netfilter-devel.vger.kernel.org archive mirror
* [PATCH nft 00/10 nft] syntax updates
@ 2016-08-17 13:29 Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 01/10] src: quote user-defined strings when used from rule selectors Pablo Neira Ayuso
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

Hi,

The following patchset is addressing part of the syntax issues that we
have discussed during the NFWS.

1) Quote user-defined strings from rule selectors. The current behaviour
   is inconsistent since some selectors quote user-defined strings
   and others do not, so let's quote them all.

2) Add 'to' for snat and dnat to keep it consistent with redirect,
   masquerade, dup and fwd.

3) Support for IPv6 address between brackets.

4) Missing QUOTED_STRING and ASTERISK_STRING token descriptions.

5) Allow strings that start by _ and . so we comply with POSIX.1-2008.

6) Kill useless range pattern from scanner.

7,8,9) Add meta priority support using minor:major syntax.

10) Add colon after 'redirect to' for consistency with nat and
   masquerade.

Comments welcome.

Pablo Neira Ayuso (10):
  src: quote user-defined strings when used from rule selectors
  src: add 'to' for snat and dnat
  src: support for RFC2732 IPv6 address format with brackets
  parser_bison: missing token string in QUOTED_ASTERISK and ASTERISK_STRING
  scanner: allow strings starting by underscores and dots
  scanner: remove range expression
  src: rename datatype name from tc_handle to classid
  src: simplify classid printing using %x instead of %04x
  src: meta priority support using tc classid
  parser_bison: redirect to :port for consistency with nat/masq statement

 include/datatype.h                  |  6 +--
 src/cli.c                           |  8 +++
 src/ct.c                            |  2 +-
 src/datatype.c                      | 12 +++--
 src/erec.c                          |  1 +
 src/main.c                          |  3 +-
 src/meta.c                          | 66 ++++++++++++++-----------
 src/parser_bison.y                  | 27 ++++++----
 src/proto.c                         |  2 +-
 src/scanner.l                       | 16 +++++-
 src/statement.c                     | 26 ++++++++--
 tests/py/any/meta.t                 | 80 ++++++++++++++++--------------
 tests/py/any/meta.t.payload         | 99 ++++++++++++++++++++++++++++++++-----
 tests/py/ip/dnat.t                  | 16 +++---
 tests/py/ip/dnat.t.payload.ip       | 12 ++---
 tests/py/ip/redirect.t              | 24 ++++-----
 tests/py/ip/redirect.t.payload      | 20 ++++----
 tests/py/ip/snat.t                  | 12 ++---
 tests/py/ip/snat.t.payload          |  8 +--
 tests/py/ip6/dnat.t                 |  5 +-
 tests/py/ip6/dnat.t.payload.ip6     | 14 +++++-
 tests/py/ip6/redirect.t             | 18 +++----
 tests/py/ip6/redirect.t.payload.ip6 | 14 +++---
 tests/py/ip6/snat.t                 |  4 +-
 tests/py/ip6/snat.t.payload.ip6     |  4 +-
 25 files changed, 325 insertions(+), 174 deletions(-)

-- 
2.1.4


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH nft 01/10] src: quote user-defined strings when used from rule selectors
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 02/10] src: add 'to' for snat and dnat Pablo Neira Ayuso
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

The following selectors display strings using quotes:

* meta iifname
* meta oifname
* meta ibriport
* meta obriport

However, the following do not:

* meta oif
* meta iif
* meta skuid
* meta skgid
* meta iifgroup
* meta oifgroup
* meta rtclassid
* ct label

Given they refer to user-defined values, neither keywords nor internal
built-in known values, let's quote the output of this.

This patch modifies symbolic_constant_print() so we can signal this to
indicate if the string needs to be quoted.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/datatype.h          |  2 +-
 src/ct.c                    |  2 +-
 src/datatype.c              | 12 ++++++----
 src/meta.c                  | 12 +++++-----
 src/proto.c                 |  2 +-
 tests/py/any/meta.t         | 58 ++++++++++++++++++++++-----------------------
 tests/py/any/meta.t.payload | 26 ++++++++++----------
 7 files changed, 59 insertions(+), 55 deletions(-)

diff --git a/include/datatype.h b/include/datatype.h
index c7e110f..3eb686e 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -188,7 +188,7 @@ extern struct error_record *symbolic_constant_parse(const struct expr *sym,
 						    const struct symbol_table *tbl,
 						    struct expr **res);
 extern void symbolic_constant_print(const struct symbol_table *tbl,
-				    const struct expr *expr);
+				    const struct expr *expr, bool quotes);
 extern void symbol_table_print(const struct symbol_table *tbl,
 			       const struct datatype *dtype);
 
diff --git a/src/ct.c b/src/ct.c
index f6018d8..3575596 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -108,7 +108,7 @@ static void ct_label_type_print(const struct expr *expr)
 	for (s = ct_label_tbl->symbols; s->identifier != NULL; s++) {
 		if (bit != s->value)
 			continue;
-		printf("%s", s->identifier);
+		printf("\"%s\"", s->identifier);
 		return;
 	}
 	/* can happen when connlabel.conf is altered after rules were added */
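Review bot: the quoted form `printf("\"%s\"", s->identifier)` has no accompanying test; the diffstat for this patch touches only tests/py/any/meta.t and its payload, so nothing checks that a ct label listing now reads `ct label "name"` and parses back. Add a ct label line with the quoted expected output to the python tests.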
diff --git a/src/datatype.c b/src/datatype.c
index 002c4c6..2b1619a 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -86,7 +86,8 @@ void datatype_print(const struct expr *expr)
 		if (dtype->print != NULL)
 			return dtype->print(expr);
 		if (dtype->sym_tbl != NULL)
-			return symbolic_constant_print(dtype->sym_tbl, expr);
+			return symbolic_constant_print(dtype->sym_tbl, expr,
+						       false);
 	} while ((dtype = dtype->basetype));
 
 	BUG("datatype %s has no print method or symbol table\n",
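Review bot: passing `false` from the generic datatype_print() fallback means any type that reaches symbolic_constant_print() only through its basetype walk stays unquoted, while types with their own print callback choose `true` or `false` by hand. A one-line comment here stating that the fallback is reserved for built-in symbol tables, and that user-defined tables must supply their own print callback, would make the intent clear to the next person adding a datatype.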
@@ -154,7 +155,7 @@ out:
 }
 
 void symbolic_constant_print(const struct symbol_table *tbl,
-			     const struct expr *expr)
+			     const struct expr *expr, bool quotes)
 {
 	unsigned int len = div_round_up(expr->len, BITS_PER_BYTE);
 	const struct symbolic_constant *s;
@@ -173,7 +174,10 @@ void symbolic_constant_print(const struct symbol_table *tbl,
 	if (s->identifier == NULL)
 		return expr_basetype(expr)->print(expr);
 
-	printf("%s", s->identifier);
+	if (quotes)
+		printf("\"%s\"", s->identifier);
+	else
+		printf("%s", s->identifier);
 }
 
 void symbol_table_print(const struct symbol_table *tbl,
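Review bot: the `quotes` branch prints `s->identifier` inside double quotes without escaping. The identifiers reaching this path with `quotes == true` come from user-editable tables (realms, devgroups, marks), so a name containing `"` or `\` would produce a listing that the scanner cannot read back. Consider a small helper that escapes those two characters and use it here and for the `printf("\"%s\"", ...)` calls added in ct.c and meta.c, instead of repeating the format string in six places.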
@@ -684,7 +688,7 @@ static void __exit mark_table_exit(void)
 
 static void mark_type_print(const struct expr *expr)
 {
-	return symbolic_constant_print(mark_tbl, expr);
+	return symbolic_constant_print(mark_tbl, expr, true);
 }
 
 static struct error_record *mark_type_parse(const struct expr *sym,
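Review bot: mark_type_print() now passes `true`, so symbolic mark names will be quoted too, but the commit message lists only iif, oif, skuid, skgid, iifgroup, oifgroup, rtclassid and ct label as changing. Either add mark to that list or pass `false` here if mark names are meant to stay unquoted.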
diff --git a/src/meta.c b/src/meta.c
index 9dd91de..94263f9 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -47,7 +47,7 @@ static void __exit realm_table_exit(void)
 
 static void realm_type_print(const struct expr *expr)
 {
-	return symbolic_constant_print(realm_tbl, expr);
+	return symbolic_constant_print(realm_tbl, expr, true);
 }
 
 static struct error_record *realm_type_parse(const struct expr *sym,
@@ -144,7 +144,7 @@ static void ifindex_type_print(const struct expr *expr)
 
 	ifindex = mpz_get_uint32(expr->value);
 	if (nft_if_indextoname(ifindex, name))
-		printf("%s", name);
+		printf("\"%s\"", name);
 	else
 		printf("%d", ifindex);
 }
@@ -208,7 +208,7 @@ static void uid_type_print(const struct expr *expr)
 
 		pw = getpwuid(uid);
 		if (pw != NULL)
-			printf("%s", pw->pw_name);
+			printf("\"%s\"", pw->pw_name);
 		else
 			printf("%d", uid);
 		return;
@@ -260,7 +260,7 @@ static void gid_type_print(const struct expr *expr)
 
 		gr = getgrgid(gid);
 		if (gr != NULL)
-			printf("%s", gr->gr_name);
+			printf("\"%s\"", gr->gr_name);
 		else
 			printf("%u", gid);
 		return;
@@ -314,7 +314,7 @@ static const struct symbol_table pkttype_type_tbl = {
 
 static void pkttype_type_print(const struct expr *expr)
 {
-	return symbolic_constant_print(&pkttype_type_tbl, expr);
+	return symbolic_constant_print(&pkttype_type_tbl, expr, false);
 }
 
 static const struct datatype pkttype_type = {
@@ -341,7 +341,7 @@ static void __exit devgroup_table_exit(void)
 
 static void devgroup_type_print(const struct expr *expr)
 {
-	return symbolic_constant_print(devgroup_tbl, expr);
+	return symbolic_constant_print(devgroup_tbl, expr, true);
 }
 
 static struct error_record *devgroup_type_parse(const struct expr *sym,
diff --git a/src/proto.c b/src/proto.c
index 4c12977..94995f1 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -871,7 +871,7 @@ static const struct symbol_table ethertype_tbl = {
 
 static void ethertype_print(const struct expr *expr)
 {
-	return symbolic_constant_print(&ethertype_tbl, expr);
+	return symbolic_constant_print(&ethertype_tbl, expr, false);
 }
 
 const struct datatype ethertype_type = {
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 909de8b..11ebf75 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -61,10 +61,10 @@ meta mark or 0x03 != 0x01;ok;mark | 0x00000003 != 0x00000001
 meta mark xor 0x03 == 0x01;ok;mark 0x00000002
 meta mark xor 0x03 != 0x01;ok;mark != 0x00000002
 
-meta iif eth0 accept;ok;iif eth0 accept
-meta iif eth0 accept;ok;iif eth0 accept
-meta iif != eth0 accept;ok;iif != eth0 accept
-meta iif != eth0 accept;ok;iif != eth0 accept
+meta iif "eth0" accept;ok;iif "eth0" accept
+meta iif "eth0" accept;ok;iif "eth0" accept
+meta iif != "eth0" accept;ok;iif != "eth0" accept
+meta iif != "eth0" accept;ok;iif != "eth0" accept
 
 meta iifname "eth0";ok;iifname "eth0"
 meta iifname != "eth0";ok;iifname != "eth0"
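Review bot: the unquoted input lines `meta iif eth0 accept` are replaced rather than kept, so the tests no longer cover whether the old unquoted form still parses; if it is meant to keep working, keep one unquoted input line whose expected output is `iif "eth0" accept` next to the quoted ones. The two identical `meta iif "eth0" accept` lines (and the two `!=` lines) are duplicates carried over from before and could be collapsed.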
@@ -80,10 +80,10 @@ meta iiftype ether;ok;iiftype ether
 meta iiftype != ppp;ok;iiftype != ppp
 meta iiftype ppp;ok;iiftype ppp
 
-meta oif lo accept;ok;oif lo accept
-meta oif != lo accept;ok;oif != lo accept
-meta oif {eth0, lo} accept;ok
-- meta oif != {eth0, lo} accept;ok
+meta oif "lo" accept;ok;oif "lo" accept
+meta oif != "lo" accept;ok;oif != "lo" accept
+meta oif {"eth0", "lo"} accept;ok
+- meta oif != {"eth0", "lo"} accept;ok
 
 meta oifname "eth0";ok;oifname "eth0"
 meta oifname != "eth0";ok;oifname != "eth0"
@@ -97,10 +97,10 @@ meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
 meta oiftype != ether;ok;oiftype != ether
 meta oiftype ether;ok;oiftype ether
 
-meta skuid {bin, root, daemon} accept;ok;skuid { 0, 1, 2} accept
-- meta skuid != {bin, root, daemon} accept;ok
-meta skuid root;ok;skuid 0
-meta skuid != root;ok;skuid != 0
+meta skuid {"bin", "root", "daemon"} accept;ok;skuid { 0, 1, 2} accept
+- meta skuid != {"bin", "root", "daemon"} accept;ok
+meta skuid "root";ok;skuid 0
+meta skuid != "root";ok;skuid != 0
 meta skuid lt 3000 accept;ok;skuid < 3000 accept
 meta skuid gt 3000 accept;ok;skuid > 3000 accept
 meta skuid eq 3000 accept;ok;skuid 3000 accept
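Review bot: the expected output on these lines stays numeric (`skuid 0`, `skuid { 0, 1, 2}`), so the hunk only checks that the parser accepts `"root"` as input; the new `printf("\"%s\"", pw->pw_name)` branch in uid_type_print() is not exercised by the suite. A line whose expected output is the quoted name would cover the print side as well.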
@@ -109,10 +109,10 @@ meta skuid != 2001-2005 accept;ok;skuid != 2001-2005 accept
 meta skuid { 2001-2005} accept;ok;skuid { 2001-2005} accept
 - meta skuid != { 2001-2005} accept;ok
 
-meta skgid {bin, root, daemon} accept;ok;skgid { 0, 1, 2} accept
-- meta skgid != {bin, root, daemon} accept;ok
-meta skgid root;ok;skgid 0
-meta skgid != root;ok;skgid != 0
+meta skgid {"bin", "root", "daemon"} accept;ok;skgid { 0, 1, 2} accept
+- meta skgid != {"bin", "root", "daemon"} accept;ok
+meta skgid "root";ok;skgid 0
+meta skgid != "root";ok;skgid != 0
 meta skgid lt 3000 accept;ok;skgid < 3000 accept
 meta skgid gt 3000 accept;ok;skgid > 3000 accept
 meta skgid eq 3000 accept;ok;skgid 3000 accept
@@ -148,7 +148,7 @@ meta skgid 3000;ok;skgid 3000
 # BUG:  meta nftrace 1;ok
 # <cmdline>:1:1-37: Error: Could not process rule: Operation not supported
 - meta nftrace 1;ok
-meta rtclassid cosmos;ok;rtclassid cosmos
+meta rtclassid "cosmos";ok;rtclassid "cosmos"
 
 meta pkttype broadcast;ok;pkttype broadcast
 meta pkttype unicast;ok;pkttype unicast
@@ -167,22 +167,22 @@ meta cpu { 2,3};ok;cpu { 2,3}
 meta cpu { 2-3, 5-7};ok
 -meta cpu != { 2,3};ok; cpu != { 2,3}
 
-meta iifgroup 0;ok;iifgroup default
-meta iifgroup != 0;ok;iifgroup != default
-meta iifgroup default;ok;iifgroup default
-meta iifgroup != default;ok;iifgroup != default
-meta iifgroup {default};ok;iifgroup {default}
-- meta iifgroup != {default};ok
+meta iifgroup 0;ok;iifgroup "default"
+meta iifgroup != 0;ok;iifgroup != "default"
+meta iifgroup "default";ok;iifgroup "default"
+meta iifgroup != "default";ok;iifgroup != "default"
+meta iifgroup {"default"};ok;iifgroup {"default"}
+- meta iifgroup != {"default"};ok
 meta iifgroup { 11,33};ok
 meta iifgroup {11-33};ok
 - meta iifgroup != {11,33};ok
 - meta iifgroup != {11-33};ok
-meta oifgroup 0;ok;oifgroup default
-meta oifgroup != 0;ok;oifgroup != default
-meta oifgroup default;ok;oifgroup default
-meta oifgroup != default;ok;oifgroup != default
-meta oifgroup {default};ok;oifgroup {default}
-- meta oifgroup != {default};ok
+meta oifgroup 0;ok;oifgroup "default"
+meta oifgroup != 0;ok;oifgroup != "default"
+meta oifgroup "default";ok;oifgroup "default"
+meta oifgroup != "default";ok;oifgroup != "default"
+meta oifgroup {"default"};ok;oifgroup {"default"}
+- meta oifgroup != {"default"};ok
 meta oifgroup { 11,33};ok
 meta oifgroup {11-33};ok
 - meta oifgroup != {11,33};ok
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index acd7851..d10d0e6 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -340,7 +340,7 @@ ip test-ip4 input
   [ meta load oiftype => reg 1 ]
   [ cmp eq reg 1 0x00000001 ]
 
-# meta skuid {bin, root, daemon} accept
+# meta skuid {"bin", "root", "daemon"} accept
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
@@ -349,12 +349,12 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
-# meta skuid root
+# meta skuid "root"
 ip test-ip4 input
   [ meta load skuid => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
-# meta skuid != root
+# meta skuid != "root"
 ip test-ip4 input
   [ meta load skuid => reg 1 ]
   [ cmp neq reg 1 0x00000000 ]
@@ -405,7 +405,7 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
-# meta skgid {bin, root, daemon} accept
+# meta skgid {"bin", "root", "daemon"} accept
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
@@ -414,12 +414,12 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
-# meta skgid root
+# meta skgid "root"
 ip test-ip4 input
   [ meta load skgid => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
-# meta skgid != root
+# meta skgid != "root"
 ip test-ip4 input
   [ meta load skgid => reg 1 ]
   [ cmp neq reg 1 0x00000000 ]
@@ -536,7 +536,7 @@ ip test-ip4 input
   [ meta load skgid => reg 1 ]
   [ cmp eq reg 1 0x00000bb8 ]
 
-# meta rtclassid cosmos
+# meta rtclassid "cosmos"
 ip test-ip4 input
   [ meta load rtclassid => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
@@ -631,17 +631,17 @@ ip test-ip4 input
   [ meta load iifgroup => reg 1 ]
   [ cmp neq reg 1 0x00000000 ]
 
-# meta iifgroup default
+# meta iifgroup "default"
 ip test-ip4 input
   [ meta load iifgroup => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
-# meta iifgroup != default
+# meta iifgroup != "default"
 ip test-ip4 input
   [ meta load iifgroup => reg 1 ]
   [ cmp neq reg 1 0x00000000 ]
 
-# meta iifgroup {default}
+# meta iifgroup {"default"}
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00000000  : 0 [end]
@@ -676,17 +676,17 @@ ip test-ip4 input
   [ meta load oifgroup => reg 1 ]
   [ cmp neq reg 1 0x00000000 ]
 
-# meta oifgroup default
+# meta oifgroup "default"
 ip test-ip4 input
   [ meta load oifgroup => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
-# meta oifgroup != default
+# meta oifgroup != "default"
 ip test-ip4 input
   [ meta load oifgroup => reg 1 ]
   [ cmp neq reg 1 0x00000000 ]
 
-# meta oifgroup {default}
+# meta oifgroup {"default"}
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00000000  : 0 [end]
-- 
2.1.4



* [PATCH nft 02/10] src: add 'to' for snat and dnat
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 01/10] src: quote user-defined strings when used from rule selectors Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 03/10] src: support for RFC2732 IPv6 address format with brackets Pablo Neira Ayuso
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

This is extra syntactic sugar to get this consistent with other
statements such as redirect, masquerade, dup and fwd that indicate
where to go.

Existing syntax is still preserved, but the listing shows the one
including 'to'.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y              | 14 +++++++-------
 src/statement.c                 |  2 +-
 tests/py/ip/dnat.t              | 16 ++++++++--------
 tests/py/ip/dnat.t.payload.ip   | 12 ++++++------
 tests/py/ip/snat.t              | 12 ++++++------
 tests/py/ip/snat.t.payload      |  8 ++++----
 tests/py/ip6/dnat.t             |  4 ++--
 tests/py/ip6/dnat.t.payload.ip6 |  4 ++--
 tests/py/ip6/snat.t             |  4 ++--
 tests/py/ip6/snat.t.payload.ip6 |  4 ++--
 10 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index e16b8a3..ba2dba4 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1649,18 +1649,18 @@ stmt_expr		:	map_stmt_expr
 			|	primary_rhs_expr
 			;
 
-nat_stmt_args		:	stmt_expr
+nat_stmt_args		:	TO	stmt_expr
 			{
-				$<stmt>0->nat.addr = $1;
+				$<stmt>0->nat.addr = $2;
 			}
-			|	stmt_expr	COLON	stmt_expr
+			|	TO	stmt_expr	COLON	stmt_expr
 			{
-				$<stmt>0->nat.addr = $1;
-				$<stmt>0->nat.proto = $3;
+				$<stmt>0->nat.addr = $2;
+				$<stmt>0->nat.proto = $4;
 			}
-			|	COLON		stmt_expr
+			|	TO	COLON		stmt_expr
 			{
-				$<stmt>0->nat.proto = $2;
+				$<stmt>0->nat.proto = $3;
 			}
 			|       nat_stmt_args   nf_nat_flags
 			{
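Review bot: all three `nat_stmt_args` alternatives now require the `TO` token and no alternative without it is kept, which contradicts the commit message's "Existing syntax is still preserved"; unless the old form is accepted somewhere outside this hunk, `dnat 192.168.3.2` becomes a syntax error. Either keep the three old alternatives alongside the `TO` ones or drop that sentence from the message.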
diff --git a/src/statement.c b/src/statement.c
index 7778a95..ccc16bb 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -396,7 +396,7 @@ static void nat_stmt_print(const struct stmt *stmt)
 		[NFT_NAT_DNAT]	= "dnat",
 	};
 
-	printf("%s ", nat_types[stmt->nat.type]);
+	printf("%s to ", nat_types[stmt->nat.type]);
 	if (stmt->nat.addr)
 		expr_print(stmt->nat.addr);
 	if (stmt->nat.proto) {
diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t
index 28e658d..d1ffdd7 100644
--- a/tests/py/ip/dnat.t
+++ b/tests/py/ip/dnat.t
@@ -2,15 +2,15 @@
 
 *ip;test-ip4;prerouting
 
-iifname "eth0" tcp dport 80-90 dnat 192.168.3.2;ok
-iifname "eth0" tcp dport != 80-90 dnat 192.168.3.2;ok
-iifname "eth0" tcp dport {80, 90, 23} dnat 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2;ok
+iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2;ok
+iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok
 # BUG: invalid expression type set
 # nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
 
-iifname "eth0" tcp dport != 23-34 dnat 192.168.3.2;ok
+iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2;ok
 
-dnat ct mark map { 0x00000014 : 1.2.3.4};ok
-dnat ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
+dnat to ct mark map { 0x00000014 : 1.2.3.4};ok
+dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
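Review bot: every input line here is converted to the `to` form, so no test keeps the pre-existing `dnat 192.168.3.2` syntax that the commit message says is still preserved; keep at least one old-form input with the `dnat to ...` expected output so the compatibility claim is tested. The two `- iifname "eth0" tcp dport != {80, 90, 23} ...` lines are duplicates.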
diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
index bf972c6..be382da 100644
--- a/tests/py/ip/dnat.t.payload.ip
+++ b/tests/py/ip/dnat.t.payload.ip
@@ -1,4 +1,4 @@
-# iifname "eth0" tcp dport 80-90 dnat 192.168.3.2
+# iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2
 ip test-ip4 prerouting
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
@@ -10,7 +10,7 @@ ip test-ip4 prerouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
 
-# iifname "eth0" tcp dport != 80-90 dnat 192.168.3.2
+# iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2
 ip test-ip4 prerouting
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
@@ -22,7 +22,7 @@ ip test-ip4 prerouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
 
-# iifname "eth0" tcp dport {80, 90, 23} dnat 192.168.3.2
+# iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
@@ -36,7 +36,7 @@ ip test-ip4 prerouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
 
-# iifname "eth0" tcp dport != 23-34 dnat 192.168.3.2
+# iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2
 ip test-ip4 prerouting
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
@@ -48,7 +48,7 @@ ip test-ip4 prerouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
 
-# dnat ct mark map { 0x00000014 : 1.2.3.4}
+# dnat to ct mark map { 0x00000014 : 1.2.3.4}
 __map%d test-ip4 b
 __map%d test-ip4 0
 	element 00000014  : 04030201 0 [end]
@@ -57,7 +57,7 @@ ip test-ip4 prerouting
   [ lookup reg 1 set __map%d dreg 1 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
 
-# dnat ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
 __map%d test-ip4 b
 __map%d test-ip4 0
 	element 00000014 01010101  : 04030201 0 [end]
diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t
index a8469a3..ec2df8c 100644
--- a/tests/py/ip/snat.t
+++ b/tests/py/ip/snat.t
@@ -2,12 +2,12 @@
 
 *ip;test-ip4;postrouting
 
-iifname "eth0" tcp dport 80-90 snat 192.168.3.2;ok
-iifname "eth0" tcp dport != 80-90 snat 192.168.3.2;ok
-iifname "eth0" tcp dport {80, 90, 23} snat 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} snat 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} snat 192.168.3.2;ok
+iifname "eth0" tcp dport 80-90 snat to 192.168.3.2;ok
+iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2;ok
+iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok
 # BUG: invalid expression type set
 # nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
 
-iifname "eth0" tcp dport != 23-34 snat 192.168.3.2;ok
+iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2;ok
diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload
index cbea641..bef97a8 100644
--- a/tests/py/ip/snat.t.payload
+++ b/tests/py/ip/snat.t.payload
@@ -1,4 +1,4 @@
-# iifname "eth0" tcp dport 80-90 snat 192.168.3.2
+# iifname "eth0" tcp dport 80-90 snat to 192.168.3.2
 ip test-ip4 postrouting
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
@@ -10,7 +10,7 @@ ip test-ip4 postrouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat snat ip addr_min reg 1 addr_max reg 0 ]
 
-# iifname "eth0" tcp dport != 80-90 snat 192.168.3.2
+# iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2
 ip test-ip4 postrouting
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
@@ -22,7 +22,7 @@ ip test-ip4 postrouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat snat ip addr_min reg 1 addr_max reg 0 ]
 
-# iifname "eth0" tcp dport {80, 90, 23} snat 192.168.3.2
+# iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
@@ -36,7 +36,7 @@ ip test-ip4 postrouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat snat ip addr_min reg 1 addr_max reg 0 ]
 
-# iifname "eth0" tcp dport != 23-34 snat 192.168.3.2
+# iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2
 ip test-ip4 postrouting
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
diff --git a/tests/py/ip6/dnat.t b/tests/py/ip6/dnat.t
index b061f2f..b256e01 100644
--- a/tests/py/ip6/dnat.t
+++ b/tests/py/ip6/dnat.t
@@ -2,5 +2,5 @@
 
 *ip6;test-ip6;prerouting
 
-tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:::80-100;ok
-tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:: :100;ok;tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:::100
+tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::80-100;ok
+tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:: :100;ok;tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::100
diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6
index 13c7a0e..494ade3 100644
--- a/tests/py/ip6/dnat.t.payload.ip6
+++ b/tests/py/ip6/dnat.t.payload.ip6
@@ -1,4 +1,4 @@
-# tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:::80-100
+# tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::80-100
 ip6 test-ip6 prerouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -11,7 +11,7 @@ ip6 test-ip6 prerouting
   [ immediate reg 4 0x00006400 ]
   [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ]
 
-# tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:: :100
+# tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:: :100
 ip6 test-ip6 prerouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
diff --git a/tests/py/ip6/snat.t b/tests/py/ip6/snat.t
index dec8dff..b85d9af 100644
--- a/tests/py/ip6/snat.t
+++ b/tests/py/ip6/snat.t
@@ -2,5 +2,5 @@
 
 *ip6;test-ip6;postrouting
 
-tcp dport 80-90 snat 2001:838:35f:1::-2001:838:35f:2:: :80-100;ok;tcp dport 80-90 snat 2001:838:35f:1::-2001:838:35f:2:::80-100
-tcp dport 80-90 snat 2001:838:35f:1::-2001:838:35f:2:::100;ok
+tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:: :80-100;ok;tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::80-100
+tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::100;ok
diff --git a/tests/py/ip6/snat.t.payload.ip6 b/tests/py/ip6/snat.t.payload.ip6
index 486bbb8..fbc99c1 100644
--- a/tests/py/ip6/snat.t.payload.ip6
+++ b/tests/py/ip6/snat.t.payload.ip6
@@ -1,4 +1,4 @@
-# tcp dport 80-90 snat 2001:838:35f:1::-2001:838:35f:2:: :80-100
+# tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:: :80-100
 ip6 test-ip6 postrouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -11,7 +11,7 @@ ip6 test-ip6 postrouting
   [ immediate reg 4 0x00006400 ]
   [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ]
 
-# tcp dport 80-90 snat 2001:838:35f:1::-2001:838:35f:2:::100
+# tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::100
 ip6 test-ip6 postrouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
-- 
2.1.4



* [PATCH nft 03/10] src: support for RFC2732 IPv6 address format with brackets
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 01/10] src: quote user-defined strings when used from rule selectors Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 02/10] src: add 'to' for snat and dnat Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 04/10] parser_bison: missing token string in QUOTED_ASTERISK and ASTERISK_STRING Pablo Neira Ayuso
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

The statement:

	dnat to 2001:838:35f:1:::80

is very confusing as it is not so easy to identify where the address ends
and the port starts. This is even harder to read with ranges.

So this patch adds square brackets, as in RFC2732, to enclose the IPv6
address.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/scanner.l                   |  7 +++++++
 src/statement.c                 | 22 ++++++++++++++++++++--
 tests/py/ip6/dnat.t             |  5 +++--
 tests/py/ip6/dnat.t.payload.ip6 | 14 ++++++++++++--
 tests/py/ip6/snat.t             |  4 ++--
 tests/py/ip6/snat.t.payload.ip6 |  4 ++--
 6 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/src/scanner.l b/src/scanner.l
index 613c3c9..3ad4dd9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -169,6 +169,7 @@ v60		(::)
 macaddr		(([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2})
 ip4addr		(([[:digit:]]{1,3}"."){3}([[:digit:]]{1,3}))
 ip6addr		({v680}|{v67}|{v66}|{v65}|{v64}|{v63}|{v62}|{v61}|{v60})
+ip6addr_rfc2732	(\[{ip6addr}\])
 
 addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
@@ -475,6 +476,12 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 				return STRING;
 			}
 
+{ip6addr_rfc2732}	{
+				yytext[yyleng - 1] = '\0';
+				yylval->string = xstrdup(yytext + 1);
+				return STRING;
+			}
+
 {timestring}		{
 				yylval->string = xstrdup(yytext);
 				return STRING;
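Review bot: `yytext[yyleng - 1] = '\0'` followed by `xstrdup(yytext + 1)` strips the brackets correctly, but the new `ip6addr_rfc2732` macro is not folded into the `addrstring` definition above it, so any rule built on `addrstring` rather than on `ip6addr` will not recognise the bracketed form. If that is intended, a short comment next to the macro saying the brackets are only accepted as a standalone STRING token would avoid surprises.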
diff --git a/src/statement.c b/src/statement.c
index ccc16bb..fbe74a6 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -397,8 +397,26 @@ static void nat_stmt_print(const struct stmt *stmt)
 	};
 
 	printf("%s to ", nat_types[stmt->nat.type]);
-	if (stmt->nat.addr)
-		expr_print(stmt->nat.addr);
+	if (stmt->nat.addr) {
+		if (stmt->nat.proto) {
+			if (stmt->nat.addr->ops->type == EXPR_VALUE &&
+			    stmt->nat.addr->dtype->type == TYPE_IP6ADDR) {
+				printf("[");
+				expr_print(stmt->nat.addr);
+				printf("]");
+			} else if (stmt->nat.addr->ops->type == EXPR_RANGE &&
+				   stmt->nat.addr->left->dtype->type == TYPE_IP6ADDR) {
+				printf("[");
+				expr_print(stmt->nat.addr->left);
+				printf("]-[");
+				expr_print(stmt->nat.addr->right);
+				printf("]");
+			}
+		} else {
+			expr_print(stmt->nat.addr);
+		}
+	}
+
 	if (stmt->nat.proto) {
 		printf(":");
 		expr_print(stmt->nat.proto);
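Review bot: when both `nat.addr` and `nat.proto` are set but the address is neither an IPv6 EXPR_VALUE nor an IPv6 EXPR_RANGE, the inner if/else-if chain has no final `else`, so the address is not printed at all: an IPv4 rule such as `dnat to 192.168.3.2:80` would list as `dnat to :80`, and the same happens for a map expression followed by a port. Add `else expr_print(stmt->nat.addr);` to the inner chain, or restructure so the plain print is the default and brackets are only added around the two IPv6 cases. tests/py/ip/dnat.t is not touched by this patch, so this regression would not be caught by the suite.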
diff --git a/tests/py/ip6/dnat.t b/tests/py/ip6/dnat.t
index b256e01..78d6d0a 100644
--- a/tests/py/ip6/dnat.t
+++ b/tests/py/ip6/dnat.t
@@ -2,5 +2,6 @@
 
 *ip6;test-ip6;prerouting
 
-tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::80-100;ok
-tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:: :100;ok;tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::100
+tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok
+tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok;tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
+tcp dport 80-90 dnat to [2001:838:35f:1::]:80;ok
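Review bot: the new `[2001:838:35f:1::]:80` line checks the bracketed single-address form, but there is still no case with a bracketed address and no port (`dnat to [2001:838:35f:1::]`) to confirm the scanner strips the brackets and the printer omits them when `nat.proto` is unset. The second line's third field repeats the input verbatim and can be dropped as on the first line.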
diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6
index 494ade3..8bd5819 100644
--- a/tests/py/ip6/dnat.t.payload.ip6
+++ b/tests/py/ip6/dnat.t.payload.ip6
@@ -1,4 +1,4 @@
-# tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::80-100
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
 ip6 test-ip6 prerouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -11,7 +11,7 @@ ip6 test-ip6 prerouting
   [ immediate reg 4 0x00006400 ]
   [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ]
 
-# tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:: :100
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
 ip6 test-ip6 prerouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -23,3 +23,13 @@ ip6 test-ip6 prerouting
   [ immediate reg 3 0x00006400 ]
   [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 0 ]
 
+# tcp dport 80-90 dnat to [2001:838:35f:1::]:80
+ip6 test-ip6 prerouting
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x00005000 ]
+  [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 ]
diff --git a/tests/py/ip6/snat.t b/tests/py/ip6/snat.t
index b85d9af..c259f93 100644
--- a/tests/py/ip6/snat.t
+++ b/tests/py/ip6/snat.t
@@ -2,5 +2,5 @@
 
 *ip6;test-ip6;postrouting
 
-tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:: :80-100;ok;tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::80-100
-tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::100;ok
+tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok;tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
+tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok
diff --git a/tests/py/ip6/snat.t.payload.ip6 b/tests/py/ip6/snat.t.payload.ip6
index fbc99c1..ea40363 100644
--- a/tests/py/ip6/snat.t.payload.ip6
+++ b/tests/py/ip6/snat.t.payload.ip6
@@ -1,4 +1,4 @@
-# tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:: :80-100
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
 ip6 test-ip6 postrouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -11,7 +11,7 @@ ip6 test-ip6 postrouting
   [ immediate reg 4 0x00006400 ]
   [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ]
 
-# tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::100
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
 ip6 test-ip6 postrouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
-- 
2.1.4



* [PATCH nft 04/10] parser_bison: missing token string in QUOTED_ASTERISK and ASTERISK_STRING
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2016-08-17 13:29 ` [PATCH nft 03/10] src: support for RFC2732 IPv6 address format with brackets Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 05/10] scanner: allow strings starting by underscores and dots Pablo Neira Ayuso
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

<cmdline>:1:24-24: Error: syntax error, unexpected newline, expecting string or QUOTED_STRING or ASTERISK_STRING
add rule x y log prefix
                       ^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index ba2dba4..f4ce11d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -221,8 +221,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 
 %token <val> NUM		"number"
 %token <string> STRING		"string"
-%token <string> QUOTED_STRING
-%token <string> ASTERISK_STRING
+%token <string> QUOTED_STRING	"quoted string"
+%token <string> ASTERISK_STRING	"string with a trailing asterisk"
 %destructor { xfree($$); }	STRING QUOTED_STRING ASTERISK_STRING
 
 %token LL_HDR			"ll"
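Review bot: the subject line names QUOTED_ASTERISK, but the tokens that get descriptions in this hunk are QUOTED_STRING and ASTERISK_STRING; fix the subject so it matches the change. The change itself is right: with the descriptions bison reports `expecting string or quoted string or string with a trailing asterisk` instead of the raw token names shown in the commit message.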
-- 
2.1.4



* [PATCH nft 05/10] scanner: allow strings starting by underscores and dots
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
                   ` (3 preceding siblings ...)
  2016-08-17 13:29 ` [PATCH nft 04/10] parser_bison: missing token string in QUOTED_ASTERISK and ASTERISK_STRING Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 06/10] scanner: remove range expression Pablo Neira Ayuso
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

POSIX.1-2008 (which is simultaneously IEEE Std 1003.1-2008) says:

"The set of characters from which portable filenames are constructed.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -"

On top of that it says:

"The <hyphen> character should not be used as the first character of a
portable user name."

This allows a bit more things than NAME_REGEX though, but this still
looks fine to me.

For more info, see:
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_431
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_278

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/scanner.l | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/scanner.l b/src/scanner.l
index 3ad4dd9..6f497e8 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -112,7 +112,7 @@ decstring	{digit}+
 hexstring	0[xX]{hexdigit}+
 range		({decstring}?:{decstring}?)
 letter		[a-zA-Z]
-string		({letter})({letter}|{digit}|[/\-_\.])*
+string		({letter}|[_.])({letter}|{digit}|[/\-_\.])*
 quotedstring	\"[^"]*\"
 asteriskstring	({string}\*|{string}\\\*)
 comment		#.*$
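Review bot: the new first-character class `[_.]` also admits a bare `.` or `..` as a name and, combined with the `/` already allowed in the body, identifiers that look like relative paths (`./foo`); the commit message should say which user-visible names this affects (table, chain, set names) and a tests/py case with a leading underscore and a leading dot would cover the scanner change. Note also that the quoted POSIX text is the portable filename character set, while the hyphen rule quoted after it comes from the portable user name definition, so the message mixes two different definitions.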
-- 
2.1.4



* [PATCH nft 06/10] scanner: remove range expression
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
                   ` (4 preceding siblings ...)
  2016-08-17 13:29 ` [PATCH nft 05/10] scanner: allow strings starting by underscores and dots Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 07/10] src: rename datatype name from tc_handle to classid Pablo Neira Ayuso
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

This expression is not used anywhere in this scanner code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/scanner.l | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/scanner.l b/src/scanner.l
index 6f497e8..b1420f3 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -110,7 +110,6 @@ digit		[0-9]
 hexdigit	[0-9a-fA-F]
 decstring	{digit}+
 hexstring	0[xX]{hexdigit}+
-range		({decstring}?:{decstring}?)
 letter		[a-zA-Z]
 string		({letter}|[_.])({letter}|{digit}|[/\-_\.])*
 quotedstring	\"[^"]*\"
-- 
2.1.4



* [PATCH nft 07/10] src: rename datatype name from tc_handle to classid
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
                   ` (5 preceding siblings ...)
  2016-08-17 13:29 ` [PATCH nft 06/10] scanner: remove range expression Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:29 ` [PATCH nft 08/10] src: simplify classid printing using %x instead of %04x Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/datatype.h | 4 ++--
 src/meta.c         | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/datatype.h b/include/datatype.h
index 3eb686e..12ec46b 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -27,7 +27,7 @@
  * @TYPE_IFINDEX:	interface index (integer subtype)
  * @TYPE_ARPHRD:	interface type (integer subtype)
  * @TYPE_REALM:		routing realm (integer subtype)
- * @TYPE_TC_HANDLE:	TC handle (integer subtype)
+ * @TYPE_CLASSID:	TC classid (integer subtype)
  * @TYPE_UID:		user ID (integer subtype)
  * @TYPE_GID:		group ID (integer subtype)
  * @TYPE_CT_STATE:	conntrack state (bitmask subtype)
@@ -66,7 +66,7 @@ enum datatypes {
 	TYPE_IFINDEX,
 	TYPE_ARPHRD,
 	TYPE_REALM,
-	TYPE_TC_HANDLE,
+	TYPE_CLASSID,
 	TYPE_UID,
 	TYPE_GID,
 	TYPE_CT_STATE,
diff --git a/src/meta.c b/src/meta.c
index 94263f9..c7967b0 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -127,9 +127,9 @@ err:
 }
 
 static const struct datatype tchandle_type = {
-	.type		= TYPE_TC_HANDLE,
-	.name		= "tc_handle",
-	.desc		= "TC handle",
+	.type		= TYPE_CLASSID,
+	.name		= "classid",
+	.desc		= "TC classid",
 	.byteorder	= BYTEORDER_HOST_ENDIAN,
 	.size		= 4 * BITS_PER_BYTE,
 	.basetype	= &integer_type,
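Review bot: the commit message is empty apart from the Signed-off-by, yet `.name` changes from "tc_handle" to "classid", which is the datatype name users see and type; that deserves a sentence in the message. For consistency with the new name, `tchandle_type`, `tchandle_type_parse` and `tchandle_type_print` should be renamed as well, otherwise the code keeps two names for one type.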
-- 
2.1.4



* [PATCH nft 08/10] src: simplify classid printing using %x instead of %04x
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
                   ` (6 preceding siblings ...)
  2016-08-17 13:29 ` [PATCH nft 07/10] src: rename datatype name from tc_handle to classid Pablo Neira Ayuso
@ 2016-08-17 13:29 ` Pablo Neira Ayuso
  2016-08-17 13:30 ` [PATCH nft 09/10] src: meta priority support using tc classid Pablo Neira Ayuso
  2016-08-17 13:30 ` [PATCH nft 10/10] parser_bison: redirect to :port for consistency with nat/masq statement Pablo Neira Ayuso
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

No need to print this in iptables CLASSIFY target format,
eg. 0004:1230, this is unnecessarily large.

And always print major and minor numbers.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/meta.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/meta.c b/src/meta.c
index c7967b0..1b17819 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -80,14 +80,7 @@ static void tchandle_type_print(const struct expr *expr)
 		printf("none");
 		break;
 	default:
-		if (TC_H_MAJ(handle) == 0)
-			printf(":%04x", TC_H_MIN(handle));
-		else if (TC_H_MIN(handle) == 0)
-			printf("%04x:", TC_H_MAJ(handle) >> 16);
-		else {
-			printf("%04x:%04x",
-			       TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));
-		}
+		printf("%0x:%0x", TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));
 		break;
 	}
 }
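Review bot: `%0x:%0x` is not what the subject promises; the `0` flag without a field width has no effect, so write `%x:%x`. Worth stating in the commit message that this is also a behavioural change: a handle with major 0 is now listed as `0:abcd` and one with minor 0 as `abcd:0` instead of `:abcd` and `abcd:`, which is consistent with the parser in 09/10 that requires both numbers.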
-- 
2.1.4



* [PATCH nft 09/10] src: meta priority support using tc classid
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
                   ` (7 preceding siblings ...)
  2016-08-17 13:29 ` [PATCH nft 08/10] src: simplify classid printing using %x instead of %04x Pablo Neira Ayuso
@ 2016-08-17 13:30 ` Pablo Neira Ayuso
  2016-08-17 13:30 ` [PATCH nft 10/10] parser_bison: redirect to :port for consistency with nat/masq statement Pablo Neira Ayuso
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

This patch adds the missing bits to scan and parse the meta priority
handle as expressed by tc classid major:minor syntax.

The :minor syntax is not supported for two reasons: major is always >= 1
and this clashes with port syntax in nat.

Here below, several examples of how to match the packet priority field:

   nft add rule filter forward meta priority abcd:0
   nft add rule filter forward meta priority abcd:1234

and to set it, you have to:

   nft add rule filter forward meta priority set abcd:1234

The priority expression in flex looks ahead to restrict the pattern to
avoid problems with mappings:

{classid}/[ \t\n:\-},]

So the following doesn't break:

   ... vmap { 25:accept }
              ^^^^^

The lookahead expression requires a slight change to extend the input
string by one byte.

This patch is conservative as you always have to explicitly indicate
major and minor numbers even if zero.

We could consider supporting this shortcut in the future:

	abcd:

However, with regards to this:

	:abcd

We don't need to support it since major number is assumed to be >= 1.
However, if we ever decide to support this, we'll have problems since
this clashes with our port representation in redirect and mangle.

So let's keep this simple and start with this approach.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/cli.c                   |  8 +++++
 src/erec.c                  |  1 +
 src/main.c                  |  3 +-
 src/meta.c                  | 39 +++++++++++++++++-------
 src/scanner.l               |  6 ++++
 src/statement.c             |  2 +-
 tests/py/any/meta.t         | 22 ++++++++------
 tests/py/any/meta.t.payload | 73 +++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 132 insertions(+), 22 deletions(-)

diff --git a/src/cli.c b/src/cli.c
index adffd6b..a74411a 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -92,6 +92,8 @@ static void cli_complete(char *line)
 	const HIST_ENTRY *hist;
 	const char *c;
 	LIST_HEAD(msgs);
+	int len;
+	char *s;
 
 	if (line == NULL) {
 		printf("\n");
@@ -119,6 +121,12 @@ static void cli_complete(char *line)
 	if (hist == NULL || strcmp(hist->line, line))
 		add_history(line);
 
+	len = strlen(line);
+	s = xmalloc(len + 2);
+	snprintf(s, len + 2, "%s\n", line);
+	xfree(line);
+	line = s;
+
 	parser_init(state, &msgs);
 	scanner_push_buffer(scanner, &indesc_cli, line);
 	nft_run(scanner, state, &msgs);
diff --git a/src/erec.c b/src/erec.c
index 0a1e6c7..3603216 100644
--- a/src/erec.c
+++ b/src/erec.c
@@ -92,6 +92,7 @@ void erec_print(FILE *f, const struct error_record *erec)
 	case INDESC_BUFFER:
 	case INDESC_CLI:
 		line = indesc->data;
+		*strchrnul(line, '\n') = '\0';
 		break;
 	case INDESC_FILE:
 		memset(buf, 0, sizeof(buf));
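Review bot: `*strchrnul(line, '\n') = '\0';` writes into the input descriptor's buffer from a print function, which is a surprising side effect (the buffer is truncated for every later error record printed from it, and it only compiles if `indesc->data` is not const). strchrnul is also a GNU extension needing _GNU_SOURCE. Computing the length with `strcspn(line, "\n")` and printing with `%.*s` avoids both.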
diff --git a/src/main.c b/src/main.c
index ad73d80..39a47bb 100644
--- a/src/main.c
+++ b/src/main.c
@@ -328,12 +328,13 @@ int main(int argc, char * const *argv)
 		for (len = 0, i = optind; i < argc; i++)
 			len += strlen(argv[i]) + strlen(" ");
 
-		buf = xzalloc(len + 1);
+		buf = xzalloc(len + 2);
 		for (i = optind; i < argc; i++) {
 			strcat(buf, argv[i]);
 			if (i + 1 < argc)
 				strcat(buf, " ");
 		}
+		strcat(buf, "\n");
 		parser_init(&state, &msgs);
 		scanner = scanner_init(&state);
 		scanner_push_buffer(scanner, &indesc_cmdline, buf);
diff --git a/src/meta.c b/src/meta.c
index 1b17819..5a6fee5 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -10,6 +10,7 @@
  * Development of this code funded by Astaro AG (http://www.astaro.com/)
  */
 
+#include <errno.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -89,34 +90,50 @@ static struct error_record *tchandle_type_parse(const struct expr *sym,
 						struct expr **res)
 {
 	uint32_t handle;
+	char *str;
 
 	if (strcmp(sym->identifier, "root") == 0)
 		handle = TC_H_ROOT;
 	else if (strcmp(sym->identifier, "none") == 0)
 		handle = TC_H_UNSPEC;
-	else if (sym->identifier[0] == ':') {
-		if (sscanf(sym->identifier, ":%04x", &handle) != 1)
+	else if (strchr(sym->identifier, ':')) {
+		uint16_t tmp;
+		char *colon;
+
+		str = xstrdup(sym->identifier);
+
+		colon = strchr(str, ':');
+		if (!colon)
 			goto err;
-	} else if (sym->identifier[strlen(sym->identifier)-1] == ':') {
-		if (sscanf(sym->identifier, "%04x:", &handle) != 1)
+
+		*colon = '\0';
+
+		errno = 0;
+		tmp = strtoull(str, NULL, 16);
+		if (errno != 0)
 			goto err;
 
-		handle <<= 16;
-	} else {
-		uint32_t min, max;
+		handle = (tmp << 16);
+		if (str[strlen(str) - 1] == ':')
+			goto out;
 
-		if (sscanf(sym->identifier, "%04x:%04x", &max, &min) != 2)
+		errno = 0;
+		tmp = strtoull(colon + 1, NULL, 16);
+		if (errno != 0)
 			goto err;
 
-		handle = max << 16 | min;
+		handle |= tmp;
+	} else {
+		handle = strtoull(sym->identifier, NULL, 0);
 	}
+out:
 	*res = constant_expr_alloc(&sym->location, sym->dtype,
 				   BYTEORDER_HOST_ENDIAN,
 				   sizeof(handle) * BITS_PER_BYTE, &handle);
 	return NULL;
 err:
-	return error(&sym->location, "Could not parse %s",
-		     sym->dtype->desc);
+	xfree(str);
+	return error(&sym->location, "Could not parse %s", sym->dtype->desc);
 }
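Review bot: `str` is leaked on both successful paths of the new `strchr` branch: after `handle |= tmp` the code falls into `out:` and returns NULL without `xfree(str)`, and the `goto out` does the same. The check `if (str[strlen(str) - 1] == ':') goto out;` is dead code: `*colon = '\0'` has just cut `str` at the colon, so its last character can never be ':'; the intended test for `abcd:` is `if (colon[1] == '\0')`, and for an empty major part `strlen(str) - 1` underflows into an out-of-bounds read. `strtoull(str, NULL, 16)` into a `uint16_t` also accepts trailing garbage and silently truncates anything above 0xffff, since errno is only set on ERANGE; use the endptr form and reject `*end != '\0'` or a value above 0xffff. The same applies to the new `else` branch: `meta priority foo` now becomes handle 0 via `strtoull(sym->identifier, NULL, 0)` where the removed sscanf code returned "Could not parse".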
 
 static const struct datatype tchandle_type = {
diff --git a/src/scanner.l b/src/scanner.l
index b1420f3..e9384fd 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -170,6 +170,7 @@ ip4addr		(([[:digit:]]{1,3}"."){3}([[:digit:]]{1,3}))
 ip6addr		({v680}|{v67}|{v66}|{v65}|{v64}|{v63}|{v62}|{v61}|{v60})
 ip6addr_rfc2732	(\[{ip6addr}\])
 
+classid		({hexdigit}{1,4}:{hexdigit}{1,4})
 addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
 %option prefix="nft_"
@@ -506,6 +507,11 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 				return NUM;
 			}
 
+{classid}/[ \t\n:\-},]	{
+				yylval->string = xstrdup(yytext);
+				return STRING;
+			}
+
 {quotedstring}		{
 				yytext[yyleng - 1] = '\0';
 				yylval->string = xstrdup(yytext + 1);
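Review bot: the trailing-context set `[ \t\n:\-},]` only protects mappings whose value is not itself one to four hex digits: `vmap { 25:accept }` is safe because after at most four hex digits the next character `p` is not in the set, but `map { 22:8000 }` or `{ 1:2 }` written without spaces now lexes as a single STRING `22:8000`, because `8000` is four hex digits followed by a space. Either document that map elements need whitespace around the colon, or restrict this rule with a start condition so it only fires where a classid is expected.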
diff --git a/src/statement.c b/src/statement.c
index fbe74a6..59b133c 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -477,7 +477,7 @@ static void redir_stmt_print(const struct stmt *stmt)
 	printf("redirect");
 
 	if (stmt->redir.proto) {
-		printf(" to ");
+		printf(" to :");
 		expr_print(stmt->redir.proto);
 	}
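Review bot: this statement.c hunk is unrelated to meta priority and belongs in 10/10, whose subject is the `redirect to :port` change; applied here on its own it makes nft list `redirect to :22` while the grammar at this commit (patch 04's parser_bison.y) still only accepts `redirect to 22`, so listings produced at 09/10 cannot be re-loaded until 10/10 is applied. Move it into 10/10 together with the redirect test updates.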
 
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 11ebf75..86ed719 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -38,15 +38,19 @@ meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88}
 meta l4proto { 33-55};ok
 - meta l4proto != { 33-55};ok
 
-- meta priority :aabb;ok
-- meta priority bcad:dadc;ok
-- meta priority aabb:;ok
-- meta priority != :aabb;ok
-- meta priority != bcad:dadc;ok
-- meta priority != aabb:;ok
-- meta priority bcad:dada-bcad:dadc;ok
-- meta priority != bcad:dada-bcad:dadc;ok
-- meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok
+meta priority root;ok
+meta priority none;ok
+meta priority 0x87654321;ok;meta priority 8765:4321
+meta priority 2271560481;ok;meta priority 8765:4321
+meta priority 1:1234;ok
+meta priority bcad:dadc;ok
+meta priority aabb:0;ok
+meta priority != bcad:dadc;ok
+meta priority != aabb:0;ok
+meta priority bcad:dada-bcad:dadc;ok
+meta priority != bcad:dada-bcad:dadc;ok
+meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok
+meta priority set cafe:beef;ok
 - meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok
 
 meta mark 0x4;ok;mark 0x00000004
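Review bot: `- meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok` stays disabled while the positive set case right above it is enabled; if set inequality still does not work for priority, say so in the commit message rather than leaving a silently skipped test. A case with an unrecognised symbol (`meta priority foo;fail`) would also pin down what the new `else` branch of tchandle_type_parse does with non-numeric names.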
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index d10d0e6..1b0a057 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -790,3 +790,76 @@ ip test-ip4 input
 ip test-ip4 input
   [ meta load prandom => reg 1 ]
   [ cmp gt reg 1 0x40420f00 ]
+
+# meta priority root
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0xffffffff ]
+
+# meta priority none
+netdev test-netdev ingress 
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta priority 1:1234
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x00011234 ]
+
+# meta priority bcad:dadc
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0xbcaddadc ]
+
+# meta priority aabb:0
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0xaabb0000 ]
+
+# meta priority != bcad:dadc
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ cmp neq reg 1 0xbcaddadc ]
+
+# meta priority != aabb:0
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ cmp neq reg 1 0xaabb0000 ]
+
+# meta priority bcad:dada-bcad:dadc
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0xdadaadbc ]
+  [ cmp lte reg 1 0xdcdaadbc ]
+
+# meta priority != bcad:dada-bcad:dadc
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp lt reg 1 0xdadaadbc ]
+  [ cmp gt reg 1 0xdcdaadbc ]
+
+# meta priority {bcad:dada, bcad:dadc, aaaa:bbbb}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element bcaddada  : 0 [end]	element bcaddadc  : 0 [end]	element aaaabbbb  : 0 [end]
+ip test-ip4 input 
+  [ meta load priority => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta priority set cafe:beef
+ip test-ip4 input 
+  [ immediate reg 1 0xcafebeef ]
+  [ meta set priority with reg 1 ]
+
+# meta priority 0x87654321
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x87654321 ]
+
+# meta priority 2271560481
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x87654321 ]
+
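Review bot: several added lines carry trailing whitespace (`ip test-ip4 input ` in the `root`, `bcad:dadc`, `aabb:0`, range and set cases) and the `none` case uses `netdev test-netdev ingress` while every other new case uses `ip test-ip4 input`; strip the whitespace and use one family so the expected payload is uniform. The range cases are worth a comment too: `byteorder reg 1 = hton(reg 1, 4, 4)` shows the host-endian classid being converted before the gte/lte comparison, so the constants `0xdadaadbc`/`0xdcdaadbc` are byte-swapped on purpose.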
-- 
2.1.4



* [PATCH nft 10/10] parser_bison: redirect to :port for consistency with nat/masq statement
  2016-08-17 13:29 [PATCH nft 00/10 nft] syntax updates Pablo Neira Ayuso
                   ` (8 preceding siblings ...)
  2016-08-17 13:30 ` [PATCH nft 09/10] src: meta priority support using tc classid Pablo Neira Ayuso
@ 2016-08-17 13:30 ` Pablo Neira Ayuso
  9 siblings, 0 replies; 11+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 13:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

Use the colon port syntax for consistency with other statements.
Existing syntax is still preserved but the output displays the colon.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y                  |  9 +++++++++
 tests/py/ip/redirect.t              | 24 ++++++++++++------------
 tests/py/ip/redirect.t.payload      | 20 ++++++++++----------
 tests/py/ip6/redirect.t             | 18 +++++++++---------
 tests/py/ip6/redirect.t.payload.ip6 | 14 +++++++-------
 5 files changed, 47 insertions(+), 38 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index f4ce11d..8025415 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1701,6 +1701,10 @@ redir_stmt_arg		:	TO	stmt_expr
 			{
 				$<stmt>0->redir.proto = $2;
 			}
+			|	TO	COLON	stmt_expr
+			{
+				$<stmt>0->redir.proto = $3;
+			}
 			|	nf_nat_flags
 			{
 				$<stmt>0->redir.flags = $1;
@@ -1710,6 +1714,11 @@ redir_stmt_arg		:	TO	stmt_expr
 				$<stmt>0->redir.proto = $2;
 				$<stmt>0->redir.flags = $3;
 			}
+			|	TO	COLON	stmt_expr	nf_nat_flags
+			{
+				$<stmt>0->redir.proto = $3;
+				$<stmt>0->redir.flags = $4;
+			}
 			;
 
 dup_stmt		:	DUP	TO	stmt_expr
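Review bot: the four `redir_stmt_arg` alternatives now repeat the same two actions; a helper nonterminal such as `redir_port : stmt_expr | COLON stmt_expr` would halve them and keep the `nf_nat_flags` handling in one place. Since `TO stmt_expr` is kept, the grammar should also carry a comment saying the colon-less form is accepted only for compatibility, so nobody removes one of the pairs later by accident.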
diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t
index 7e205a9..f6ddfc0 100644
--- a/tests/py/ip/redirect.t
+++ b/tests/py/ip/redirect.t
@@ -18,19 +18,19 @@ udp dport 53 redirect persistent,fully-random;ok;udp dport 53 redirect fully-ran
 udp dport 53 redirect persistent,fully-random,random;ok;udp dport 53 redirect random,fully-random,persistent
 
 # port specification
-tcp dport 22 redirect to 22;ok
-udp dport 1234 redirect to 4321;ok
-ip daddr 172.16.0.1 udp dport 9998 redirect to 6515;ok
-tcp dport 39128 redirect to 993;ok
-ip protocol tcp redirect to 100-200;ok;ip protocol 6 redirect to 100-200
-redirect to 1234;fail
-redirect to 12341111;fail
+tcp dport 22 redirect to :22;ok
+udp dport 1234 redirect to :4321;ok
+ip daddr 172.16.0.1 udp dport 9998 redirect to :6515;ok
+tcp dport 39128 redirect to :993;ok
+ip protocol tcp redirect to :100-200;ok;ip protocol 6 redirect to :100-200
+redirect to :1234;fail
+redirect to :12341111;fail
 
 # both port and nf_nat flags
-tcp dport 9128 redirect to 993 random;ok
-tcp dport 9128 redirect to 993 fully-random;ok
-tcp dport 9128 redirect to 123 persistent;ok
-tcp dport 9128 redirect to 123 random,persistent;ok
+tcp dport 9128 redirect to :993 random;ok
+tcp dport 9128 redirect to :993 fully-random;ok
+tcp dport 9128 redirect to :123 persistent;ok
+tcp dport 9128 redirect to :123 random,persistent;ok
 
 # nf_nat flags is the last argument
 udp dport 1234 redirect random to 123;fail
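Review bot: the ordering failure case in the context, `udp dport 1234 redirect random to 123;fail` (and its ip6 counterpart `tcp dport 9128 redirect persistent to 123;fail`), is left in the old no-colon form; add the `to :123` variant so that the flags-must-come-last rule is also tested with the new syntax, otherwise the `fail` could be caused by the missing colon handling rather than the argument order.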
@@ -47,5 +47,5 @@ ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect;ok
 iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect;ok
 
 # redirect with maps
-ip protocol 6 redirect to tcp dport map { 22 : 8000, 80 : 8080};ok
+ip protocol 6 redirect to : tcp dport map { 22 : 8000, 80 : 8080};ok
 
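Review bot: the expected round-trip output `redirect to : tcp dport map { 22 : 8000, 80 : 8080}` has a space after the colon, whereas redir_stmt_print (statement.c hunk in 09/10) emits `" to :"` immediately followed by the expression, i.e. `redirect to :tcp dport map ...`; either the test harness normalises whitespace, in which case say so, or this case needs `to :tcp dport map` (or the printer needs the space) to pass.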
diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload
index e02a26d..dfb5a3b 100644
--- a/tests/py/ip/redirect.t.payload
+++ b/tests/py/ip/redirect.t.payload
@@ -86,7 +86,7 @@ ip test-ip4 output
   [ cmp eq reg 1 0x00003500 ]
   [ redir flags 0x1c ]
 
-# tcp dport 22 redirect to 22
+# tcp dport 22 redirect to :22
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -95,7 +95,7 @@ ip test-ip4 output
   [ immediate reg 1 0x00001600 ]
   [ redir proto_min reg 1 ]
 
-# udp dport 1234 redirect to 4321
+# udp dport 1234 redirect to :4321
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000011 ]
@@ -104,7 +104,7 @@ ip test-ip4 output
   [ immediate reg 1 0x0000e110 ]
   [ redir proto_min reg 1 ]
 
-# ip daddr 172.16.0.1 udp dport 9998 redirect to 6515
+# ip daddr 172.16.0.1 udp dport 9998 redirect to :6515
 ip test-ip4 output
   [ payload load 4b @ network header + 16 => reg 1 ]
   [ cmp eq reg 1 0x010010ac ]
@@ -115,7 +115,7 @@ ip test-ip4 output
   [ immediate reg 1 0x00007319 ]
   [ redir proto_min reg 1 ]
 
-# tcp dport 39128 redirect to 993
+# tcp dport 39128 redirect to :993
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -124,7 +124,7 @@ ip test-ip4 output
   [ immediate reg 1 0x0000e103 ]
   [ redir proto_min reg 1 ]
 
-# ip protocol tcp redirect to 100-200
+# ip protocol tcp redirect to :100-200
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -132,7 +132,7 @@ ip test-ip4 output
   [ immediate reg 2 0x0000c800 ]
   [ redir proto_min reg 1 proto_max reg 2 ]
 
-# tcp dport 9128 redirect to 993 random
+# tcp dport 9128 redirect to :993 random
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -141,7 +141,7 @@ ip test-ip4 output
   [ immediate reg 1 0x0000e103 ]
   [ redir proto_min reg 1 flags 0x4 ]
 
-# tcp dport 9128 redirect to 993 fully-random
+# tcp dport 9128 redirect to :993 fully-random
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -150,7 +150,7 @@ ip test-ip4 output
   [ immediate reg 1 0x0000e103 ]
   [ redir proto_min reg 1 flags 0x10 ]
 
-# tcp dport 9128 redirect to 123 persistent
+# tcp dport 9128 redirect to :123 persistent
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -159,7 +159,7 @@ ip test-ip4 output
   [ immediate reg 1 0x00007b00 ]
   [ redir proto_min reg 1 flags 0x8 ]
 
-# tcp dport 9128 redirect to 123 random,persistent
+# tcp dport 9128 redirect to :123 random,persistent
 ip test-ip4 output
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -207,7 +207,7 @@ ip test-ip4 output
   [ lookup reg 1 set __map%d dreg 0 ]
   [ redir ]
 
-# ip protocol 6 redirect to tcp dport map { 22 : 8000, 80 : 8080}
+# ip protocol 6 redirect to : tcp dport map { 22 : 8000, 80 : 8080}
 __map%d test-ip4 b
 __map%d test-ip4 0
         element 00001600  : 0000401f 0 [end]    element 00005000  : 0000901f 0 [end]
diff --git a/tests/py/ip6/redirect.t b/tests/py/ip6/redirect.t
index fca84e5..c5d939c 100644
--- a/tests/py/ip6/redirect.t
+++ b/tests/py/ip6/redirect.t
@@ -20,16 +20,16 @@ udp dport 53 redirect persistent,fully-random;ok;udp dport 53 redirect fully-ran
 udp dport 53 redirect persistent,fully-random,random;ok;udp dport 53 redirect random,fully-random,persistent
 
 # port specification
-udp dport 1234 redirect to 1234;ok
-ip6 daddr fe00::cafe udp dport 9998 redirect to 6515;ok
-ip6 nexthdr tcp redirect to 100-200;ok;ip6 nexthdr 6 redirect to 100-200
-tcp dport 39128 redirect to 993;ok
-redirect to 1234;fail
-redirect to 12341111;fail
+udp dport 1234 redirect to :1234;ok
+ip6 daddr fe00::cafe udp dport 9998 redirect to :6515;ok
+ip6 nexthdr tcp redirect to :100-200;ok;ip6 nexthdr 6 redirect to :100-200
+tcp dport 39128 redirect to :993;ok
+redirect to :1234;fail
+redirect to :12341111;fail
 
 # both port and nf_nat flags
-tcp dport 9128 redirect to 993 random;ok
-tcp dport 9128 redirect to 993 fully-random,persistent;ok
+tcp dport 9128 redirect to :993 random;ok
+tcp dport 9128 redirect to :993 fully-random,persistent;ok
 
 # nf_nat flags are the last argument
 tcp dport 9128 redirect persistent to 123;fail
@@ -46,4 +46,4 @@ ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 redirect;ok
 iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect;ok
 
 # redirect with maps
-ip6 nexthdr 6 redirect to tcp dport map { 22 : 8000, 80 : 8080};ok
+ip6 nexthdr 6 redirect to : tcp dport map { 22 : 8000, 80 : 8080};ok
diff --git a/tests/py/ip6/redirect.t.payload.ip6 b/tests/py/ip6/redirect.t.payload.ip6
index 80250ca..420e1f3 100644
--- a/tests/py/ip6/redirect.t.payload.ip6
+++ b/tests/py/ip6/redirect.t.payload.ip6
@@ -97,7 +97,7 @@ ip6 test-ip6 output
   [ cmp eq reg 1 0x00003500 ]
   [ redir flags 0x1c ]
 
-# udp dport 1234 redirect to 1234
+# udp dport 1234 redirect to :1234
 ip6 test-ip6 output
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000011 ]
@@ -106,7 +106,7 @@ ip6 test-ip6 output
   [ immediate reg 1 0x0000d204 ]
   [ redir proto_min reg 1 ]
 
-# ip6 daddr fe00::cafe udp dport 9998 redirect to 6515
+# ip6 daddr fe00::cafe udp dport 9998 redirect to :6515
 ip6 test-ip6 output
   [ payload load 16b @ network header + 24 => reg 1 ]
   [ cmp eq reg 1 0x000000fe 0x00000000 0x00000000 0xfeca0000 ]
@@ -117,7 +117,7 @@ ip6 test-ip6 output
   [ immediate reg 1 0x00007319 ]
   [ redir proto_min reg 1 ]
 
-# ip6 nexthdr tcp redirect to 100-200
+# ip6 nexthdr tcp redirect to :100-200
 ip6 test-ip6 output
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -125,7 +125,7 @@ ip6 test-ip6 output
   [ immediate reg 2 0x0000c800 ]
   [ redir proto_min reg 1 proto_max reg 2 ]
 
-# tcp dport 39128 redirect to 993
+# tcp dport 39128 redirect to :993
 ip6 test-ip6 output
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -134,7 +134,7 @@ ip6 test-ip6 output
   [ immediate reg 1 0x0000e103 ]
   [ redir proto_min reg 1 ]
 
-# tcp dport 9128 redirect to 993 random
+# tcp dport 9128 redirect to :993 random
 ip6 test-ip6 output
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -143,7 +143,7 @@ ip6 test-ip6 output
   [ immediate reg 1 0x0000e103 ]
   [ redir proto_min reg 1 flags 0x4 ]
 
-# tcp dport 9128 redirect to 993 fully-random,persistent
+# tcp dport 9128 redirect to :993 fully-random,persistent
 ip6 test-ip6 output
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -191,7 +191,7 @@ ip6 test-ip6 output
   [ lookup reg 1 set __map%d dreg 0 ]
   [ redir ]
 
-# ip6 nexthdr 6 redirect to tcp dport map { 22 : 8000, 80 : 8080}
+# ip6 nexthdr 6 redirect to : tcp dport map { 22 : 8000, 80 : 8080}
 __map%d test-ip6 b
 __map%d test-ip6 0
 	element 00001600  : 0000401f 0 [end]	element 00005000  : 0000901f 0 [end]
-- 
2.1.4


