From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH v2] libnftables: Store top_scope in struct nft_ctx
Date: Wed, 6 Nov 2019 13:40:17 +0100
Message-ID: <20191106124017.trvdxr4dylvigg5g@salvia>
In-Reply-To: <20191030212854.19494-1-phil@nwl.cc>
On Wed, Oct 30, 2019 at 10:28:54PM +0100, Phil Sutter wrote:
> Allow for interactive sessions to make use of defines. Since parser is
> initialized for each line, top scope defines didn't persist although
> they are actually useful for stuff like:
>
> | # nft -i
> | goodports = { 22, 23, 80, 443 }
^
'define' is missing here, right?
> | add rule inet t c tcp dport $goodports accept
> | add rule inet t c tcp sport $goodports accept
>
> Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
One more comment, possible follow up, just an idea.
> diff --git a/src/libnftables.c b/src/libnftables.c
> index e20372438db62..7c35e898d87ab 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -155,6 +155,8 @@ struct nft_ctx *nft_ctx_new(uint32_t flags)
> nft_ctx_add_include_path(ctx, DEFAULT_INCLUDE_PATH);
> ctx->parser_max_errors = 10;
> init_list_head(&ctx->cache.list);
> + ctx->top_scope = xzalloc(sizeof(struct scope));
> + init_list_head(&ctx->top_scope->symbols);
Probably add scope_alloc()
> ctx->flags = flags;
> ctx->output.output_fp = stdout;
> ctx->output.error_fp = stderr;
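Review bot: the new ctx->top_scope member is dereferenced here, yet the quoted patch carries no hunk for the struct nft_ctx definition, and the same goes for the changed parser_init() prototype used further down. If those header hunks were simply trimmed from the quote that is fine, but they need to land in the same commit, otherwise this step of the series does not build on its own.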
> @@ -292,6 +294,8 @@ void nft_ctx_free(struct nft_ctx *ctx)
> iface_cache_release();
> cache_release(&ctx->cache);
> nft_ctx_clear_include_paths(ctx);
> + scope_release(ctx->top_scope);
> + xfree(ctx->top_scope);
and scope_free().
> xfree(ctx->state);
> nft_exit(ctx);
> xfree(ctx);
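Review bot: moving scope_release() into nft_ctx_free() means symbols created with `define` now live for the whole lifetime of the context, i.e. across every buffer or file a library user runs through the same ctx, not only across the lines of one `nft -i` session. That is the intended effect for the CLI, but it is an observable behaviour change for libnftables consumers (a `define` in one buffer is visible in all later ones) and deserves a sentence in the library documentation; a way to reset the top scope without destroying the ctx may also be wanted.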
> @@ -368,7 +372,7 @@ static int nft_parse_bison_buffer(struct nft_ctx *nft, const char *buf,
> {
> int ret;
>
> - parser_init(nft, nft->state, msgs, cmds);
> + parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
> nft->scanner = scanner_init(nft->state);
> scanner_push_buffer(nft->scanner, &indesc_cmdline, buf);
>
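Review bot: parser_init() already receives `nft`, so handing it nft->top_scope as a separate fifth argument is redundant; either read nft->top_scope inside parser_init() or drop the `nft` parameter. Carrying both at this call site and the identical one in nft_parse_bison_filename() invites a future mismatch between the two.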
> @@ -384,7 +388,7 @@ static int nft_parse_bison_filename(struct nft_ctx *nft, const char *filename,
> {
> int ret;
>
> - parser_init(nft, nft->state, msgs, cmds);
> + parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
> nft->scanner = scanner_init(nft->state);
> if (scanner_read_file(nft, filename, &internal_location) < 0)
> return -1;
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index 7f9b1752f41d4..b73cf3bcfb209 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -42,13 +42,13 @@
> #include "parser_bison.h"
>
> void parser_init(struct nft_ctx *nft, struct parser_state *state,
> - struct list_head *msgs, struct list_head *cmds)
> + struct list_head *msgs, struct list_head *cmds,
> + struct scope *top_scope)
> {
> memset(state, 0, sizeof(*state));
> - init_list_head(&state->top_scope.symbols);
> state->msgs = msgs;
> state->cmds = cmds;
> - state->scopes[0] = scope_init(&state->top_scope, NULL);
> + state->scopes[0] = scope_init(top_scope, NULL);
> init_list_head(&state->indesc_list);
> }
>
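Review bot: parser_init() no longer initializes the symbols list, so it silently relies on the caller having run init_list_head() on the scope it passes in, which the signature does not convey; a comment on the function, or the scope_alloc() helper suggested above, would make that contract explicit. Since scope_init(top_scope, NULL) is now re-run on every parse while the scope itself persists, a parse that fails half way leaves whatever `define`s it already processed in the shared scope for later parses; worth deciding whether that is acceptable. If struct parser_state still carries its own top_scope member after this change, it is dead and should be removed.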
> diff --git a/tests/shell/testcases/nft-i/0001define_0 b/tests/shell/testcases/nft-i/0001define_0
> new file mode 100755
> index 0000000000000..62e1b6dede21d
> --- /dev/null
> +++ b/tests/shell/testcases/nft-i/0001define_0
> @@ -0,0 +1,22 @@
> +#!/bin/bash
> +
> +set -e
> +
> +# test if using defines in interactive nft sessions works
> +
> +$NFT -i >/dev/null <<EOF
> +add table inet t
> +add chain inet t c
> +define ports = { 22, 443 }
> +add rule inet t c tcp dport \$ports accept
> +add rule inet t c udp dport \$ports accept
> +EOF
> +
> +$NFT -i >/dev/null <<EOF
> +define port = 22
> +flush chain inet t c
> +redefine port = 443
> +delete chain inet t c
> +undefine port
> +delete table inet t
> +EOF
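Review bot: the second session only checks that `redefine port = 443` and `undefine port` do not error; nothing expands \$port after the redefine, and both sessions discard their output, so a regression that silently kept the old value or dropped the set would still pass. Add a rule referencing \$port after the redefine and compare `$NFT list ruleset` against the expected expansion (e.g. `tcp dport { 22, 443 }` for the first session) instead of relying on the exit status alone. Note also that the second session depends on the first having created table inet t and chain c, which works under set -e but makes the two halves order dependent.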
> --
> 2.23.0
>
Thread overview:
2019-10-30 21:28 [nft PATCH v2] libnftables: Store top_scope in struct nft_ctx Phil Sutter
2019-11-06 12:40 ` Pablo Neira Ayuso [this message]
2019-11-06 14:00 ` Phil Sutter
2019-11-06 14:00 Phil Sutter
2019-11-06 14:22 ` Phil Sutter
2019-11-07 9:41 ` Pablo Neira Ayuso