify the two, header fields are almost identical.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 13 +++++++------
src/scanner.l | 19 +++++++++++--------
3 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index cb7d12a36edb0..ba955c9160581 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -34,6 +34,7 @@ enum startcond_type {
PARSER_SC_CT,
PARSER_SC_COUNTER,
PARSER_SC_ETH,
+ PARSER_SC_ICMP,
PARSER_SC_IP,
PARSER_SC_IP6,
PARSER_SC_LIMIT,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index d67d16b8bc8c7..ca5140ade098e 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -935,6 +935,7 @@ close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH);
close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
+close_scope_icmp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ICMP); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
@@ -3340,7 +3341,7 @@ reject_opts : /* empty */
$<stmt>0->reject.type = -1;
$<stmt>0->reject.icmp_code = -1;
}
- | WITH ICMP TYPE reject_with_expr
+ | WITH ICMP TYPE reject_with_expr close_scope_icmp
{
$<stmt>0->reject.family = NFPROTO_IPV4;
$<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
@@ -3354,7 +3355,7 @@ reject_opts : /* empty */
$<stmt>0->reject.expr = $3;
datatype_set($<stmt>0->reject.expr, &icmp_code_type);
}
- | WITH ICMP6 TYPE reject_with_expr
+ | WITH ICMP6 TYPE reject_with_expr close_scope_icmp
{
$<stmt>0->reject.family = NFPROTO_IPV6;
$<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
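Review bot: The alternative whose action ends in the context lines at the top of this hunk ('$<stmt>0->reject.expr = $3;', so the expression is its third symbol and there is no TYPE keyword) gets no close_scope_icmp, and neither would any ICMP6 counterpart of it. If those alternatives begin with WITH ICMP or WITH ICMP6, the scanner has already pushed SCANSTATE_ICMP and nothing pops it, leaving the ICMP keywords active for the rest of the input. Please add close_scope_icmp to every reject_opts alternative that consumes ICMP or ICMP6.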
@@ -4789,7 +4790,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | ICMP
+ | ICMP close_scope_icmp
{
uint8_t data = IPPROTO_ICMP;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -4803,7 +4804,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | ICMP6
+ | ICMP6 close_scope_icmp
{
uint8_t data = IPPROTO_ICMPV6;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5379,7 +5380,7 @@ ip_option_field : TYPE { $$ = IPOPT_FIELD_TYPE; }
| ADDR { $$ = IPOPT_FIELD_ADDR_0; }
;
-icmp_hdr_expr : ICMP icmp_hdr_field
+icmp_hdr_expr : ICMP icmp_hdr_field close_scope_icmp
{
$$ = payload_expr_alloc(&@$, &proto_icmp, $2);
}
@@ -5422,7 +5423,7 @@ ip6_hdr_field : HDRVERSION { $$ = IP6HDR_VERSION; }
| SADDR { $$ = IP6HDR_SADDR; }
| DADDR { $$ = IP6HDR_DADDR; }
;
-icmp6_hdr_expr : ICMP6 icmp6_hdr_field
+icmp6_hdr_expr : ICMP6 icmp6_hdr_field close_scope_icmp
{
$$ = payload_expr_alloc(&@$, &proto_icmp6, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index 9a189ec391328..e8ec352f88698 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -200,6 +200,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_CT
%s SCANSTATE_COUNTER
%s SCANSTATE_ETH
+%s SCANSTATE_ICMP
%s SCANSTATE_IP
%s SCANSTATE_IP6
%s SCANSTATE_LIMIT
@@ -496,11 +497,16 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"sack-perm" { return SACK_PERM; }
"timestamp" { return TIMESTAMP; }
-"icmp" { return ICMP; }
-"code" { return CODE; }
+"icmp" { scanner_push_start_cond(yyscanner, SCANSTATE_ICMP); return ICMP; }
+"icmpv6" { scanner_push_start_cond(yyscanner, SCANSTATE_ICMP); return ICMP6; }
+<SCANSTATE_ICMP>{
+ "gateway" { return GATEWAY; }
+ "code" { return CODE; }
+ "param-problem" { return PPTR; }
+ "max-delay" { return MAXDELAY; }
+ "mtu" { return MTU; }
+}
"sequence" { return SEQUENCE; }
-"gateway" { return GATEWAY; }
-"mtu" { return MTU; }
"igmp" { return IGMP; }
"mrt" { return MRT; }
@@ -513,10 +519,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"nexthdr" { return NEXTHDR; }
-"icmpv6" { return ICMP6; }
-"param-problem" { return PPTR; }
-"max-delay" { return MAXDELAY; }
-
"ah" { return AH; }
"reserved" { return RESERVED; }
"spi" { return SPI; }
@@ -631,6 +633,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"classid" { return CLASSID; }
"nexthop" { return NEXTHOP; }
"seg-left" { return SEG_LEFT; }
+ "mtu" { return MTU; }
}
"ct" { scanner_push_start_cond(yyscanner, SCANSTATE_CT); return CT; }
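Review bot: Adding "mtu" to the block that holds "classid", "nexthop" and "seg-left" is not mentioned in the commit message, which talks only about unifying icmp and icmpv6. Please say why MTU is needed in that scope, since this line is what keeps it working there once the unscoped rule is removed earlier in the patch. Instead of two copies of the rule, a single one with a start-condition list, as src/scanner.l already does for "over", would keep the keyword in one place.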
--
2.34.1
* [nft PATCH 06/26] scanner: igmp: Move to own scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
At least isolates 'mrt' and 'group' keywords, the latter is shared with
log statement.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 3 ++-
src/scanner.l | 10 +++++++---
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index ba955c9160581..16e02a1ffe129 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -35,6 +35,7 @@ enum startcond_type {
PARSER_SC_COUNTER,
PARSER_SC_ETH,
PARSER_SC_ICMP,
+ PARSER_SC_IGMP,
PARSER_SC_IP,
PARSER_SC_IP6,
PARSER_SC_LIMIT,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ca5140ade098e..6340bda6cc585 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -936,6 +936,7 @@ close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
close_scope_icmp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ICMP); };
+close_scope_igmp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IGMP); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
@@ -5395,7 +5396,7 @@ icmp_hdr_field : TYPE { $$ = ICMPHDR_TYPE; }
| MTU { $$ = ICMPHDR_MTU; }
;
-igmp_hdr_expr : IGMP igmp_hdr_field
+igmp_hdr_expr : IGMP igmp_hdr_field close_scope_igmp
{
$$ = payload_expr_alloc(&@$, &proto_igmp, $2);
}
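Review bot: close_scope_igmp is added to igmp_hdr_expr only, while the scanner change in this patch pushes SCANSTATE_IGMP every time 'igmp' is scanned. The previous patch in the series also had to close the scope after the bare ICMP and ICMP6 alternatives of primary_rhs_expr; if IGMP has a bare alternative there too, it needs 'IGMP close_scope_igmp', or the scope is never popped when igmp is used as a protocol value.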
diff --git a/src/scanner.l b/src/scanner.l
index e8ec352f88698..a584b5fba39b4 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -201,6 +201,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_COUNTER
%s SCANSTATE_ETH
%s SCANSTATE_ICMP
+%s SCANSTATE_IGMP
%s SCANSTATE_IP
%s SCANSTATE_IP6
%s SCANSTATE_LIMIT
@@ -369,11 +370,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"log" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_LOG); return LOG; }
"prefix" { return PREFIX; }
-"group" { return GROUP; }
<SCANSTATE_STMT_LOG>{
"snaplen" { return SNAPLEN; }
"queue-threshold" { return QUEUE_THRESHOLD; }
"level" { return LEVEL; }
+ "group" { return GROUP; }
}
"queue" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;}
@@ -508,8 +509,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"sequence" { return SEQUENCE; }
-"igmp" { return IGMP; }
-"mrt" { return MRT; }
+"igmp" { scanner_push_start_cond(yyscanner, SCANSTATE_IGMP); return IGMP; }
+<SCANSTATE_IGMP>{
+ "mrt" { return MRT; }
+ "group" { return GROUP; }
+}
"ip6" { scanner_push_start_cond(yyscanner, SCANSTATE_IP6); return IP6; }
"priority" { return PRIORITY; }
--
2.34.1
* [nft PATCH 07/26] scanner: tcp: Move to own scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Apart from header fields, this isolates TCP option types and
fields, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_bison.y | 2 +-
src/scanner.l | 60 +++++++++++++++++++++++++++-------------------
2 files changed, 36 insertions(+), 26 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 6340bda6cc585..55f3b2bc35bec 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -942,13 +942,13 @@ close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); }
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
-close_scope_tcp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); }
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
close_scope_sctp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
close_scope_sctp_chunk : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SCTP_CHUNK); };
close_scope_secmark : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
+close_scope_tcp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); };
close_scope_log : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_LOG); }
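Review bot: The re-added close_scope_tcp line gains the terminating ';' that the removed one lacked, but its new neighbours close_scope_socket and close_scope_log in the context lines still end in '}' without one. Since this hunk is already a cosmetic move, terminate those two rules as well so the block is consistent, and mention the move in the commit message.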
diff --git a/src/scanner.l b/src/scanner.l
index a584b5fba39b4..95dcd0330bd3e 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -468,30 +468,46 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"ptr" { return PTR; }
"value" { return VALUE; }
+
+ "option" { return OPTION; }
+ "options" { return OPTIONS; }
}
<SCANSTATE_TCP>{
-"echo" { return ECHO; }
-"eol" { return EOL; }
-"fastopen" { return FASTOPEN; }
-"mptcp" { return MPTCP; }
-"md5sig" { return MD5SIG; }
-"subtype" { return SUBTYPE; }
-"nop" { return NOP; }
-"noop" { return NOP; }
-"sack" { return SACK; }
-"sack0" { return SACK0; }
-"sack1" { return SACK1; }
-"sack2" { return SACK2; }
-"sack3" { return SACK3; }
-"time" { return TIME; }
+ /* tcp header fields */
+ "ackseq" { return ACKSEQ; }
+ "doff" { return DOFF; }
+ "window" { return WINDOW; }
+ "urgptr" { return URGPTR; }
+
+ /* tcp option types */
+ "echo" { return ECHO; }
+ "eol" { return EOL; }
+ "maxseg" { return MSS; }
+ "mss" { return MSS; }
+ "nop" { return NOP; }
+ "noop" { return NOP; }
+ "sack" { return SACK; }
+ "sack0" { return SACK0; }
+ "sack1" { return SACK1; }
+ "sack2" { return SACK2; }
+ "sack3" { return SACK3; }
+ "fastopen" { return FASTOPEN; }
+ "mptcp" { return MPTCP; }
+ "md5sig" { return MD5SIG; }
+
+ /* tcp option fields */
+ "left" { return LEFT; }
+ "right" { return RIGHT; }
+ "count" { return COUNT; }
+ "tsval" { return TSVAL; }
+ "tsecr" { return TSECR; }
+ "subtype" { return SUBTYPE; }
-"count" { return COUNT; }
-"left" { return LEFT; }
-"right" { return RIGHT; }
-"tsval" { return TSVAL; }
-"tsecr" { return TSECR; }
+ "options" { return OPTIONS; }
+ "option" { return OPTION; }
}
+"time" { return TIME; }
"maxseg" { return MSS; }
"mss" { return MSS; }
"sack-permitted" { return SACK_PERM; }
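Review bot: "time" is moved out of the <SCANSTATE_TCP> block to an unscoped rule right after the closing brace, which widens its scope instead of narrowing it, and the commit message does not explain why. In the same hunk "maxseg" and "mss" are added inside the block while the unscoped copies remain as context just below, so the scoped rules are redundant at this commit; either drop the unscoped ones here or add the scoped ones in the patch that removes them.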
@@ -540,11 +556,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"port" { return PORT; }
"tcp" { scanner_push_start_cond(yyscanner, SCANSTATE_TCP); return TCP; }
-"ackseq" { return ACKSEQ; }
-"doff" { return DOFF; }
-"window" { return WINDOW; }
-"urgptr" { return URGPTR; }
-"option" { return OPTION; }
"dccp" { return DCCP; }
@@ -688,7 +699,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"notrack" { return NOTRACK; }
-"options" { return OPTIONS; }
"all" { return ALL; }
"xml" { return XML; }
--
2.34.1
* [nft PATCH 08/26] scanner: synproxy: Move to own scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Quite a few keywords are shared with PARSER_SC_TCP.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 15 ++++++++-------
src/scanner.l | 20 +++++++++++++-------
3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 16e02a1ffe129..0e75bad482075 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -55,6 +55,7 @@ enum startcond_type {
PARSER_SC_EXPR_SOCKET,
PARSER_SC_STMT_LOG,
+ PARSER_SC_STMT_SYNPROXY,
};
struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 55f3b2bc35bec..937bb410fa779 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -951,6 +951,7 @@ close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKE
close_scope_tcp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); };
close_scope_log : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_LOG); }
+close_scope_synproxy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_SYNPROXY); }
common_block : INCLUDE QUOTED_STRING stmt_separator
{
@@ -1151,11 +1152,11 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
}
- | SYNPROXY obj_spec synproxy_obj synproxy_config
+ | SYNPROXY obj_spec synproxy_obj synproxy_config close_scope_synproxy
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SYNPROXY, &$2, &@$, $3);
}
- | SYNPROXY obj_spec synproxy_obj '{' synproxy_block '}'
+ | SYNPROXY obj_spec synproxy_obj '{' synproxy_block '}' close_scope_synproxy
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SYNPROXY, &$2, &@$, $3);
}
@@ -1252,7 +1253,7 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SECMARK, &$2, &@$, $3);
}
- | SYNPROXY obj_spec synproxy_obj synproxy_config
+ | SYNPROXY obj_spec synproxy_obj synproxy_config close_scope_synproxy
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SYNPROXY, &$2, &@$, $3);
}
@@ -1341,7 +1342,7 @@ delete_cmd : TABLE table_or_id_spec
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
}
- | SYNPROXY obj_or_id_spec
+ | SYNPROXY obj_or_id_spec close_scope_synproxy
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SYNPROXY, &$2, &@$, NULL);
}
@@ -1437,7 +1438,7 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SYNPROXYS, &$3, &@$, NULL);
}
- | SYNPROXY obj_spec
+ | SYNPROXY obj_spec close_scope_synproxy
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SYNPROXY, &$2, &@$, NULL);
}
@@ -1793,7 +1794,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block SYNPROXY obj_identifier
obj_block_alloc '{' synproxy_block '}'
- stmt_separator
+ stmt_separator close_scope_synproxy
{
$4->location = @3;
$4->type = NFT_OBJECT_SYNPROXY;
@@ -2828,7 +2829,7 @@ stmt : verdict_stmt
| fwd_stmt
| set_stmt
| map_stmt
- | synproxy_stmt
+ | synproxy_stmt close_scope_synproxy
| chain_stmt
;
diff --git a/src/scanner.l b/src/scanner.l
index 95dcd0330bd3e..01cb501cb8cb3 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -221,6 +221,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_SOCKET
%s SCANSTATE_STMT_LOG
+%s SCANSTATE_STMT_SYNPROXY
%%
@@ -492,6 +493,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"sack1" { return SACK1; }
"sack2" { return SACK2; }
"sack3" { return SACK3; }
+ "sack-permitted" { return SACK_PERM; }
+ "sack-perm" { return SACK_PERM; }
+ "timestamp" { return TIMESTAMP; }
"fastopen" { return FASTOPEN; }
"mptcp" { return MPTCP; }
"md5sig" { return MD5SIG; }
@@ -508,11 +512,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"option" { return OPTION; }
}
"time" { return TIME; }
-"maxseg" { return MSS; }
-"mss" { return MSS; }
-"sack-permitted" { return SACK_PERM; }
-"sack-perm" { return SACK_PERM; }
-"timestamp" { return TIMESTAMP; }
"icmp" { scanner_push_start_cond(yyscanner, SCANSTATE_ICMP); return ICMP; }
"icmpv6" { scanner_push_start_cond(yyscanner, SCANSTATE_ICMP); return ICMP6; }
@@ -694,8 +693,15 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"osf" { return OSF; }
-"synproxy" { return SYNPROXY; }
-"wscale" { return WSCALE; }
+"synproxy" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_SYNPROXY); return SYNPROXY; }
+<SCANSTATE_STMT_SYNPROXY>{
+ "wscale" { return WSCALE; }
+ "maxseg" { return MSS; }
+ "mss" { return MSS; }
+ "timestamp" { return TIMESTAMP; }
+ "sack-permitted" { return SACK_PERM; }
+ "sack-perm" { return SACK_PERM; }
+}
"notrack" { return NOTRACK; }
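Review bot: "maxseg", "mss", "timestamp", "sack-permitted" and "sack-perm" now exist twice, once in <SCANSTATE_TCP> and once in this new <SCANSTATE_STMT_SYNPROXY> block, which the commit message acknowledges as shared keywords. One set of rules guarded by both start conditions would avoid the two copies drifting apart when an alias is added to only one of them; if the duplication is deliberate, a short comment in the block saying so would help.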
--
2.34.1
* [nft PATCH 09/26] scanner: comp: Move to own scope.
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Isolates only 'cpi' keyword for now.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 5 +++--
src/scanner.l | 7 +++++--
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 0e75bad482075..c16f210121040 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -45,6 +45,7 @@ enum startcond_type {
PARSER_SC_TCP,
PARSER_SC_VLAN,
PARSER_SC_CMD_LIST,
+ PARSER_SC_EXPR_COMP,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
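Review bot: PARSER_SC_EXPR_COMP goes into the EXPR_-prefixed group, while PARSER_SC_ICMP and PARSER_SC_IGMP from the two preceding header-expression patches were added without the prefix next to PARSER_SC_IP. All three scope a protocol header expression, so please pick one naming scheme and use it across the series.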
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 937bb410fa779..7a02eaf88a58f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -927,6 +927,7 @@ opt_newline : NEWLINE
;
close_scope_arp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ARP); };
+close_scope_comp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_COMP); };
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_counter : { scanner_pop_start_cond(nft->scanner, PARSER_SC_COUNTER); };
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
@@ -4813,7 +4814,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | COMP
+ | COMP close_scope_comp
{
uint8_t data = IPPROTO_COMP;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5464,7 +5465,7 @@ esp_hdr_field : SPI { $$ = ESPHDR_SPI; }
| SEQUENCE { $$ = ESPHDR_SEQUENCE; }
;
-comp_hdr_expr : COMP comp_hdr_field
+comp_hdr_expr : COMP comp_hdr_field close_scope_comp
{
$$ = payload_expr_alloc(&@$, &proto_comp, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index 01cb501cb8cb3..a27df6c7e3915 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -211,6 +211,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_TCP
%s SCANSTATE_VLAN
%s SCANSTATE_CMD_LIST
+%s SCANSTATE_EXPR_COMP
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
@@ -544,9 +545,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"esp" { return ESP; }
-"comp" { return COMP; }
+"comp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_COMP); return COMP; }
+<SCANSTATE_EXPR_COMP>{
+ "cpi" { return CPI; }
+}
"flags" { return FLAGS; }
-"cpi" { return CPI; }
"udp" { return UDP; }
"udplite" { return UDPLITE; }
--
2.34.1
* [nft PATCH 10/26] scanner: udp{,lite}: Move to own scope
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
All used keywords are shared with others, so no separation for now apart
from 'csumcov' which was actually missing from scanner.l.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 2 ++
src/parser_bison.y | 12 +++++++-----
src/scanner.l | 9 +++++++--
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index c16f210121040..e80a7753ea715 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -54,6 +54,8 @@ enum startcond_type {
PARSER_SC_EXPR_RT,
PARSER_SC_EXPR_SCTP_CHUNK,
PARSER_SC_EXPR_SOCKET,
+ PARSER_SC_EXPR_UDP,
+ PARSER_SC_EXPR_UDPLITE,
PARSER_SC_STMT_LOG,
PARSER_SC_STMT_SYNPROXY,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 7a02eaf88a58f..39789b30f41ab 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -950,6 +950,8 @@ close_scope_sctp_chunk : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_S
close_scope_secmark : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
close_scope_tcp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); };
+close_scope_udp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDP); };
+close_scope_udplite : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDPLITE); };
close_scope_log : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_LOG); }
close_scope_synproxy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_SYNPROXY); }
@@ -4485,7 +4487,7 @@ ct_cmd_type : HELPERS { $$ = CMD_OBJ_CT_HELPERS; }
;
ct_l4protoname : TCP close_scope_tcp { $$ = IPPROTO_TCP; }
- | UDP { $$ = IPPROTO_UDP; }
+ | UDP close_scope_udp { $$ = IPPROTO_UDP; }
;
ct_helper_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_separator
@@ -4765,14 +4767,14 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | UDP
+ | UDP close_scope_udp
{
uint8_t data = IPPROTO_UDP;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | UDPLITE
+ | UDPLITE close_scope_udplite
{
uint8_t data = IPPROTO_UDPLITE;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5476,7 +5478,7 @@ comp_hdr_field : NEXTHDR { $$ = COMPHDR_NEXTHDR; }
| CPI { $$ = COMPHDR_CPI; }
;
-udp_hdr_expr : UDP udp_hdr_field
+udp_hdr_expr : UDP udp_hdr_field close_scope_udp
{
$$ = payload_expr_alloc(&@$, &proto_udp, $2);
}
@@ -5488,7 +5490,7 @@ udp_hdr_field : SPORT { $$ = UDPHDR_SPORT; }
| CHECKSUM { $$ = UDPHDR_CHECKSUM; }
;
-udplite_hdr_expr : UDPLITE udplite_hdr_field
+udplite_hdr_expr : UDPLITE udplite_hdr_field close_scope_udplite
{
$$ = payload_expr_alloc(&@$, &proto_udplite, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index a27df6c7e3915..d6fb91bd102b2 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -220,6 +220,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_RT
%s SCANSTATE_EXPR_SCTP_CHUNK
%s SCANSTATE_EXPR_SOCKET
+%s SCANSTATE_EXPR_UDP
+%s SCANSTATE_EXPR_UDPLITE
%s SCANSTATE_STMT_LOG
%s SCANSTATE_STMT_SYNPROXY
@@ -551,8 +553,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"flags" { return FLAGS; }
-"udp" { return UDP; }
-"udplite" { return UDPLITE; }
+"udp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDP); return UDP; }
+"udplite" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDPLITE); return UDPLITE; }
+<SCANSTATE_EXPR_UDPLITE>{
+ "csumcov" { return CSUMCOV; }
+}
"sport" { return SPORT; }
"dport" { return DPORT; }
"port" { return PORT; }
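Review bot: The push on "udp" and "udplite" is unconditional, so every grammar rule that consumes UDP or UDPLITE has to end in close_scope_udp or close_scope_udplite. The parser_bison.y hunks in this patch cover ct_l4protoname, primary_rhs_expr, udp_hdr_expr and udplite_hdr_expr; please confirm these are the only users of the two tokens, since a rule that was missed would leave the start condition pushed after the expression has ended.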
--
2.34.1
* [nft PATCH 11/26] scanner: dccp, th: Move to own scopes
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (9 preceding siblings ...)
2022-02-19 13:27 ` [nft PATCH 10/26] scanner: udp{,lite}: " Phil Sutter
@ 2022-02-19 13:27 ` Phil Sutter
2022-02-19 13:28 ` [nft PATCH 12/26] scanner: osf: Move to own scope Phil Sutter
` (15 subsequent siblings)
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
With them in place, heavily shared keywords 'sport' and 'dport' may be
isolated.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 2 ++
src/parser_bison.y | 10 ++++++----
src/scanner.l | 14 ++++++++++----
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index e80a7753ea715..ab372ad0bae88 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -46,6 +46,7 @@ enum startcond_type {
PARSER_SC_VLAN,
PARSER_SC_CMD_LIST,
PARSER_SC_EXPR_COMP,
+ PARSER_SC_EXPR_DCCP,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
@@ -54,6 +55,7 @@ enum startcond_type {
PARSER_SC_EXPR_RT,
PARSER_SC_EXPR_SCTP_CHUNK,
PARSER_SC_EXPR_SOCKET,
+ PARSER_SC_EXPR_TH,
PARSER_SC_EXPR_UDP,
PARSER_SC_EXPR_UDPLITE,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 39789b30f41ab..adfaa460caf36 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -930,6 +930,7 @@ close_scope_arp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ARP); };
close_scope_comp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_COMP); };
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_counter : { scanner_pop_start_cond(nft->scanner, PARSER_SC_COUNTER); };
+close_scope_dccp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DCCP); };
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
@@ -950,6 +951,7 @@ close_scope_sctp_chunk : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_S
close_scope_secmark : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
close_scope_tcp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); };
+close_scope_th : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_TH); };
close_scope_udp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDP); };
close_scope_udplite : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDPLITE); };
@@ -4823,7 +4825,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | DCCP
+ | DCCP close_scope_dccp
{
uint8_t data = IPPROTO_DCCP;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5284,7 +5286,7 @@ payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM
payload_base_spec : LL_HDR { $$ = PROTO_BASE_LL_HDR; }
| NETWORK_HDR { $$ = PROTO_BASE_NETWORK_HDR; }
- | TRANSPORT_HDR { $$ = PROTO_BASE_TRANSPORT_HDR; }
+ | TRANSPORT_HDR close_scope_th { $$ = PROTO_BASE_TRANSPORT_HDR; }
| STRING
{
if (!strcmp($1, "ih")) {
@@ -5610,7 +5612,7 @@ tcpopt_field_maxseg : SIZE { $$ = TCPOPT_MAXSEG_SIZE; }
tcpopt_field_mptcp : SUBTYPE { $$ = TCPOPT_MPTCP_SUBTYPE; }
;
-dccp_hdr_expr : DCCP dccp_hdr_field
+dccp_hdr_expr : DCCP dccp_hdr_field close_scope_dccp
{
$$ = payload_expr_alloc(&@$, &proto_dccp, $2);
}
@@ -5738,7 +5740,7 @@ sctp_hdr_field : SPORT { $$ = SCTPHDR_SPORT; }
| CHECKSUM { $$ = SCTPHDR_CHECKSUM; }
;
-th_hdr_expr : TRANSPORT_HDR th_hdr_field
+th_hdr_expr : TRANSPORT_HDR th_hdr_field close_scope_th
{
$$ = payload_expr_alloc(&@$, &proto_th, $2);
if ($$)
diff --git a/src/scanner.l b/src/scanner.l
index d6fb91bd102b2..ed26811c5d906 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -212,6 +212,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_VLAN
%s SCANSTATE_CMD_LIST
%s SCANSTATE_EXPR_COMP
+%s SCANSTATE_EXPR_DCCP
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
@@ -220,6 +221,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_RT
%s SCANSTATE_EXPR_SCTP_CHUNK
%s SCANSTATE_EXPR_SOCKET
+%s SCANSTATE_EXPR_TH
%s SCANSTATE_EXPR_UDP
%s SCANSTATE_EXPR_UDPLITE
@@ -422,7 +424,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"ll" { return LL_HDR; }
"nh" { return NETWORK_HDR; }
-"th" { return TRANSPORT_HDR; }
+"th" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_TH); return TRANSPORT_HDR; }
"bridge" { return BRIDGE; }
@@ -558,13 +560,17 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_EXPR_UDPLITE>{
"csumcov" { return CSUMCOV; }
}
-"sport" { return SPORT; }
-"dport" { return DPORT; }
+<SCANSTATE_EXPR_DCCP,SCANSTATE_SCTP,SCANSTATE_TCP,SCANSTATE_EXPR_TH,SCANSTATE_EXPR_UDP,SCANSTATE_EXPR_UDPLITE>{
+ "sport" { return SPORT; }
+}
+<SCANSTATE_CT,SCANSTATE_EXPR_DCCP,SCANSTATE_SCTP,SCANSTATE_TCP,SCANSTATE_EXPR_TH,SCANSTATE_EXPR_UDP,SCANSTATE_EXPR_UDPLITE>{
+ "dport" { return DPORT; }
+}
"port" { return PORT; }
"tcp" { scanner_push_start_cond(yyscanner, SCANSTATE_TCP); return TCP; }
-"dccp" { return DCCP; }
+"dccp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_DCCP); return DCCP; }
"sctp" { scanner_push_start_cond(yyscanner, SCANSTATE_SCTP); return SCTP; }
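Review bot: The start-condition lists for "sport" and "dport" differ: "dport" is also accepted in SCANSTATE_CT, "sport" is not. The commit message only says both keywords may now be isolated, so please name the ct rule that needs DPORT (and state that none needs SPORT), either there or in a comment above the two blocks, so the asymmetry is not taken for an omission later.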
--
2.34.1
* [nft PATCH 12/26] scanner: osf: Move to own scope
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (10 preceding siblings ...)
2022-02-19 13:27 ` [nft PATCH 11/26] scanner: dccp, th: Move to own scopes Phil Sutter
@ 2022-02-19 13:28 ` Phil Sutter
2022-02-19 13:28 ` [nft PATCH 13/26] scanner: ah, esp: Move to own scopes Phil Sutter
` (14 subsequent siblings)
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
It shares two keywords with PARSER_SC_IP.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 5 +++--
src/scanner.l | 13 +++++++++----
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index ab372ad0bae88..82402dbc54a70 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -51,6 +51,7 @@ enum startcond_type {
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
+ PARSER_SC_EXPR_OSF,
PARSER_SC_EXPR_QUEUE,
PARSER_SC_EXPR_RT,
PARSER_SC_EXPR_SCTP_CHUNK,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index adfaa460caf36..2deee99394999 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -943,6 +943,7 @@ close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC)
close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+close_scope_osf : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
@@ -4104,11 +4105,11 @@ fib_tuple : fib_flag DOT fib_tuple
| fib_flag
;
-osf_expr : OSF osf_ttl HDRVERSION
+osf_expr : OSF osf_ttl HDRVERSION close_scope_osf
{
$$ = osf_expr_alloc(&@$, $2, NFT_OSF_F_VERSION);
}
- | OSF osf_ttl NAME
+ | OSF osf_ttl NAME close_scope_osf
{
$$ = osf_expr_alloc(&@$, $2, 0);
}
diff --git a/src/scanner.l b/src/scanner.l
index ed26811c5d906..65640ebbf40eb 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -217,6 +217,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
+%s SCANSTATE_EXPR_OSF
%s SCANSTATE_EXPR_QUEUE
%s SCANSTATE_EXPR_RT
%s SCANSTATE_EXPR_SCTP_CHUNK
@@ -367,7 +368,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"counter" { scanner_push_start_cond(yyscanner, SCANSTATE_COUNTER); return COUNTER; }
-"name" { return NAME; }
+<SCANSTATE_COUNTER,SCANSTATE_LIMIT,SCANSTATE_QUOTA,SCANSTATE_STMT_SYNPROXY,SCANSTATE_EXPR_OSF>"name" { return NAME; }
<SCANSTATE_COUNTER,SCANSTATE_CT,SCANSTATE_LIMIT>"packets" { return PACKETS; }
<SCANSTATE_COUNTER,SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"bytes" { return BYTES; }
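Review bot: "name" goes from a global keyword to one accepted in only five start conditions (counter, limit, quota, synproxy, osf), but the commit message mentions just the two keywords shared with PARSER_SC_IP. Since this line changes how "name" is tokenised everywhere outside those scopes, please mention it in the commit message and confirm that no grammar rule outside these five scopes takes NAME.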
@@ -456,13 +457,17 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"ip" { scanner_push_start_cond(yyscanner, SCANSTATE_IP); return IP; }
-"version" { return HDRVERSION; }
+<SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_EXPR_OSF>{
+ "version" { return HDRVERSION; }
+}
"hdrlength" { return HDRLENGTH; }
"dscp" { return DSCP; }
"ecn" { return ECN; }
"length" { return LENGTH; }
"frag-off" { return FRAG_OFF; }
-"ttl" { return TTL; }
+<SCANSTATE_EXPR_OSF,SCANSTATE_IP>{
+ "ttl" { return TTL; }
+}
"protocol" { return PROTOCOL; }
"checksum" { return CHECKSUM; }
@@ -705,7 +710,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"fib" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_FIB); return FIB; }
-"osf" { return OSF; }
+"osf" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_OSF); return OSF; }
"synproxy" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_SYNPROXY); return SYNPROXY; }
<SCANSTATE_STMT_SYNPROXY>{
--
2.34.1
* [nft PATCH 13/26] scanner: ah, esp: Move to own scopes
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (11 preceding siblings ...)
2022-02-19 13:28 ` [nft PATCH 12/26] scanner: osf: Move to own scope Phil Sutter
@ 2022-02-19 13:28 ` Phil Sutter
2022-02-19 13:28 ` [nft PATCH 14/26] scanner: dst, frag, hbh, mh: " Phil Sutter
` (13 subsequent siblings)
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
They share 'sequence' keyword with icmp and tcp expressions.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 2 ++
src/parser_bison.y | 10 ++++++----
src/scanner.l | 12 ++++++++----
3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 82402dbc54a70..7283a6e065289 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -45,8 +45,10 @@ enum startcond_type {
PARSER_SC_TCP,
PARSER_SC_VLAN,
PARSER_SC_CMD_LIST,
+ PARSER_SC_EXPR_AH,
PARSER_SC_EXPR_COMP,
PARSER_SC_EXPR_DCCP,
+ PARSER_SC_EXPR_ESP,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 2deee99394999..71530591d3994 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -926,11 +926,13 @@ opt_newline : NEWLINE
| /* empty */
;
+close_scope_ah : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_AH); };
close_scope_arp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ARP); };
close_scope_comp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_COMP); };
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_counter : { scanner_pop_start_cond(nft->scanner, PARSER_SC_COUNTER); };
close_scope_dccp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DCCP); };
+close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); };
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
@@ -4784,14 +4786,14 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | ESP
+ | ESP close_scope_esp
{
uint8_t data = IPPROTO_ESP;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | AH
+ | AH close_scope_ah
{
uint8_t data = IPPROTO_AH;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5447,7 +5449,7 @@ icmp6_hdr_field : TYPE { $$ = ICMP6HDR_TYPE; }
| MAXDELAY { $$ = ICMP6HDR_MAXDELAY; }
;
-auth_hdr_expr : AH auth_hdr_field
+auth_hdr_expr : AH auth_hdr_field close_scope_ah
{
$$ = payload_expr_alloc(&@$, &proto_ah, $2);
}
@@ -5460,7 +5462,7 @@ auth_hdr_field : NEXTHDR { $$ = AHHDR_NEXTHDR; }
| SEQUENCE { $$ = AHHDR_SEQUENCE; }
;
-esp_hdr_expr : ESP esp_hdr_field
+esp_hdr_expr : ESP esp_hdr_field close_scope_esp
{
$$ = payload_expr_alloc(&@$, &proto_esp, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index 65640ebbf40eb..7c4d8b7f904c4 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -211,8 +211,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_TCP
%s SCANSTATE_VLAN
%s SCANSTATE_CMD_LIST
+%s SCANSTATE_EXPR_AH
%s SCANSTATE_EXPR_COMP
%s SCANSTATE_EXPR_DCCP
+%s SCANSTATE_EXPR_ESP
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
@@ -532,7 +534,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"max-delay" { return MAXDELAY; }
"mtu" { return MTU; }
}
-"sequence" { return SEQUENCE; }
+<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_ESP,SCANSTATE_ICMP,SCANSTATE_TCP>{
+ "sequence" { return SEQUENCE; }
+}
"igmp" { scanner_push_start_cond(yyscanner, SCANSTATE_IGMP); return IGMP; }
<SCANSTATE_IGMP>{
@@ -548,11 +552,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"nexthdr" { return NEXTHDR; }
-"ah" { return AH; }
+"ah" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_AH); return AH; }
"reserved" { return RESERVED; }
-"spi" { return SPI; }
+<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_ESP,SCANSTATE_EXPR_IPSEC>"spi" { return SPI; }
-"esp" { return ESP; }
+"esp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_ESP); return ESP; }
"comp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_COMP); return COMP; }
<SCANSTATE_EXPR_COMP>{
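Review bot: "spi" is scoped together with SCANSTATE_EXPR_IPSEC on the added line, which the commit message does not mention (it names only 'sequence'); please add that. As a style point, "spi" uses the single-line form with the state list in front of the pattern while "sequence" in the previous hunk uses the braced block form for the same kind of single-keyword scope; pick one.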
--
2.34.1
* [nft PATCH 14/26] scanner: dst, frag, hbh, mh: Move to own scopes
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (12 preceding siblings ...)
2022-02-19 13:28 ` [nft PATCH 13/26] scanner: ah, esp: Move to own scopes Phil Sutter
@ 2022-02-19 13:28 ` Phil Sutter
2022-02-19 13:28 ` [nft PATCH 15/26] scanner: type: Move to own scope Phil Sutter
` (12 subsequent siblings)
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
These are the remaining IPv6 extension header expressions; only the rt
expression was scoped already.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 4 ++++
src/parser_bison.y | 20 ++++++++++++--------
src/scanner.l | 36 +++++++++++++++++++++++++-----------
3 files changed, 41 insertions(+), 19 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 7283a6e065289..30ddef0326fae 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -48,10 +48,14 @@ enum startcond_type {
PARSER_SC_EXPR_AH,
PARSER_SC_EXPR_COMP,
PARSER_SC_EXPR_DCCP,
+ PARSER_SC_EXPR_DST,
PARSER_SC_EXPR_ESP,
PARSER_SC_EXPR_FIB,
+ PARSER_SC_EXPR_FRAG,
PARSER_SC_EXPR_HASH,
+ PARSER_SC_EXPR_HBH,
PARSER_SC_EXPR_IPSEC,
+ PARSER_SC_EXPR_MH,
PARSER_SC_EXPR_NUMGEN,
PARSER_SC_EXPR_OSF,
PARSER_SC_EXPR_QUEUE,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 71530591d3994..eb4ac1a603206 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -932,10 +932,13 @@ close_scope_comp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_COMP);
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_counter : { scanner_pop_start_cond(nft->scanner, PARSER_SC_COUNTER); };
close_scope_dccp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DCCP); };
+close_scope_dst : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DST); };
close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); };
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
+close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_hbh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HBH); };
close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
@@ -944,6 +947,7 @@ close_scope_igmp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IGMP); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
+close_scope_mh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_MH); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_osf : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
@@ -5765,7 +5769,7 @@ exthdr_expr : hbh_hdr_expr
| mh_hdr_expr
;
-hbh_hdr_expr : HBH hbh_hdr_field
+hbh_hdr_expr : HBH hbh_hdr_field close_scope_hbh
{
$$ = exthdr_expr_alloc(&@$, &exthdr_hbh, $2);
}
@@ -5823,7 +5827,7 @@ rt4_hdr_field : LAST_ENT { $$ = RT4HDR_LASTENT; }
}
;
-frag_hdr_expr : FRAG frag_hdr_field
+frag_hdr_expr : FRAG frag_hdr_field close_scope_frag
{
$$ = exthdr_expr_alloc(&@$, &exthdr_frag, $2);
}
@@ -5837,7 +5841,7 @@ frag_hdr_field : NEXTHDR { $$ = FRAGHDR_NEXTHDR; }
| ID { $$ = FRAGHDR_ID; }
;
-dst_hdr_expr : DST dst_hdr_field
+dst_hdr_expr : DST dst_hdr_field close_scope_dst
{
$$ = exthdr_expr_alloc(&@$, &exthdr_dst, $2);
}
@@ -5847,7 +5851,7 @@ dst_hdr_field : NEXTHDR { $$ = DSTHDR_NEXTHDR; }
| HDRLENGTH { $$ = DSTHDR_HDRLENGTH; }
;
-mh_hdr_expr : MH mh_hdr_field
+mh_hdr_expr : MH mh_hdr_field close_scope_mh
{
$$ = exthdr_expr_alloc(&@$, &exthdr_mh, $2);
}
@@ -5874,11 +5878,11 @@ exthdr_exists_expr : EXTHDR exthdr_key
}
;
-exthdr_key : HBH { $$ = IPPROTO_HOPOPTS; }
+exthdr_key : HBH close_scope_hbh { $$ = IPPROTO_HOPOPTS; }
| RT close_scope_rt { $$ = IPPROTO_ROUTING; }
- | FRAG { $$ = IPPROTO_FRAGMENT; }
- | DST { $$ = IPPROTO_DSTOPTS; }
- | MH { $$ = IPPROTO_MH; }
+ | FRAG close_scope_frag { $$ = IPPROTO_FRAGMENT; }
+ | DST close_scope_dst { $$ = IPPROTO_DSTOPTS; }
+ | MH close_scope_mh { $$ = IPPROTO_MH; }
;
%%
diff --git a/src/scanner.l b/src/scanner.l
index 7c4d8b7f904c4..e632d825f9ed8 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -214,10 +214,14 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_AH
%s SCANSTATE_EXPR_COMP
%s SCANSTATE_EXPR_DCCP
+%s SCANSTATE_EXPR_DST
%s SCANSTATE_EXPR_ESP
%s SCANSTATE_EXPR_FIB
+%s SCANSTATE_EXPR_FRAG
%s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_HBH
%s SCANSTATE_EXPR_IPSEC
+%s SCANSTATE_EXPR_MH
%s SCANSTATE_EXPR_NUMGEN
%s SCANSTATE_EXPR_OSF
%s SCANSTATE_EXPR_QUEUE
@@ -440,7 +444,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"typeof" { return TYPEOF; }
"vlan" { scanner_push_start_cond(yyscanner, SCANSTATE_VLAN); return VLAN; }
-"id" { return ID; }
+<SCANSTATE_CT,SCANSTATE_EXPR_FRAG,SCANSTATE_VLAN,SCANSTATE_IP,SCANSTATE_ICMP>"id" { return ID; }
<SCANSTATE_VLAN>{
"cfi" { return CFI; }
"dei" { return DEI; }
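Review bot: The state list on the added "id" line is not in the alphabetical order the other lists in this patch follow (compare the "hdrlength" and "checksum" blocks in the next hunk): SCANSTATE_VLAN comes before SCANSTATE_IP and SCANSTATE_ICMP. Suggest <SCANSTATE_CT,SCANSTATE_EXPR_FRAG,SCANSTATE_ICMP,SCANSTATE_IP,SCANSTATE_VLAN> so that later additions are easy to diff and audit.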
@@ -462,16 +466,22 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_EXPR_OSF>{
"version" { return HDRVERSION; }
}
-"hdrlength" { return HDRLENGTH; }
+<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_DST,SCANSTATE_EXPR_HBH,SCANSTATE_EXPR_MH,SCANSTATE_EXPR_RT,SCANSTATE_IP>{
+ "hdrlength" { return HDRLENGTH; }
+}
"dscp" { return DSCP; }
"ecn" { return ECN; }
"length" { return LENGTH; }
-"frag-off" { return FRAG_OFF; }
+<SCANSTATE_EXPR_FRAG,SCANSTATE_IP>{
+ "frag-off" { return FRAG_OFF; }
+}
<SCANSTATE_EXPR_OSF,SCANSTATE_IP>{
"ttl" { return TTL; }
}
"protocol" { return PROTOCOL; }
-"checksum" { return CHECKSUM; }
+<SCANSTATE_EXPR_MH,SCANSTATE_EXPR_UDP,SCANSTATE_EXPR_UDPLITE,SCANSTATE_ICMP,SCANSTATE_IGMP,SCANSTATE_IP,SCANSTATE_SCTP,SCANSTATE_TCP>{
+ "checksum" { return CHECKSUM; }
+}
<SCANSTATE_IP>{
"lsrr" { return LSRR; }
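Review bot: The lists in front of "hdrlength" and "checksum" have no comment tying them to the grammar, and they now have to be kept in sync by hand with every *_hdr_field rule in parser_bison.y. A header that gains one of these fields without its scope being added here will no longer get the keyword token, so a one-line comment above each block naming the rules it serves would make that dependency visible to whoever extends the grammar next.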
@@ -553,7 +563,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"nexthdr" { return NEXTHDR; }
"ah" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_AH); return AH; }
-"reserved" { return RESERVED; }
+<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_FRAG,SCANSTATE_EXPR_MH,SCANSTATE_TCP>{
+ "reserved" { return RESERVED; }
+}
<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_ESP,SCANSTATE_EXPR_IPSEC>"spi" { return SPI; }
"esp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_ESP); return ESP; }
@@ -634,15 +646,17 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"tag" { return TAG; }
"sid" { return SID; }
-"hbh" { return HBH; }
+"hbh" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HBH); return HBH; }
-"frag" { return FRAG; }
-"reserved2" { return RESERVED2; }
-"more-fragments" { return MORE_FRAGMENTS; }
+"frag" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_FRAG); return FRAG; }
+<SCANSTATE_EXPR_FRAG>{
+ "reserved2" { return RESERVED2; }
+ "more-fragments" { return MORE_FRAGMENTS; }
+}
-"dst" { return DST; }
+"dst" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_DST); return DST; }
-"mh" { return MH; }
+"mh" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_MH); return MH; }
"meta" { return META; }
"mark" { return MARK; }
--
2.34.1
* [nft PATCH 15/26] scanner: type: Move to own scope
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (13 preceding siblings ...)
2022-02-19 13:28 ` [nft PATCH 14/26] scanner: dst, frag, hbh, mh: " Phil Sutter
@ 2022-02-19 13:28 ` Phil Sutter
2022-02-19 13:28 ` [nft PATCH 16/26] scanner: rt: Extend scope over rt0, rt2 and srh Phil Sutter
` (11 subsequent siblings)
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
As a side-effect, this fixes use of 'classid' as set data type.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 65 +++++++++++++++++++++++-----------------------
src/scanner.l | 15 ++++++++---
3 files changed, 45 insertions(+), 36 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 30ddef0326fae..072fea24eb0bd 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -43,6 +43,7 @@ enum startcond_type {
PARSER_SC_SCTP,
PARSER_SC_SECMARK,
PARSER_SC_TCP,
+ PARSER_SC_TYPE,
PARSER_SC_VLAN,
PARSER_SC_CMD_LIST,
PARSER_SC_EXPR_AH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index eb4ac1a603206..c8fb154353924 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -958,6 +958,7 @@ close_scope_sctp_chunk : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_S
close_scope_secmark : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
close_scope_tcp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); };
+close_scope_type : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TYPE); };
close_scope_th : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_TH); };
close_scope_udp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDP); };
close_scope_udplite : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDPLITE); };
@@ -1918,7 +1919,7 @@ set_block_alloc : /* empty */
set_block : /* empty */ { $$ = $<set>-1; }
| set_block common_block
| set_block stmt_separator
- | set_block TYPE data_type_expr stmt_separator
+ | set_block TYPE data_type_expr stmt_separator close_scope_type
{
$1->key = $3;
$$ = $1;
@@ -2012,7 +2013,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
}
| map_block TYPE
data_type_expr COLON data_type_expr
- stmt_separator
+ stmt_separator close_scope_type
{
$1->key = $3;
$1->data = $5;
@@ -2022,7 +2023,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
}
| map_block TYPE
data_type_expr COLON INTERVAL data_type_expr
- stmt_separator
+ stmt_separator close_scope_type
{
$1->key = $3;
$1->data = $6;
@@ -2056,7 +2057,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
}
| map_block TYPE
data_type_expr COLON map_block_obj_type
- stmt_separator
+ stmt_separator close_scope_type
{
$1->key = $3;
$1->objtype = $5;
@@ -2373,33 +2374,33 @@ type_identifier : STRING { $$ = $1; }
| CLASSID { $$ = xstrdup("classid"); }
;
-hook_spec : TYPE STRING HOOK STRING dev_spec prio_spec
+hook_spec : TYPE close_scope_type STRING HOOK STRING dev_spec prio_spec
{
- const char *chain_type = chain_type_name_lookup($2);
+ const char *chain_type = chain_type_name_lookup($3);
if (chain_type == NULL) {
- erec_queue(error(&@2, "unknown chain type"),
+ erec_queue(error(&@3, "unknown chain type"),
state->msgs);
- xfree($2);
+ xfree($3);
YYERROR;
}
- $<chain>0->type.loc = @2;
+ $<chain>0->type.loc = @3;
$<chain>0->type.str = xstrdup(chain_type);
- xfree($2);
+ xfree($3);
$<chain>0->loc = @$;
- $<chain>0->hook.loc = @4;
- $<chain>0->hook.name = chain_hookname_lookup($4);
+ $<chain>0->hook.loc = @5;
+ $<chain>0->hook.name = chain_hookname_lookup($5);
if ($<chain>0->hook.name == NULL) {
- erec_queue(error(&@4, "unknown chain hook"),
+ erec_queue(error(&@5, "unknown chain hook"),
state->msgs);
- xfree($4);
+ xfree($5);
YYERROR;
}
- xfree($4);
+ xfree($5);
- $<chain>0->dev_expr = $5;
- $<chain>0->priority = $6;
+ $<chain>0->dev_expr = $6;
+ $<chain>0->priority = $7;
$<chain>0->flags |= CHAIN_F_BASECHAIN;
}
;
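Review bot: In hook_spec, close_scope_type is placed directly after TYPE, which shifts every positional reference in the action by one, whereas set_block, map_block and ct_helper_config in this same patch append it after stmt_separator and keep their references unchanged. The renumbering in the visible lines is consistent ($2/@2 to $3/@3, $4/@4 to $5/@5, $5 to $6, $6 to $7), but the reason for closing early only here is not stated. If the intent is to keep the chain type STRING out of the type scope, please say so in a comment next to the rule, and note in the commit message why the set and map rules can afford to close late.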
@@ -3355,7 +3356,7 @@ reject_opts : /* empty */
$<stmt>0->reject.type = -1;
$<stmt>0->reject.icmp_code = -1;
}
- | WITH ICMP TYPE reject_with_expr close_scope_icmp
+ | WITH ICMP TYPE reject_with_expr close_scope_type close_scope_icmp
{
$<stmt>0->reject.family = NFPROTO_IPV4;
$<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
@@ -3369,7 +3370,7 @@ reject_opts : /* empty */
$<stmt>0->reject.expr = $3;
datatype_set($<stmt>0->reject.expr, &icmp_code_type);
}
- | WITH ICMP6 TYPE reject_with_expr close_scope_icmp
+ | WITH ICMP6 TYPE reject_with_expr close_scope_type close_scope_icmp
{
$<stmt>0->reject.family = NFPROTO_IPV6;
$<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
@@ -3383,7 +3384,7 @@ reject_opts : /* empty */
$<stmt>0->reject.expr = $3;
datatype_set($<stmt>0->reject.expr, &icmpv6_code_type);
}
- | WITH ICMPX TYPE reject_with_expr
+ | WITH ICMPX TYPE reject_with_expr close_scope_type
{
$<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH;
$<stmt>0->reject.expr = $4;
@@ -4094,7 +4095,7 @@ fib_expr : FIB fib_tuple fib_result close_scope_fib
fib_result : OIF { $$ =NFT_FIB_RESULT_OIF; }
| OIFNAME { $$ =NFT_FIB_RESULT_OIFNAME; }
- | TYPE { $$ =NFT_FIB_RESULT_ADDRTYPE; }
+ | TYPE close_scope_type { $$ =NFT_FIB_RESULT_ADDRTYPE; }
;
fib_flag : SADDR { $$ = NFTA_FIB_F_SADDR; }
@@ -4499,7 +4500,7 @@ ct_l4protoname : TCP close_scope_tcp { $$ = IPPROTO_TCP; }
| UDP close_scope_udp { $$ = IPPROTO_UDP; }
;
-ct_helper_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_separator
+ct_helper_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_separator close_scope_type
{
struct ct_helper *ct;
int ret;
@@ -5315,7 +5316,7 @@ eth_hdr_expr : ETHER eth_hdr_field close_scope_eth
eth_hdr_field : SADDR { $$ = ETHHDR_SADDR; }
| DADDR { $$ = ETHHDR_DADDR; }
- | TYPE { $$ = ETHHDR_TYPE; }
+ | TYPE close_scope_type { $$ = ETHHDR_TYPE; }
;
vlan_hdr_expr : VLAN vlan_hdr_field close_scope_vlan
@@ -5328,7 +5329,7 @@ vlan_hdr_field : ID { $$ = VLANHDR_VID; }
| CFI { $$ = VLANHDR_CFI; }
| DEI { $$ = VLANHDR_DEI; }
| PCP { $$ = VLANHDR_PCP; }
- | TYPE { $$ = VLANHDR_TYPE; }
+ | TYPE close_scope_type { $$ = VLANHDR_TYPE; }
;
arp_hdr_expr : ARP arp_hdr_field close_scope_arp
@@ -5387,7 +5388,7 @@ ip_option_type : LSRR { $$ = IPOPT_LSRR; }
| RA { $$ = IPOPT_RA; }
;
-ip_option_field : TYPE { $$ = IPOPT_FIELD_TYPE; }
+ip_option_field : TYPE close_scope_type { $$ = IPOPT_FIELD_TYPE; }
| LENGTH { $$ = IPOPT_FIELD_LENGTH; }
| VALUE { $$ = IPOPT_FIELD_VALUE; }
| PTR { $$ = IPOPT_FIELD_PTR; }
@@ -5400,7 +5401,7 @@ icmp_hdr_expr : ICMP icmp_hdr_field close_scope_icmp
}
;
-icmp_hdr_field : TYPE { $$ = ICMPHDR_TYPE; }
+icmp_hdr_field : TYPE close_scope_type { $$ = ICMPHDR_TYPE; }
| CODE { $$ = ICMPHDR_CODE; }
| CHECKSUM { $$ = ICMPHDR_CHECKSUM; }
| ID { $$ = ICMPHDR_ID; }
@@ -5415,7 +5416,7 @@ igmp_hdr_expr : IGMP igmp_hdr_field close_scope_igmp
}
;
-igmp_hdr_field : TYPE { $$ = IGMPHDR_TYPE; }
+igmp_hdr_field : TYPE close_scope_type { $$ = IGMPHDR_TYPE; }
| CHECKSUM { $$ = IGMPHDR_CHECKSUM; }
| MRT { $$ = IGMPHDR_MRT; }
| GROUP { $$ = IGMPHDR_GROUP; }
@@ -5443,7 +5444,7 @@ icmp6_hdr_expr : ICMP6 icmp6_hdr_field close_scope_icmp
}
;
-icmp6_hdr_field : TYPE { $$ = ICMP6HDR_TYPE; }
+icmp6_hdr_field : TYPE close_scope_type { $$ = ICMP6HDR_TYPE; }
| CODE { $$ = ICMP6HDR_CODE; }
| CHECKSUM { $$ = ICMP6HDR_CHECKSUM; }
| PPTR { $$ = ICMP6HDR_PPTR; }
@@ -5627,7 +5628,7 @@ dccp_hdr_expr : DCCP dccp_hdr_field close_scope_dccp
dccp_hdr_field : SPORT { $$ = DCCPHDR_SPORT; }
| DPORT { $$ = DCCPHDR_DPORT; }
- | TYPE { $$ = DCCPHDR_TYPE; }
+ | TYPE close_scope_type { $$ = DCCPHDR_TYPE; }
;
sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; }
@@ -5650,7 +5651,7 @@ sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; }
| ASCONF { $$ = SCTP_CHUNK_TYPE_ASCONF; }
;
-sctp_chunk_common_field : TYPE { $$ = SCTP_CHUNK_COMMON_TYPE; }
+sctp_chunk_common_field : TYPE close_scope_type { $$ = SCTP_CHUNK_COMMON_TYPE; }
| FLAGS { $$ = SCTP_CHUNK_COMMON_FLAGS; }
| LENGTH { $$ = SCTP_CHUNK_COMMON_LENGTH; }
;
@@ -5787,7 +5788,7 @@ rt_hdr_expr : RT rt_hdr_field close_scope_rt
rt_hdr_field : NEXTHDR { $$ = RTHDR_NEXTHDR; }
| HDRLENGTH { $$ = RTHDR_HDRLENGTH; }
- | TYPE { $$ = RTHDR_TYPE; }
+ | TYPE close_scope_type { $$ = RTHDR_TYPE; }
| SEG_LEFT { $$ = RTHDR_SEG_LEFT; }
;
@@ -5859,7 +5860,7 @@ mh_hdr_expr : MH mh_hdr_field close_scope_mh
mh_hdr_field : NEXTHDR { $$ = MHHDR_NEXTHDR; }
| HDRLENGTH { $$ = MHHDR_HDRLENGTH; }
- | TYPE { $$ = MHHDR_TYPE; }
+ | TYPE close_scope_type { $$ = MHHDR_TYPE; }
| RESERVED { $$ = MHHDR_RESERVED; }
| CHECKSUM { $$ = MHHDR_CHECKSUM; }
;
diff --git a/src/scanner.l b/src/scanner.l
index e632d825f9ed8..eb8c3a130aac9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -209,6 +209,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_SCTP
%s SCANSTATE_SECMARK
%s SCANSTATE_TCP
+%s SCANSTATE_TYPE
%s SCANSTATE_VLAN
%s SCANSTATE_CMD_LIST
%s SCANSTATE_EXPR_AH
@@ -440,7 +441,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"saddr" { return SADDR; }
"daddr" { return DADDR; }
}
-"type" { return TYPE; }
+"type" { scanner_push_start_cond(yyscanner, SCANSTATE_TYPE); return TYPE; }
"typeof" { return TYPEOF; }
"vlan" { scanner_push_start_cond(yyscanner, SCANSTATE_VLAN); return VLAN; }
@@ -469,7 +470,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_DST,SCANSTATE_EXPR_HBH,SCANSTATE_EXPR_MH,SCANSTATE_EXPR_RT,SCANSTATE_IP>{
"hdrlength" { return HDRLENGTH; }
}
-"dscp" { return DSCP; }
+<SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_TYPE>{
+ "dscp" { return DSCP; }
+}
"ecn" { return ECN; }
"length" { return LENGTH; }
<SCANSTATE_EXPR_FRAG,SCANSTATE_IP>{
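Review bot: nothing in this block says why SCANSTATE_TYPE is listed next to SCANSTATE_IP and SCANSTATE_IP6 for "dscp", and the same goes for "classid" in `<SCANSTATE_EXPR_RT,SCANSTATE_TYPE>` further down. Someone tidying the scanner later could drop SCANSTATE_TYPE as unrelated. A one-line comment naming the grammar rule that needs these words after "type" would prevent that.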
@@ -560,7 +563,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"flowlabel" { return FLOWLABEL; }
"hoplimit" { return HOPLIMIT; }
}
-"nexthdr" { return NEXTHDR; }
+<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_COMP,SCANSTATE_EXPR_DST,SCANSTATE_EXPR_FRAG,SCANSTATE_EXPR_HBH,SCANSTATE_EXPR_MH,SCANSTATE_EXPR_RT,SCANSTATE_IP6>{
+ "nexthdr" { return NEXTHDR; }
+}
"ah" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_AH); return AH; }
<SCANSTATE_EXPR_AH,SCANSTATE_EXPR_FRAG,SCANSTATE_EXPR_MH,SCANSTATE_TCP>{
@@ -681,11 +686,13 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"cgroup" { return CGROUP; }
<SCANSTATE_EXPR_RT>{
- "classid" { return CLASSID; }
"nexthop" { return NEXTHOP; }
"seg-left" { return SEG_LEFT; }
"mtu" { return MTU; }
}
+<SCANSTATE_EXPR_RT,SCANSTATE_TYPE>{
+ "classid" { return CLASSID; }
+}
"ct" { scanner_push_start_cond(yyscanner, SCANSTATE_CT); return CT; }
<SCANSTATE_CT>{
--
2.34.1
* [nft PATCH 16/26] scanner: rt: Extend scope over rt0, rt2 and srh
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
These are technically all just routing headers with different types, so
unify them under the same scope.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_bison.y | 6 +++---
src/scanner.l | 12 ++++++------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index c8fb154353924..a4f98e59e282a 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -5792,7 +5792,7 @@ rt_hdr_field : NEXTHDR { $$ = RTHDR_NEXTHDR; }
| SEG_LEFT { $$ = RTHDR_SEG_LEFT; }
;
-rt0_hdr_expr : RT0 rt0_hdr_field
+rt0_hdr_expr : RT0 rt0_hdr_field close_scope_rt
{
$$ = exthdr_expr_alloc(&@$, &exthdr_rt0, $2);
}
@@ -5804,7 +5804,7 @@ rt0_hdr_field : ADDR '[' NUM ']'
}
;
-rt2_hdr_expr : RT2 rt2_hdr_field
+rt2_hdr_expr : RT2 rt2_hdr_field close_scope_rt
{
$$ = exthdr_expr_alloc(&@$, &exthdr_rt2, $2);
}
@@ -5813,7 +5813,7 @@ rt2_hdr_expr : RT2 rt2_hdr_field
rt2_hdr_field : ADDR { $$ = RT2HDR_ADDR; }
;
-rt4_hdr_expr : RT4 rt4_hdr_field
+rt4_hdr_expr : RT4 rt4_hdr_field close_scope_rt
{
$$ = exthdr_expr_alloc(&@$, &exthdr_rt4, $2);
}
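Review bot: rt2_hdr_field here and rt0_hdr_field in the previous hunk both take ADDR, yet the scanner part of this patch leaves "addr" as a global keyword while it moves "last-entry", "tag" and "sid" into SCANSTATE_EXPR_RT. If ADDR has no user outside the routing headers, it can move into the same block; if it has, a word in the commit message would explain why it stays global.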
diff --git a/src/scanner.l b/src/scanner.l
index eb8c3a130aac9..6975d9f226ef2 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -643,13 +643,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"rt" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT; }
-"rt0" { return RT0; }
-"rt2" { return RT2; }
-"srh" { return RT4; }
+"rt0" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT0; }
+"rt2" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT2; }
+"srh" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT4; }
"addr" { return ADDR; }
-"last-entry" { return LAST_ENT; }
-"tag" { return TAG; }
-"sid" { return SID; }
"hbh" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HBH); return HBH; }
@@ -689,6 +686,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"nexthop" { return NEXTHOP; }
"seg-left" { return SEG_LEFT; }
"mtu" { return MTU; }
+ "last-entry" { return LAST_ENT; }
+ "tag" { return TAG; }
+ "sid" { return SID; }
}
<SCANSTATE_EXPR_RT,SCANSTATE_TYPE>{
"classid" { return CLASSID; }
--
2.34.1
* [nft PATCH 17/26] scanner: monitor: Move to own Scope
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Some keywords are shared with list command.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 3 ++-
src/scanner.l | 17 +++++++++++------
3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 072fea24eb0bd..09499f08119bf 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -46,6 +46,7 @@ enum startcond_type {
PARSER_SC_TYPE,
PARSER_SC_VLAN,
PARSER_SC_CMD_LIST,
+ PARSER_SC_CMD_MONITOR,
PARSER_SC_EXPR_AH,
PARSER_SC_EXPR_COMP,
PARSER_SC_EXPR_DCCP,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a4f98e59e282a..6965872a760f1 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -948,6 +948,7 @@ close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC)
close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
close_scope_mh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_MH); };
+close_scope_monitor : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_MONITOR); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_osf : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
@@ -1052,7 +1053,7 @@ base_cmd : /* empty */ add_cmd { $$ = $1; }
| RENAME rename_cmd { $$ = $2; }
| IMPORT import_cmd { $$ = $2; }
| EXPORT export_cmd { $$ = $2; }
- | MONITOR monitor_cmd { $$ = $2; }
+ | MONITOR monitor_cmd close_scope_monitor { $$ = $2; }
| DESCRIBE describe_cmd { $$ = $2; }
;
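Review bot: `close_scope_monitor` is reduced only after monitor_cmd has parsed successfully, so a syntax error inside the monitor arguments skips the pop. What resets the start condition stack on the error path? If nothing does, the next command read from the same input is scanned with SCANSTATE_CMD_MONITOR still active. The same question applies to the other `close_scope_*` rules placed at the end of a command in base_cmd.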
diff --git a/src/scanner.l b/src/scanner.l
index 6975d9f226ef2..ea369c0775025 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -212,6 +212,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_TYPE
%s SCANSTATE_VLAN
%s SCANSTATE_CMD_LIST
+%s SCANSTATE_CMD_MONITOR
%s SCANSTATE_EXPR_AH
%s SCANSTATE_EXPR_COMP
%s SCANSTATE_EXPR_DCCP
@@ -289,23 +290,27 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"describe" { return DESCRIBE; }
+<SCANSTATE_CMD_LIST,SCANSTATE_CMD_MONITOR>{
+ "chains" { return CHAINS; }
+ "sets" { return SETS; }
+ "tables" { return TABLES; }
+}
+<SCANSTATE_CMD_MONITOR>{
+ "rules" { return RULES; }
+ "trace" { return TRACE; }
+}
"hook" { return HOOK; }
"device" { return DEVICE; }
"devices" { return DEVICES; }
"table" { return TABLE; }
-"tables" { return TABLES; }
"chain" { return CHAIN; }
-"chains" { return CHAINS; }
"rule" { return RULE; }
-"rules" { return RULES; }
-"sets" { return SETS; }
"set" { return SET; }
"element" { return ELEMENT; }
"map" { return MAP; }
"flowtable" { return FLOWTABLE; }
"handle" { return HANDLE; }
"ruleset" { return RULESET; }
-"trace" { return TRACE; }
"socket" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_SOCKET); return SOCKET; }
<SCANSTATE_EXPR_SOCKET>{
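Review bot: this hunk changes what the scanner returns for five words, but the diffstat touches no file under tests/. "chains", "sets" and "tables" stop being keywords outside the list and monitor commands, and "rules" and "trace" outside monitor alone, so any other grammar rule taking RULES or TRACE would stop matching; worth confirming there is none. A test that uses one of these words as an object name outside list/monitor, plus one list or monitor invocation per keyword, would pin down both the new and the preserved behaviour.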
@@ -340,7 +345,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"rename" { return RENAME; }
"import" { return IMPORT; }
"export" { return EXPORT; }
-"monitor" { return MONITOR; }
+"monitor" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_MONITOR); return MONITOR; }
"position" { return POSITION; }
"index" { return INDEX; }
--
2.34.1
* [nft PATCH 18/26] scanner: reset: move to own Scope
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Isolate two more keywords shared with list command.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 7 ++++---
src/scanner.l | 9 ++++++---
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 09499f08119bf..0601b410a8458 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -47,6 +47,7 @@ enum startcond_type {
PARSER_SC_VLAN,
PARSER_SC_CMD_LIST,
PARSER_SC_CMD_MONITOR,
+ PARSER_SC_CMD_RESET,
PARSER_SC_EXPR_AH,
PARSER_SC_EXPR_COMP,
PARSER_SC_EXPR_DCCP,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 6965872a760f1..99b52cf41d25d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -953,6 +953,7 @@ close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGE
close_scope_osf : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
+close_scope_reset : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_RESET); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
close_scope_sctp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
close_scope_sctp_chunk : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SCTP_CHUNK); };
@@ -1048,7 +1049,7 @@ base_cmd : /* empty */ add_cmd { $$ = $1; }
| DELETE delete_cmd { $$ = $2; }
| GET get_cmd { $$ = $2; }
| LIST list_cmd close_scope_list { $$ = $2; }
- | RESET reset_cmd { $$ = $2; }
+ | RESET reset_cmd close_scope_reset { $$ = $2; }
| FLUSH flush_cmd { $$ = $2; }
| RENAME rename_cmd { $$ = $2; }
| IMPORT import_cmd { $$ = $2; }
@@ -3397,7 +3398,7 @@ reject_opts : /* empty */
$<stmt>0->reject.expr = $3;
datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
}
- | WITH TCP close_scope_tcp RESET
+ | WITH TCP close_scope_tcp RESET close_scope_reset
{
$<stmt>0->reject.type = NFT_REJECT_TCP_RST;
}
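Review bot: the RESET consumed here is the TCP RST reject option, not the reset command, yet the scanner part of this patch pushes SCANSTATE_CMD_RESET for every "reset" token and `close_scope_reset` exists in this rule only to pop it again. The name PARSER_SC_CMD_RESET hides that; a comment at the "reset" scanner rule listing the non-command users (this one and keyword_expr) would help. Also, can RESET be fetched as lookahead before `close_scope_tcp` is reduced? In that case the TCP pop runs with SCANSTATE_CMD_RESET already on top, and it is worth stating that scanner_pop_start_cond() copes with that order.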
@@ -4761,7 +4762,7 @@ keyword_expr : ETHER close_scope_eth { $$ = symbol_value(&@$, "ether"); }
| DNAT { $$ = symbol_value(&@$, "dnat"); }
| SNAT { $$ = symbol_value(&@$, "snat"); }
| ECN { $$ = symbol_value(&@$, "ecn"); }
- | RESET { $$ = symbol_value(&@$, "reset"); }
+ | RESET close_scope_reset { $$ = symbol_value(&@$, "reset"); }
| ORIGINAL { $$ = symbol_value(&@$, "original"); }
| REPLY { $$ = symbol_value(&@$, "reply"); }
| LABEL { $$ = symbol_value(&@$, "label"); }
diff --git a/src/scanner.l b/src/scanner.l
index ea369c0775025..8725295a210cb 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -213,6 +213,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_VLAN
%s SCANSTATE_CMD_LIST
%s SCANSTATE_CMD_MONITOR
+%s SCANSTATE_CMD_RESET
%s SCANSTATE_EXPR_AH
%s SCANSTATE_EXPR_COMP
%s SCANSTATE_EXPR_DCCP
@@ -340,7 +341,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"delete" { return DELETE; }
"get" { return GET; }
"list" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_LIST); return LIST; }
-"reset" { return RESET; }
+"reset" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_RESET); return RESET; }
"flush" { return FLUSH; }
"rename" { return RENAME; }
"import" { return IMPORT; }
@@ -384,8 +385,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_COUNTER,SCANSTATE_CT,SCANSTATE_LIMIT>"packets" { return PACKETS; }
<SCANSTATE_COUNTER,SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"bytes" { return BYTES; }
-"counters" { return COUNTERS; }
-"quotas" { return QUOTAS; }
+<SCANSTATE_CMD_LIST,SCANSTATE_CMD_RESET>{
+ "counters" { return COUNTERS; }
+ "quotas" { return QUOTAS; }
+}
"log" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_LOG); return LOG; }
"prefix" { return PREFIX; }
--
2.34.1
* [nft PATCH 19/26] scanner: import, export: Move to own scopes
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
In theory, one could use a common scope for both import and export
commands, their parameters are identical.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 2 ++
src/parser_bison.y | 6 ++++--
src/scanner.l | 14 +++++++++-----
3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 0601b410a8458..090fd78871a6e 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -45,6 +45,8 @@ enum startcond_type {
PARSER_SC_TCP,
PARSER_SC_TYPE,
PARSER_SC_VLAN,
+ PARSER_SC_CMD_EXPORT,
+ PARSER_SC_CMD_IMPORT,
PARSER_SC_CMD_LIST,
PARSER_SC_CMD_MONITOR,
PARSER_SC_CMD_RESET,
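Review bot: PARSER_SC_CMD_EXPORT and PARSER_SC_CMD_IMPORT guard exactly the same keywords: in the scanner part of this patch they only ever appear together, in `<SCANSTATE_CMD_EXPORT,SCANSTATE_CMD_IMPORT,SCANSTATE_CMD_MONITOR>`. The commit message already notes that one scope would do. Either merge them into a single start condition, which saves an enum value, a `%s` line and a close_scope rule, or state in the commit message why two are preferred.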
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 99b52cf41d25d..22e953eaf77e6 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -935,6 +935,7 @@ close_scope_dccp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DCCP);
close_scope_dst : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DST); };
close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); };
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
+close_scope_export : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_EXPORT); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
@@ -944,6 +945,7 @@ close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
close_scope_icmp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ICMP); };
close_scope_igmp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IGMP); };
+close_scope_import : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_IMPORT); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
@@ -1052,8 +1054,8 @@ base_cmd : /* empty */ add_cmd { $$ = $1; }
| RESET reset_cmd close_scope_reset { $$ = $2; }
| FLUSH flush_cmd { $$ = $2; }
| RENAME rename_cmd { $$ = $2; }
- | IMPORT import_cmd { $$ = $2; }
- | EXPORT export_cmd { $$ = $2; }
+ | IMPORT import_cmd close_scope_import { $$ = $2; }
+ | EXPORT export_cmd close_scope_export { $$ = $2; }
| MONITOR monitor_cmd close_scope_monitor { $$ = $2; }
| DESCRIBE describe_cmd { $$ = $2; }
;
diff --git a/src/scanner.l b/src/scanner.l
index 8725295a210cb..97545b7057ab7 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -211,6 +211,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_TCP
%s SCANSTATE_TYPE
%s SCANSTATE_VLAN
+%s SCANSTATE_CMD_EXPORT
+%s SCANSTATE_CMD_IMPORT
%s SCANSTATE_CMD_LIST
%s SCANSTATE_CMD_MONITOR
%s SCANSTATE_CMD_RESET
@@ -344,8 +346,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"reset" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_RESET); return RESET; }
"flush" { return FLUSH; }
"rename" { return RENAME; }
-"import" { return IMPORT; }
-"export" { return EXPORT; }
+"import" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_IMPORT); return IMPORT; }
+"export" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_EXPORT); return EXPORT; }
"monitor" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_MONITOR); return MONITOR; }
"position" { return POSITION; }
@@ -759,9 +761,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"all" { return ALL; }
-"xml" { return XML; }
-"json" { return JSON; }
-"vm" { return VM; }
+<SCANSTATE_CMD_EXPORT,SCANSTATE_CMD_IMPORT,SCANSTATE_CMD_MONITOR>{
+ "xml" { return XML; }
+ "json" { return JSON; }
+ "vm" { return VM; }
+}
"exists" { return EXISTS; }
"missing" { return MISSING; }
--
2.34.1
* [nft PATCH 20/26] scanner: reject: Move to own scope
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Two more keywords isolated.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 3 ++-
src/scanner.l | 9 ++++++---
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 090fd78871a6e..08bdeaca250b2 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -72,6 +72,7 @@ enum startcond_type {
PARSER_SC_EXPR_UDPLITE,
PARSER_SC_STMT_LOG,
+ PARSER_SC_STMT_REJECT,
PARSER_SC_STMT_SYNPROXY,
};
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 22e953eaf77e6..1cdf4cc88376f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -955,6 +955,7 @@ close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGE
close_scope_osf : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
+close_scope_reject : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_REJECT); };
close_scope_reset : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_RESET); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
close_scope_sctp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
@@ -2835,7 +2836,7 @@ stmt : verdict_stmt
| stateful_stmt
| meta_stmt
| log_stmt close_scope_log
- | reject_stmt
+ | reject_stmt close_scope_reject
| nat_stmt
| tproxy_stmt
| queue_stmt
diff --git a/src/scanner.l b/src/scanner.l
index 97545b7057ab7..6ef20512f6b35 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -238,6 +238,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_UDPLITE
%s SCANSTATE_STMT_LOG
+%s SCANSTATE_STMT_REJECT
%s SCANSTATE_STMT_SYNPROXY
%%
@@ -428,9 +429,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"hour" { return HOUR; }
"day" { return DAY; }
-"reject" { return _REJECT; }
-"with" { return WITH; }
-"icmpx" { return ICMPX; }
+"reject" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_REJECT); return _REJECT; }
+<SCANSTATE_STMT_REJECT>{
+ "with" { return WITH; }
+ "icmpx" { return ICMPX; }
+}
"snat" { return SNAT; }
"dnat" { return DNAT; }
--
2.34.1
* [nft PATCH 21/26] scanner: flags: move to own scope
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This isolates at least 'constant', 'dynamic' and 'all' keywords.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 29 +++++++++++++++--------------
src/scanner.l | 16 ++++++++++------
3 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 08bdeaca250b2..57f1fcc56bd54 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -34,6 +34,7 @@ enum startcond_type {
PARSER_SC_CT,
PARSER_SC_COUNTER,
PARSER_SC_ETH,
+ PARSER_SC_FLAGS,
PARSER_SC_ICMP,
PARSER_SC_IGMP,
PARSER_SC_IP,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 1cdf4cc88376f..af31f72fd6c99 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -937,6 +937,7 @@ close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); }
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
close_scope_export : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_EXPORT); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
+close_scope_flags : { scanner_pop_start_cond(nft->scanner, PARSER_SC_FLAGS); };
close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_hbh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HBH); };
@@ -1668,7 +1669,7 @@ table_block_alloc : /* empty */
}
;
-table_options : FLAGS STRING
+table_options : FLAGS STRING close_scope_flags
{
if (strcmp($2, "dormant") == 0) {
$<table>0->flags |= TABLE_F_DORMANT;
@@ -1935,7 +1936,7 @@ set_block : /* empty */ { $$ = $<set>-1; }
datatype_set($1->key, $3->dtype);
$$ = $1;
}
- | set_block FLAGS set_flag_list stmt_separator
+ | set_block FLAGS set_flag_list stmt_separator close_scope_flags
{
$1->flags = $3;
$$ = $1;
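Review bot: here `close_scope_flags` follows stmt_separator, so the separator is scanned while SCANSTATE_FLAGS is still on top, whereas table_options, flags_spec and log_arg pop directly after the flag value. map_block and flowtable_block follow the set_block pattern. If the late pop is deliberate, a short comment at one of these rules should say why; otherwise `FLAGS set_flag_list close_scope_flags stmt_separator` would keep all users consistent.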
@@ -2069,7 +2070,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
$1->flags |= NFT_SET_OBJECT;
$$ = $1;
}
- | map_block FLAGS set_flag_list stmt_separator
+ | map_block FLAGS set_flag_list stmt_separator close_scope_flags
{
$1->flags |= $3;
$$ = $1;
@@ -2142,7 +2143,7 @@ flowtable_block : /* empty */ { $$ = $<flowtable>-1; }
{
$$->flags |= NFT_FLOWTABLE_COUNTER;
}
- | flowtable_block FLAGS OFFLOAD stmt_separator
+ | flowtable_block FLAGS OFFLOAD stmt_separator close_scope_flags
{
$$->flags |= FLOWTABLE_F_HW_OFFLOAD;
}
@@ -2509,7 +2510,7 @@ dev_spec : DEVICE string
| /* empty */ { $$ = NULL; }
;
-flags_spec : FLAGS OFFLOAD
+flags_spec : FLAGS OFFLOAD close_scope_flags
{
$<chain>0->flags |= CHAIN_F_HW_OFFLOAD;
}
@@ -3114,7 +3115,7 @@ log_arg : PREFIX string
$<stmt>0->log.level = $2;
$<stmt>0->log.flags |= STMT_LOG_LEVEL;
}
- | FLAGS log_flags
+ | FLAGS log_flags close_scope_flags
{
$<stmt>0->log.logflags |= $2;
}
@@ -3816,13 +3817,13 @@ queue_stmt : queue_stmt_compat close_scope_queue
{
$$ = queue_stmt_alloc(&@$, $3, 0);
}
- | QUEUE FLAGS queue_stmt_flags TO queue_stmt_expr close_scope_queue
+ | QUEUE FLAGS queue_stmt_flags close_scope_flags TO queue_stmt_expr close_scope_queue
{
- $$ = queue_stmt_alloc(&@$, $5, $3);
+ $$ = queue_stmt_alloc(&@$, $6, $3);
}
- | QUEUE FLAGS queue_stmt_flags QUEUENUM queue_stmt_expr_simple close_scope_queue
+ | QUEUE FLAGS queue_stmt_flags close_scope_flags QUEUENUM queue_stmt_expr_simple close_scope_queue
{
- $$ = queue_stmt_alloc(&@$, $5, $3);
+ $$ = queue_stmt_alloc(&@$, $6, $3);
}
;
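Review bot: in both alternatives the queue flag names are scanned while SCANSTATE_FLAGS, not SCANSTATE_EXPR_QUEUE, is on top, which is why the scanner part of this patch has to widen the queue keyword block to `<SCANSTATE_FLAGS,SCANSTATE_EXPR_QUEUE>`. That makes "num", "bypass" and "fanout" keywords after every "flags", not only after `queue flags`; please add a comment to that block, as done with `/* log flags */` for "all". The `$5` to `$6` renumbering is correct for the inserted `close_scope_flags`, but it is the only thing keeping the actions in sync with the rule, so a test for `queue flags ... to ...` and `queue flags ... num ...` would be welcome.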
@@ -5489,7 +5490,7 @@ comp_hdr_expr : COMP comp_hdr_field close_scope_comp
;
comp_hdr_field : NEXTHDR { $$ = COMPHDR_NEXTHDR; }
- | FLAGS { $$ = COMPHDR_FLAGS; }
+ | FLAGS close_scope_flags { $$ = COMPHDR_FLAGS; }
| CPI { $$ = COMPHDR_CPI; }
;
@@ -5543,7 +5544,7 @@ tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; }
| ACKSEQ { $$ = TCPHDR_ACKSEQ; }
| DOFF { $$ = TCPHDR_DOFF; }
| RESERVED { $$ = TCPHDR_RESERVED; }
- | FLAGS { $$ = TCPHDR_FLAGS; }
+ | FLAGS close_scope_flags { $$ = TCPHDR_FLAGS; }
| WINDOW { $$ = TCPHDR_WINDOW; }
| CHECKSUM { $$ = TCPHDR_CHECKSUM; }
| URGPTR { $$ = TCPHDR_URGPTR; }
@@ -5657,7 +5658,7 @@ sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; }
;
sctp_chunk_common_field : TYPE close_scope_type { $$ = SCTP_CHUNK_COMMON_TYPE; }
- | FLAGS { $$ = SCTP_CHUNK_COMMON_FLAGS; }
+ | FLAGS close_scope_flags { $$ = SCTP_CHUNK_COMMON_FLAGS; }
| LENGTH { $$ = SCTP_CHUNK_COMMON_LENGTH; }
;
@@ -5825,7 +5826,7 @@ rt4_hdr_expr : RT4 rt4_hdr_field close_scope_rt
;
rt4_hdr_field : LAST_ENT { $$ = RT4HDR_LASTENT; }
- | FLAGS { $$ = RT4HDR_FLAGS; }
+ | FLAGS close_scope_flags { $$ = RT4HDR_FLAGS; }
| TAG { $$ = RT4HDR_TAG; }
| SID '[' NUM ']'
{
diff --git a/src/scanner.l b/src/scanner.l
index 6ef20512f6b35..608471b39898d 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -200,6 +200,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_CT
%s SCANSTATE_COUNTER
%s SCANSTATE_ETH
+%s SCANSTATE_FLAGS
%s SCANSTATE_ICMP
%s SCANSTATE_IGMP
%s SCANSTATE_IP
@@ -355,9 +356,14 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"index" { return INDEX; }
"comment" { return COMMENT; }
-"constant" { return CONSTANT; }
+<SCANSTATE_FLAGS>{
+ "constant" { return CONSTANT; }
+ "dynamic" { return DYNAMIC; }
+
+ /* log flags */
+ "all" { return ALL; }
+}
"interval" { return INTERVAL; }
-"dynamic" { return DYNAMIC; }
"auto-merge" { return AUTOMERGE; }
"timeout" { return TIMEOUT; }
"gc-interval" { return GC_INTERVAL; }
@@ -403,7 +409,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"queue" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;}
-<SCANSTATE_EXPR_QUEUE>{
+<SCANSTATE_FLAGS,SCANSTATE_EXPR_QUEUE>{
"num" { return QUEUENUM;}
"bypass" { return BYPASS;}
"fanout" { return FANOUT;}
@@ -592,7 +598,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_EXPR_COMP>{
"cpi" { return CPI; }
}
-"flags" { return FLAGS; }
+"flags" { scanner_push_start_cond(yyscanner, SCANSTATE_FLAGS); return FLAGS; }
"udp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDP); return UDP; }
"udplite" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDPLITE); return UDPLITE; }
@@ -762,8 +768,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"notrack" { return NOTRACK; }
-"all" { return ALL; }
-
<SCANSTATE_CMD_EXPORT,SCANSTATE_CMD_IMPORT,SCANSTATE_CMD_MONITOR>{
"xml" { return XML; }
"json" { return JSON; }
--
2.34.1
* [nft PATCH 22/26] scanner: policy: move to own scope
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Isolate 'performance' and 'memory' keywords.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 7 ++++---
src/scanner.l | 9 ++++++---
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 57f1fcc56bd54..79eadc0d7e52f 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -40,6 +40,7 @@ enum startcond_type {
PARSER_SC_IP,
PARSER_SC_IP6,
PARSER_SC_LIMIT,
+ PARSER_SC_POLICY,
PARSER_SC_QUOTA,
PARSER_SC_SCTP,
PARSER_SC_SECMARK,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index af31f72fd6c99..eca51617e1713 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -954,6 +954,7 @@ close_scope_mh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_MH); };
close_scope_monitor : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_MONITOR); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_osf : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
+close_scope_policy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_POLICY); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_reject : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_REJECT); };
@@ -2098,7 +2099,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
| map_block set_mechanism stmt_separator
;
-set_mechanism : POLICY set_policy_spec
+set_mechanism : POLICY set_policy_spec close_scope_policy
{
$<set>0->policy = $2;
}
@@ -2516,7 +2517,7 @@ flags_spec : FLAGS OFFLOAD close_scope_flags
}
;
-policy_spec : POLICY policy_expr
+policy_spec : POLICY policy_expr close_scope_policy
{
if ($<chain>0->policy) {
erec_queue(error(&@$, "you cannot set chain policy twice"),
@@ -4563,7 +4564,7 @@ ct_timeout_config : PROTOCOL ct_l4protoname stmt_separator
ct = &$<obj>0->ct_timeout;
ct->l4proto = l4proto;
}
- | POLICY '=' '{' timeout_states '}' stmt_separator
+ | POLICY '=' '{' timeout_states '}' stmt_separator close_scope_policy
{
struct ct_timeout *ct;
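Review bot: `close_scope_policy` sits after the closing brace and stmt_separator, so the whole `{ timeout_states }` block is scanned with SCANSTATE_POLICY active, although the only words this patch scopes to it are "performance" and "memory", which this alternative does not reference directly. Popping right after the keyword, as in `POLICY close_scope_policy '=' '{' timeout_states '}' stmt_separator`, would keep the scope as short as in the `TYPE close_scope_type` rules and rule out either word being tokenised as a keyword inside the braces.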
diff --git a/src/scanner.l b/src/scanner.l
index 608471b39898d..b885f84523b97 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -206,6 +206,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_IP
%s SCANSTATE_IP6
%s SCANSTATE_LIMIT
+%s SCANSTATE_POLICY
%s SCANSTATE_QUOTA
%s SCANSTATE_SCTP
%s SCANSTATE_SECMARK
@@ -370,10 +371,12 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"elements" { return ELEMENTS; }
"expires" { return EXPIRES; }
-"policy" { return POLICY; }
+"policy" { scanner_push_start_cond(yyscanner, SCANSTATE_POLICY); return POLICY; }
"size" { return SIZE; }
-"performance" { return PERFORMANCE; }
-"memory" { return MEMORY; }
+<SCANSTATE_POLICY>{
+ "performance" { return PERFORMANCE; }
+ "memory" { return MEMORY; }
+}
"flow" { return FLOW; }
"offload" { return OFFLOAD; }
--
2.34.1
* [nft PATCH 23/26] scanner: nat: Move to own scope
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Unify nat, masquerade and redirect statements, they widely share their
syntax.
Note the workaround of adding "prefix" to SCANSTATE_IP. This is required
to fix for 'snat ip prefix ...' style expressions.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 13 +++++++------
src/scanner.l | 21 ++++++++++++---------
3 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 79eadc0d7e52f..0ff0ecfbad9ac 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -74,6 +74,7 @@ enum startcond_type {
PARSER_SC_EXPR_UDPLITE,
PARSER_SC_STMT_LOG,
+ PARSER_SC_STMT_NAT,
PARSER_SC_STMT_REJECT,
PARSER_SC_STMT_SYNPROXY,
};
diff --git a/src/parser_bison.y b/src/parser_bison.y
index eca51617e1713..679579fc75742 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -952,6 +952,7 @@ close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); }
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
close_scope_mh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_MH); };
close_scope_monitor : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_MONITOR); };
+close_scope_nat : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_NAT); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_osf : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
close_scope_policy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_POLICY); };
@@ -2839,12 +2840,12 @@ stmt : verdict_stmt
| meta_stmt
| log_stmt close_scope_log
| reject_stmt close_scope_reject
- | nat_stmt
+ | nat_stmt close_scope_nat
| tproxy_stmt
| queue_stmt
| ct_stmt
- | masq_stmt
- | redir_stmt
+ | masq_stmt close_scope_nat
+ | redir_stmt close_scope_nat
| dup_stmt
| fwd_stmt
| set_stmt
@@ -4764,8 +4765,8 @@ keyword_expr : ETHER close_scope_eth { $$ = symbol_value(&@$, "ether"); }
| IP6 close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
| VLAN close_scope_vlan { $$ = symbol_value(&@$, "vlan"); }
| ARP close_scope_arp { $$ = symbol_value(&@$, "arp"); }
- | DNAT { $$ = symbol_value(&@$, "dnat"); }
- | SNAT { $$ = symbol_value(&@$, "snat"); }
+ | DNAT close_scope_nat { $$ = symbol_value(&@$, "dnat"); }
+ | SNAT close_scope_nat { $$ = symbol_value(&@$, "snat"); }
| ECN { $$ = symbol_value(&@$, "ecn"); }
| RESET close_scope_reset { $$ = symbol_value(&@$, "reset"); }
| ORIGINAL { $$ = symbol_value(&@$, "original"); }
@@ -4854,7 +4855,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | REDIRECT
+ | REDIRECT close_scope_nat
{
uint8_t data = ICMP_REDIRECT;
$$ = constant_expr_alloc(&@$, &icmp_type_type,
diff --git a/src/scanner.l b/src/scanner.l
index b885f84523b97..078bcc7084eba 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -240,6 +240,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_UDPLITE
%s SCANSTATE_STMT_LOG
+%s SCANSTATE_STMT_NAT
%s SCANSTATE_STMT_REJECT
%s SCANSTATE_STMT_SYNPROXY
@@ -403,7 +404,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"log" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_LOG); return LOG; }
-"prefix" { return PREFIX; }
+<SCANSTATE_STMT_LOG,SCANSTATE_STMT_NAT,SCANSTATE_IP>"prefix" { return PREFIX; }
<SCANSTATE_STMT_LOG>{
"snaplen" { return SNAPLEN; }
"queue-threshold" { return QUEUE_THRESHOLD; }
@@ -444,13 +445,16 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"icmpx" { return ICMPX; }
}
-"snat" { return SNAT; }
-"dnat" { return DNAT; }
-"masquerade" { return MASQUERADE; }
-"redirect" { return REDIRECT; }
+"snat" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return SNAT; }
+"dnat" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return DNAT; }
+"masquerade" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return MASQUERADE; }
+"redirect" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return REDIRECT; }
"random" { return RANDOM; }
-"fully-random" { return FULLY_RANDOM; }
-"persistent" { return PERSISTENT; }
+<SCANSTATE_STMT_NAT>{
+ "fully-random" { return FULLY_RANDOM; }
+ "persistent" { return PERSISTENT; }
+ "port" { return PORT; }
+}
"ll" { return LL_HDR; }
"nh" { return NETWORK_HDR; }
@@ -614,7 +618,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_CT,SCANSTATE_EXPR_DCCP,SCANSTATE_SCTP,SCANSTATE_TCP,SCANSTATE_EXPR_TH,SCANSTATE_EXPR_UDP,SCANSTATE_EXPR_UDPLITE>{
"dport" { return DPORT; }
}
-"port" { return PORT; }
"tcp" { scanner_push_start_cond(yyscanner, SCANSTATE_TCP); return TCP; }
@@ -668,7 +671,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"rt0" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT0; }
"rt2" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT2; }
"srh" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT4; }
-"addr" { return ADDR; }
+<SCANSTATE_EXPR_RT,SCANSTATE_STMT_NAT>"addr" { return ADDR; }
"hbh" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HBH); return HBH; }
--
2.34.1
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [nft PATCH 24/26] scanner: at: Move to own scope
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (22 preceding siblings ...)
2022-02-19 13:28 ` [nft PATCH 23/26] scanner: nat: Move " Phil Sutter
@ 2022-02-19 13:28 ` Phil Sutter
2022-02-19 13:28 ` [nft PATCH 25/26] scanner: meta: " Phil Sutter
` (2 subsequent siblings)
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Modification of raw TCP option rule is a bit more complicated to avoid
pushing tcp_hdr_option_type into the introduced scope by accident.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 15 ++++++++-------
src/scanner.l | 9 ++++++---
3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 0ff0ecfbad9ac..0dcc30be64780 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -31,6 +31,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
PARSER_SC_ARP,
+ PARSER_SC_AT,
PARSER_SC_CT,
PARSER_SC_COUNTER,
PARSER_SC_ETH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 679579fc75742..c6f5d4947356c 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -928,6 +928,7 @@ opt_newline : NEWLINE
close_scope_ah : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_AH); };
close_scope_arp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ARP); };
+close_scope_at : { scanner_pop_start_cond(nft->scanner, PARSER_SC_AT); };
close_scope_comp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_COMP); };
close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_counter : { scanner_pop_start_cond(nft->scanner, PARSER_SC_COUNTER); };
@@ -4041,7 +4042,7 @@ set_ref_expr : set_ref_symbol_expr
| variable_expr
;
-set_ref_symbol_expr : AT identifier
+set_ref_symbol_expr : AT identifier close_scope_at
{
$$ = symbol_expr_alloc(&@$, SYMBOL_SET,
current_scope(state),
@@ -5014,11 +5015,11 @@ meta_stmt : META meta_key SET stmt_expr
{
$$ = notrack_stmt_alloc(&@$);
}
- | FLOW OFFLOAD AT string
+ | FLOW OFFLOAD AT string close_scope_at
{
$$ = flow_offload_stmt_alloc(&@$, $4);
}
- | FLOW ADD AT string
+ | FLOW ADD AT string close_scope_at
{
$$ = flow_offload_stmt_alloc(&@$, $4);
}
@@ -5291,7 +5292,7 @@ payload_expr : payload_raw_expr
| th_hdr_expr
;
-payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM
+payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM close_scope_at
{
$$ = payload_expr_alloc(&@$, NULL, 0);
payload_init_raw($$, $2, $4, $6);
@@ -5533,10 +5534,10 @@ tcp_hdr_expr : TCP tcp_hdr_field
{
$$ = tcpopt_expr_alloc(&@$, $3.kind, $3.field);
}
- | TCP OPTION AT tcp_hdr_option_type COMMA NUM COMMA NUM
+ | TCP OPTION AT close_scope_at tcp_hdr_option_type COMMA NUM COMMA NUM
{
- $$ = tcpopt_expr_alloc(&@$, $4, 0);
- tcpopt_init_raw($$, $4, $6, $8, 0);
+ $$ = tcpopt_expr_alloc(&@$, $5, 0);
+ tcpopt_init_raw($$, $5, $7, $9, 0);
}
;
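Review bot: In the TCP OPTION AT rule, the reason for placing close_scope_at in the middle of the right-hand side is documented only in the commit message. The placement shifts every later symbol by one ($4 to $5, $6 to $7, $8 to $9), which the action accounts for, but a comment above the rule stating that the scope must be closed before tcp_hdr_option_type is scanned would stop a later cleanup from moving close_scope_at to the end like the other AT rules. Because the pop runs from a parser action, please also confirm that no lookahead token is fetched before close_scope_at is reduced; otherwise the first token of tcp_hdr_option_type is still scanned in SCANSTATE_AT.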
diff --git a/src/scanner.l b/src/scanner.l
index 078bcc7084eba..8d4907dc1fdfe 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option warn
%option stack
%s SCANSTATE_ARP
+%s SCANSTATE_AT
%s SCANSTATE_CT
%s SCANSTATE_COUNTER
%s SCANSTATE_ETH
@@ -283,7 +284,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"/" { return SLASH; }
"-" { return DASH; }
"*" { return ASTERISK; }
-"@" { return AT; }
+"@" { scanner_push_start_cond(yyscanner, SCANSTATE_AT); return AT; }
"$" { return '$'; }
"=" { return '='; }
"vmap" { return VMAP; }
@@ -456,8 +457,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"port" { return PORT; }
}
-"ll" { return LL_HDR; }
-"nh" { return NETWORK_HDR; }
+<SCANSTATE_AT>{
+ "ll" { return LL_HDR; }
+ "nh" { return NETWORK_HDR; }
+}
"th" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_TH); return TRANSPORT_HDR; }
"bridge" { return BRIDGE; }
--
2.34.1
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [nft PATCH 25/26] scanner: meta: Move to own scope
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (23 preceding siblings ...)
2022-02-19 13:28 ` [nft PATCH 24/26] scanner: at: " Phil Sutter
@ 2022-02-19 13:28 ` Phil Sutter
2022-02-19 13:28 ` [nft PATCH 26/26] scanner: dup, fwd, tproxy: Move to own scopes Phil Sutter
2022-02-20 0:34 ` [nft PATCH 00/26] scanner: Some fixes, many new scopes Pablo Neira Ayuso
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This allows isolating 'length' and 'protocol' keywords shared by other
scopes as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 1 +
src/parser_bison.y | 9 +++++----
src/scanner.l | 7 ++++---
3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 0dcc30be64780..bc42229c1a83b 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -41,6 +41,7 @@ enum startcond_type {
PARSER_SC_IP,
PARSER_SC_IP6,
PARSER_SC_LIMIT,
+ PARSER_SC_META,
PARSER_SC_POLICY,
PARSER_SC_QUOTA,
PARSER_SC_SCTP,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index c6f5d4947356c..cd6f22ef8e915 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -951,6 +951,7 @@ close_scope_import : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_IMPORT
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
+close_scope_meta : { scanner_pop_start_cond(nft->scanner, PARSER_SC_META); };
close_scope_mh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_MH); };
close_scope_monitor : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_MONITOR); };
close_scope_nat : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_NAT); };
@@ -4912,7 +4913,7 @@ chain_expr : variable_expr
}
;
-meta_expr : META meta_key
+meta_expr : META meta_key close_scope_meta
{
$$ = meta_expr_alloc(&@$, $2);
}
@@ -4920,7 +4921,7 @@ meta_expr : META meta_key
{
$$ = meta_expr_alloc(&@$, $1);
}
- | META STRING
+ | META STRING close_scope_meta
{
struct error_record *erec;
unsigned int key;
@@ -4973,7 +4974,7 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
| HOUR { $$ = NFT_META_TIME_HOUR; }
;
-meta_stmt : META meta_key SET stmt_expr
+meta_stmt : META meta_key SET stmt_expr close_scope_meta
{
switch ($2) {
case NFT_META_SECMARK:
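Review bot: close_scope_meta is placed after stmt_expr in meta_stmt, which keeps SCANSTATE_META on the stack while the whole right-hand side of SET is scanned, whereas meta_expr closes the scope directly after meta_key. If the scope is needed only for the key, closing it before SET would keep it as narrow as in meta_expr; if the late pop is deliberate, a comment saying why would help.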
@@ -4997,7 +4998,7 @@ meta_stmt : META meta_key SET stmt_expr
{
$$ = meta_stmt_alloc(&@$, $1, $3);
}
- | META STRING SET stmt_expr
+ | META STRING SET stmt_expr close_scope_meta
{
struct error_record *erec;
unsigned int key;
diff --git a/src/scanner.l b/src/scanner.l
index 8d4907dc1fdfe..be01c6f3b3bc6 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -207,6 +207,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_IP
%s SCANSTATE_IP6
%s SCANSTATE_LIMIT
+%s SCANSTATE_META
%s SCANSTATE_POLICY
%s SCANSTATE_QUOTA
%s SCANSTATE_SCTP
@@ -503,14 +504,14 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"dscp" { return DSCP; }
}
"ecn" { return ECN; }
-"length" { return LENGTH; }
+<SCANSTATE_EXPR_UDP,SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_META,SCANSTATE_TCP,SCANSTATE_SCTP,SCANSTATE_EXPR_SCTP_CHUNK>"length" { return LENGTH; }
<SCANSTATE_EXPR_FRAG,SCANSTATE_IP>{
"frag-off" { return FRAG_OFF; }
}
<SCANSTATE_EXPR_OSF,SCANSTATE_IP>{
"ttl" { return TTL; }
}
-"protocol" { return PROTOCOL; }
+<SCANSTATE_CT,SCANSTATE_IP,SCANSTATE_META,SCANSTATE_TYPE>"protocol" { return PROTOCOL; }
<SCANSTATE_EXPR_MH,SCANSTATE_EXPR_UDP,SCANSTATE_EXPR_UDPLITE,SCANSTATE_ICMP,SCANSTATE_IGMP,SCANSTATE_IP,SCANSTATE_SCTP,SCANSTATE_TCP>{
"checksum" { return CHECKSUM; }
}
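Review bot: The start-condition lists on "length" (seven scopes) and "protocol" (four scopes) are maintained by hand, and a scope missing from either list is not caught at build time: the keyword is scanned as a plain string and the rule is rejected with a syntax error at run time. Please make sure the test suites contain at least one rule using each keyword in every listed scope, and consider a comment naming the statements that need each entry.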
@@ -688,7 +689,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"mh" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_MH); return MH; }
-"meta" { return META; }
+"meta" { scanner_push_start_cond(yyscanner, SCANSTATE_META); return META; }
"mark" { return MARK; }
"iif" { return IIF; }
"iifname" { return IIFNAME; }
--
2.34.1
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [nft PATCH 26/26] scanner: dup, fwd, tproxy: Move to own scopes
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (24 preceding siblings ...)
2022-02-19 13:28 ` [nft PATCH 25/26] scanner: meta: " Phil Sutter
@ 2022-02-19 13:28 ` Phil Sutter
2022-02-20 0:34 ` [nft PATCH 00/26] scanner: Some fixes, many new scopes Pablo Neira Ayuso
26 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-19 13:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
With these three scopes in place, keyword 'to' may be isolated.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/parser.h | 3 +++
src/parser_bison.y | 9 ++++++---
src/scanner.l | 11 +++++++----
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index bc42229c1a83b..f32154cca44d3 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -75,10 +75,13 @@ enum startcond_type {
PARSER_SC_EXPR_UDP,
PARSER_SC_EXPR_UDPLITE,
+ PARSER_SC_STMT_DUP,
+ PARSER_SC_STMT_FWD,
PARSER_SC_STMT_LOG,
PARSER_SC_STMT_NAT,
PARSER_SC_STMT_REJECT,
PARSER_SC_STMT_SYNPROXY,
+ PARSER_SC_STMT_TPROXY,
};
struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index cd6f22ef8e915..7856b3f222780 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -934,12 +934,14 @@ close_scope_ct : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
close_scope_counter : { scanner_pop_start_cond(nft->scanner, PARSER_SC_COUNTER); };
close_scope_dccp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DCCP); };
close_scope_dst : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_DST); };
+close_scope_dup : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_DUP); };
close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); };
close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
close_scope_export : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_EXPORT); };
close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
close_scope_flags : { scanner_pop_start_cond(nft->scanner, PARSER_SC_FLAGS); };
close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); };
+close_scope_fwd : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_FWD); };
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_hbh : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HBH); };
close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
@@ -968,6 +970,7 @@ close_scope_sctp_chunk : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_S
close_scope_secmark : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
close_scope_tcp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); };
+close_scope_tproxy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_TPROXY); };
close_scope_type : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TYPE); };
close_scope_th : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_TH); };
close_scope_udp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDP); };
@@ -2843,13 +2846,13 @@ stmt : verdict_stmt
| log_stmt close_scope_log
| reject_stmt close_scope_reject
| nat_stmt close_scope_nat
- | tproxy_stmt
+ | tproxy_stmt close_scope_tproxy
| queue_stmt
| ct_stmt
| masq_stmt close_scope_nat
| redir_stmt close_scope_nat
- | dup_stmt
- | fwd_stmt
+ | dup_stmt close_scope_dup
+ | fwd_stmt close_scope_fwd
| set_stmt
| map_stmt
| synproxy_stmt close_scope_synproxy
diff --git a/src/scanner.l b/src/scanner.l
index be01c6f3b3bc6..fd1cf059a608f 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -241,10 +241,13 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_UDP
%s SCANSTATE_EXPR_UDPLITE
+%s SCANSTATE_STMT_DUP
+%s SCANSTATE_STMT_FWD
%s SCANSTATE_STMT_LOG
%s SCANSTATE_STMT_NAT
%s SCANSTATE_STMT_REJECT
%s SCANSTATE_STMT_SYNPROXY
+%s SCANSTATE_STMT_TPROXY
%%
@@ -328,7 +331,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"cgroupv2" { return CGROUPV2; }
"level" { return LEVEL; }
}
-"tproxy" { return TPROXY; }
+"tproxy" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_TPROXY); return TPROXY; }
"accept" { return ACCEPT; }
"drop" { return DROP; }
@@ -336,7 +339,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"jump" { return JUMP; }
"goto" { return GOTO; }
"return" { return RETURN; }
-"to" { return TO; }
+<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_FLAGS,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_FLAGS and SCANSTATE_IP here are workarounds */
"inet" { return INET; }
"netdev" { return NETDEV; }
@@ -759,8 +762,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"mod" { return MOD; }
"offset" { return OFFSET; }
}
-"dup" { return DUP; }
-"fwd" { return FWD; }
+"dup" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_DUP); return DUP; }
+"fwd" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_FWD); return FWD; }
"fib" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_FIB); return FIB; }
--
2.34.1
^ permalink raw reply related [flat|nested] 36+ messages in thread
* Re: [nft PATCH 00/26] scanner: Some fixes, many new scopes
2022-02-19 13:27 [nft PATCH 00/26] scanner: Some fixes, many new scopes Phil Sutter
` (25 preceding siblings ...)
2022-02-19 13:28 ` [nft PATCH 26/26] scanner: dup, fwd, tproxy: Move to own scopes Phil Sutter
@ 2022-02-20 0:34 ` Pablo Neira Ayuso
2022-02-20 0:46 ` Phil Sutter
2022-02-28 21:40 ` Pablo Neira Ayuso
26 siblings, 2 replies; 36+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-20 0:34 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Sat, Feb 19, 2022 at 02:27:48PM +0100, Phil Sutter wrote:
> Patch 1 adds a test for 'ct count' statement, patches 2 and 3 fix some
> keywords' scope, bulk scope introduction in the remaining ones.
Could you just push out the fixes in this batch?
My proposal is to release 1.0.2 with accumulated changes in master,
then we follow up with more updates after the release.
I'd also like to push my automerge after the release too.
> Phil Sutter (26):
> tests: py: Test connlimit statement
> scanner: Move 'maps' keyword into list cmd scope
> scanner: Some time units are only used in limit scope
> scanner: rt: Move seg-left keyword into scope
> scanner: icmp{,v6}: Move to own scope
> scanner: igmp: Move to own scope
> scanner: tcp: Move to own scope
> scanner: synproxy: Move to own scope
> scanner: comp: Move to own scope.
> scanner: udp{,lite}: Move to own scope
> scanner: dccp, th: Move to own scopes
> scanner: osf: Move to own scope
> scanner: ah, esp: Move to own scopes
> scanner: dst, frag, hbh, mh: Move to own scopes
> scanner: type: Move to own scope
> scanner: rt: Extend scope over rt0, rt2 and srh
> scanner: monitor: Move to own Scope
> scanner: reset: move to own Scope
> scanner: import, export: Move to own scopes
> scanner: reject: Move to own scope
> scanner: flags: move to own scope
> scanner: policy: move to own scope
> scanner: nat: Move to own scope
> scanner: at: Move to own scope
> scanner: meta: Move to own scope
> scanner: dup, fwd, tproxy: Move to own scopes
>
> include/parser.h | 29 +++
> src/parser_bison.y | 263 +++++++++++++++------------
> src/scanner.l | 361 ++++++++++++++++++++++++--------------
> tests/py/any/ct.t | 3 +
> tests/py/any/ct.t.json | 19 ++
> tests/py/any/ct.t.payload | 8 +
> 6 files changed, 436 insertions(+), 247 deletions(-)
>
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [nft PATCH 03/26] scanner: Some time units are only used in limit scope
2022-02-19 13:27 ` [nft PATCH 03/26] scanner: Some time units are only used in limit scope Phil Sutter
@ 2022-02-20 0:38 ` Pablo Neira Ayuso
2022-02-20 0:40 ` Pablo Neira Ayuso
2022-02-20 0:44 ` Phil Sutter
0 siblings, 2 replies; 36+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-20 0:38 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Sat, Feb 19, 2022 at 02:27:51PM +0100, Phil Sutter wrote:
> 'hour' and 'day' are allowed as unqualified meta expressions, so leave
> them alone.
Are you sure? I can see time_type is used by 'ct expiration'.
> Fixes: eae2525685252 ("scanner: limit: move to own scope")
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
> src/scanner.l | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/scanner.l b/src/scanner.l
> index ce78fcd6fa995..eaf5460870a09 100644
> --- a/src/scanner.l
> +++ b/src/scanner.l
> @@ -385,6 +385,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
> <SCANSTATE_LIMIT>{
> "rate" { return RATE; }
> "burst" { return BURST; }
> +
> + /* time_unit */
> + "second" { return SECOND; }
> + "minute" { return MINUTE; }
> + "week" { return WEEK; }
> }
> <SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"over" { return OVER; }
>
> @@ -394,11 +399,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
> "until" { return UNTIL; }
> }
>
> -"second" { return SECOND; }
> -"minute" { return MINUTE; }
> "hour" { return HOUR; }
> "day" { return DAY; }
> -"week" { return WEEK; }
>
> "reject" { return _REJECT; }
> "with" { return WITH; }
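Review bot: The /* time_unit */ comment inside the SCANSTATE_LIMIT block covers only "second", "minute" and "week", while "hour" and "day" remain global rules below without any comment. The reason (they are also allowed as unqualified meta expressions) is given only in the commit message; a comment next to the two global rules would answer the question raised in this reply and guard against a later move into the limit scope.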
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [nft PATCH 03/26] scanner: Some time units are only used in limit scope
2022-02-20 0:38 ` Pablo Neira Ayuso
@ 2022-02-20 0:40 ` Pablo Neira Ayuso
2022-02-20 0:44 ` Phil Sutter
1 sibling, 0 replies; 36+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-20 0:40 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Sun, Feb 20, 2022 at 01:38:23AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Feb 19, 2022 at 02:27:51PM +0100, Phil Sutter wrote:
> > 'hour' and 'day' are allowed as unqualified meta expressions, so leave
> > them alone.
>
> Are you sure? I can see time_type is used by 'ct expiration'.
Actually, ct expiration takes 1s, 1m, 1h and so on.
> > Fixes: eae2525685252 ("scanner: limit: move to own scope")
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> > src/scanner.l | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/scanner.l b/src/scanner.l
> > index ce78fcd6fa995..eaf5460870a09 100644
> > --- a/src/scanner.l
> > +++ b/src/scanner.l
> > @@ -385,6 +385,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
> > <SCANSTATE_LIMIT>{
> > "rate" { return RATE; }
> > "burst" { return BURST; }
> > +
> > + /* time_unit */
> > + "second" { return SECOND; }
> > + "minute" { return MINUTE; }
> > + "week" { return WEEK; }
> > }
> > <SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"over" { return OVER; }
> >
> > @@ -394,11 +399,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
> > "until" { return UNTIL; }
> > }
> >
> > -"second" { return SECOND; }
> > -"minute" { return MINUTE; }
> > "hour" { return HOUR; }
> > "day" { return DAY; }
> > -"week" { return WEEK; }
> >
> > "reject" { return _REJECT; }
> > "with" { return WITH; }
> > --
> > 2.34.1
> >
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [nft PATCH 03/26] scanner: Some time units are only used in limit scope
2022-02-20 0:38 ` Pablo Neira Ayuso
2022-02-20 0:40 ` Pablo Neira Ayuso
@ 2022-02-20 0:44 ` Phil Sutter
1 sibling, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-20 0:44 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Sun, Feb 20, 2022 at 01:38:19AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Feb 19, 2022 at 02:27:51PM +0100, Phil Sutter wrote:
> > 'hour' and 'day' are allowed as unqualified meta expressions, so leave
> > them alone.
>
> Are you sure? I can see time_type is used by 'ct expiration'.
It's not about time_type, but the keywords. We support 'meta day' and
'meta hour' expressions, and they are allowed as unqualified. So
effectively:
| nft add rule t c day "Saturday" hour "13:37"
must succeed. Therefore "day" and "hour" keywords must stay in global
scope.
Cheers, Phil
^ permalink raw reply [flat|nested] 36+ messages in thread
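The scoping argument in the reply above, as an added C model that is not part of the thread and not nftables code: a keyword rule bound to a start condition matches only while that scope is on top of the scanner's stack, and falls back to a plain string elsewhere. All names (`parse_rule`, `SC_LIMIT`, the token enum, the two-statement grammar) are hypothetical, and `scope_day_hour = 1` models the variant the patch avoids, where "hour" and "day" would also be moved into the limit scope.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a scanner with a start-condition stack; every name
 * below is hypothetical and none of this is nftables code. */
enum scope { SC_INITIAL, SC_LIMIT };
enum token { T_EOF, T_STRING, T_NUM, T_SLASH, T_LIMIT, T_RATE,
	     T_SECOND, T_MINUTE, T_WEEK, T_HOUR, T_DAY };
#define ANY	(-1)	/* rule without a start condition: active in every scope */
#define DAYHOUR	(-2)	/* "hour"/"day": global, or limit-only in the broken variant */
#define NOPUSH	(-1)

struct rule { const char *text; int scope; enum token tok; int push; };

static const struct rule rules[] = {
	{ "limit",  ANY,      T_LIMIT,  SC_LIMIT },
	{ "rate",   SC_LIMIT, T_RATE,   NOPUSH },
	{ "second", SC_LIMIT, T_SECOND, NOPUSH },
	{ "minute", SC_LIMIT, T_MINUTE, NOPUSH },
	{ "week",   SC_LIMIT, T_WEEK,   NOPUSH },
	{ "hour",   DAYHOUR,  T_HOUR,   NOPUSH },
	{ "day",    DAYHOUR,  T_DAY,    NOPUSH },
};

struct scanner {
	const char *pos;
	int stack[8], depth;	/* only stack[depth], the active scope, selects rules */
	int scope_day_hour;	/* 1 = model "hour"/"day" moved into SC_LIMIT */
};

static int rule_active(const struct scanner *s, const struct rule *r)
{
	int scope = r->scope;

	if (scope == DAYHOUR)
		scope = s->scope_day_hour ? SC_LIMIT : ANY;
	return scope == ANY || scope == s->stack[s->depth];
}

static enum token next_token(struct scanner *s)
{
	char buf[32];
	size_t i, n = 0;

	while (*s->pos == ' ')
		s->pos++;
	if (*s->pos == '\0')
		return T_EOF;
	if (*s->pos == '/') {
		s->pos++;
		return T_SLASH;
	}
	if (*s->pos == '"') {		/* quoted strings are never keywords */
		const char *end = strchr(s->pos + 1, '"');

		s->pos = end ? end + 1 : s->pos + strlen(s->pos);
		return T_STRING;
	}
	for (; *s->pos && *s->pos != ' ' && *s->pos != '/'; s->pos++)
		if (n + 1 < sizeof(buf))
			buf[n++] = *s->pos;
	buf[n] = '\0';
	if (isdigit((unsigned char)buf[0]))
		return T_NUM;
	for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
		if (strcmp(buf, rules[i].text) || !rule_active(s, &rules[i]))
			continue;
		if (rules[i].push != NOPUSH && s->depth < 7)
			s->stack[++s->depth] = rules[i].push;
		return rules[i].tok;
	}
	return T_STRING;	/* a keyword outside its scope is a plain string */
}

/* Statements: "limit rate NUM/unit" and unqualified "day|hour STRING".
 * Returns the number of statements parsed, or -1 on a syntax error. */
int parse_rule(const char *input, int scope_day_hour)
{
	struct scanner s = { .pos = input, .scope_day_hour = scope_day_hour };
	enum token t;
	int stmts = 0;

	while ((t = next_token(&s)) != T_EOF) {
		if (t == T_LIMIT) {
			if (next_token(&s) != T_RATE || next_token(&s) != T_NUM ||
			    next_token(&s) != T_SLASH || next_token(&s) < T_SECOND)
				return -1;
			s.depth--;	/* parser closes the scope "limit" opened */
		} else if ((t != T_HOUR && t != T_DAY) || next_token(&s) != T_STRING) {
			return -1;
		}
		stmts++;
	}
	return stmts;
}

int main(void)
{
	const char *rule = "day \"Saturday\" hour \"13:37\"";

	printf("global: %d, scoped: %d\n", parse_rule(rule, 0), parse_rule(rule, 1));
	return 0;
}
```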
* Re: [nft PATCH 00/26] scanner: Some fixes, many new scopes
2022-02-20 0:34 ` [nft PATCH 00/26] scanner: Some fixes, many new scopes Pablo Neira Ayuso
@ 2022-02-20 0:46 ` Phil Sutter
2022-02-28 21:40 ` Pablo Neira Ayuso
1 sibling, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-02-20 0:46 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Sun, Feb 20, 2022 at 01:34:16AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Feb 19, 2022 at 02:27:48PM +0100, Phil Sutter wrote:
> > Patch 1 adds a test for 'ct count' statement, patches 2 and 3 fix some
> > keywords' scope, bulk scope introduction in the remaining ones.
>
> Could you just push out the fixes in this batch?
Sure!
> My proposal is to release 1.0.2 with accumulated changes in master,
> then we follow up with more updates after the release.
>
> I'd also like to push my automerge after the release too.
OK, cool. I'll push the fixes now and keep the scope bulk add for later.
Thanks, Phil
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [nft PATCH 00/26] scanner: Some fixes, many new scopes
2022-02-20 0:34 ` [nft PATCH 00/26] scanner: Some fixes, many new scopes Pablo Neira Ayuso
2022-02-20 0:46 ` Phil Sutter
@ 2022-02-28 21:40 ` Pablo Neira Ayuso
2022-03-01 17:24 ` Phil Sutter
1 sibling, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-28 21:40 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Sun, Feb 20, 2022 at 01:34:20AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Feb 19, 2022 at 02:27:48PM +0100, Phil Sutter wrote:
> > Patch 1 adds a test for 'ct count' statement, patches 2 and 3 fix some
> > keywords' scope, bulk scope introduction in the remaining ones.
>
> Could you just push out the fixes in this batch?
>
> My proposal is to release 1.0.2 with accumulated changes in master,
> then we follow up with more updates after the release.
I think it's fine to merge this to master now that 1.0.2 has been
released.
Thanks.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [nft PATCH 00/26] scanner: Some fixes, many new scopes
2022-02-28 21:40 ` Pablo Neira Ayuso
@ 2022-03-01 17:24 ` Phil Sutter
2022-03-01 21:07 ` Pablo Neira Ayuso
0 siblings, 1 reply; 36+ messages in thread
From: Phil Sutter @ 2022-03-01 17:24 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Mon, Feb 28, 2022 at 10:40:03PM +0100, Pablo Neira Ayuso wrote:
> On Sun, Feb 20, 2022 at 01:34:20AM +0100, Pablo Neira Ayuso wrote:
> > On Sat, Feb 19, 2022 at 02:27:48PM +0100, Phil Sutter wrote:
> > > Patch 1 adds a test for 'ct count' statement, patches 2 and 3 fix some
> > > keywords' scope, bulk scope introduction in the remaining ones.
> >
> > Could you just push out the fixes in this batch?
> >
> > My proposal is to release 1.0.2 with accumulated changes in master,
> > then we follow up with more updates after the release.
>
> I think it's fine to merge this to master now that 1.0.2 has been
> released.
Pushed the series after a rebase and successful py testsuite run for
sanity. Thanks for the heads-up!
Cheers, Phil
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [nft PATCH 00/26] scanner: Some fixes, many new scopes
2022-03-01 17:24 ` Phil Sutter
@ 2022-03-01 21:07 ` Pablo Neira Ayuso
2022-03-02 13:50 ` Phil Sutter
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2022-03-01 21:07 UTC (permalink / raw)
To: Phil Sutter, netfilter-devel
Hi Phil,
On Tue, Mar 01, 2022 at 06:24:51PM +0100, Phil Sutter wrote:
> On Mon, Feb 28, 2022 at 10:40:03PM +0100, Pablo Neira Ayuso wrote:
> > On Sun, Feb 20, 2022 at 01:34:20AM +0100, Pablo Neira Ayuso wrote:
> > > On Sat, Feb 19, 2022 at 02:27:48PM +0100, Phil Sutter wrote:
> > > > Patch 1 adds a test for 'ct count' statement, patches 2 and 3 fix some
> > > > keywords' scope, bulk scope introduction in the remaining ones.
> > >
> > > Could you just push out the fixes in this batch?
> > >
> > > My proposal is to release 1.0.2 with accumulated changes in master,
> > > then we follow up with more updates after the release.
> >
> > I think it's fine to merge this to master now that 1.0.2 has been
> > released.
>
> Pushed the series after a rebase and successful py testsuite run for
> sanity. Thanks for the heads-up!
shell testsuite reports problems:
results: [OK] 298 [FAILED] 3 [TOTAL] 301
These tests break with syntax errors.
Please, also run monitor and json_echo tests.
Thanks.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [nft PATCH 00/26] scanner: Some fixes, many new scopes
2022-03-01 21:07 ` Pablo Neira Ayuso
@ 2022-03-02 13:50 ` Phil Sutter
0 siblings, 0 replies; 36+ messages in thread
From: Phil Sutter @ 2022-03-02 13:50 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hi,
On Tue, Mar 01, 2022 at 10:07:37PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Mar 01, 2022 at 06:24:51PM +0100, Phil Sutter wrote:
> > On Mon, Feb 28, 2022 at 10:40:03PM +0100, Pablo Neira Ayuso wrote:
> > > On Sun, Feb 20, 2022 at 01:34:20AM +0100, Pablo Neira Ayuso wrote:
> > > > On Sat, Feb 19, 2022 at 02:27:48PM +0100, Phil Sutter wrote:
> > > > > Patch 1 adds a test for 'ct count' statement, patches 2 and 3 fix some
> > > > > keywords' scope, bulk scope introduction in the remaining ones.
> > > >
> > > > Could you just push out the fixes in this batch?
> > > >
> > > > My proposal is to release 1.0.2 with accumulated changes in master,
> > > > then we follow up with more updates after the release.
> > >
> > > I think it's fine to merge this to master now that 1.0.2 has been
> > > released.
> >
> > Pushed the series after a rebase and successful py testsuite run for
> > sanity. Thanks for the heads-up!
>
> shell testsuite reports problems:
>
> results: [OK] 298 [FAILED] 3 [TOTAL] 301
Ah, sorry. I falsely assumed py testsuite would cover anything
syntax-related. I just sent a fix.
> These tests break with syntax errors.
>
> Please, also run monitor and json_echo tests.
Luckily, both passed.
Sorry, Phil
^ permalink raw reply [flat|nested] 36+ messages in thread