Netfilter-Devel Archive on lore.kernel.org
* [nft PATCH 1/2] doc: nft.8: Mention wildcard interface matching
@ 2020-02-06 11:38 Phil Sutter
  2020-02-06 11:38 ` [nft PATCH 2/2] scanner: Extend asteriskstring definition Phil Sutter
  0 siblings, 1 reply; 6+ messages in thread
From: Phil Sutter @ 2020-02-06 11:38 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Special meaning of asterisk in interface names wasn't described
anywhere.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 doc/primary-expression.txt | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 94eccc20241a2..b15df015e5484 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -36,6 +36,13 @@ add such a rule, it will stop matching if the interface gets renamed and it
 will match again in case interface gets deleted and later a new interface
 with the same name is created.
 
+Like with iptables, wildcard matching on interface name prefixes is available for
+*iifname* and *oifname* matches by appending an asterisk (*) character. Note
+however that unlike iptables, nftables does not accept interface names
+consisting of the wildcard character only - users are supposed to just skip
+those always matching expressions. In order to match on literal asterisk
+character at end of interface name, one may escape it using backslash (\).
+
 .Meta expression types
 [options="header"]
 |==================
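Review bot: the new paragraph documents only a trailing asterisk and says nothing about an asterisk anywhere else in the name, which 2/2 in this series changes the scanner to accept; since the review of 2/2 asks for the infix form to be escaped as well ({string}\\\*{string}), add a sentence saying that an asterisk elsewhere in a name must also be escaped and that there is no infix wildcard. The opening comparison can also mislead: 2/2's message states that an asterisk has no special meaning in iptables, so "Like with iptables" should say that only the prefix-matching idea carries over, not the character. Minor wording: "As with iptables" and "a literal asterisk character at the end of an interface name".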
-- 
2.24.1



* [nft PATCH 2/2] scanner: Extend asteriskstring definition
  2020-02-06 11:38 [nft PATCH 1/2] doc: nft.8: Mention wildcard interface matching Phil Sutter
@ 2020-02-06 11:38 ` Phil Sutter
  2020-02-07 17:31   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Phil Sutter @ 2020-02-06 11:38 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Accept sole escaped asterisks as well as unescaped asterisks if
surrounded by strings. The latter is merely cosmetic, but literal
asterisk will help when translating from iptables where asterisk has no
special meaning.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/scanner.l | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/scanner.l b/src/scanner.l
index 99ee83559d2eb..da9bacee23eb5 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -120,7 +120,7 @@ numberstring	({decstring}|{hexstring})
 letter		[a-zA-Z]
 string		({letter}|[_.])({letter}|{digit}|[/\-_\.])*
 quotedstring	\"[^"]*\"
-asteriskstring	({string}\*|{string}\\\*)
+asteriskstring	({string}\*|{string}\\\*|\\\*|{string}\*{string})
 comment		#.*$
 slash		\/
 
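Review bot: the fourth alternative, {string}\*{string}, accepts an unescaped mid-name asterisk and so quietly uses up the one spelling an infix wildcard would need later; requiring the escape instead, {string}\\\*{string}, keeps a bare '*' meaningful only as the trailing wildcard and makes the intent visible in the rule. Two limits of the rule as written are worth a line in the commit message or in 1/2's doc text: no alternative allows more than one asterisk, and none combines an escaped asterisk with a trailing wildcard (a\*b*), so translating such iptables names still fails at the scanner. The hunk also does not show where the backslash is stripped before the name is compared, so confirm that a sole \* really yields a one-character literal name rather than the two-character token.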
-- 
2.24.1



* Re: [nft PATCH 2/2] scanner: Extend asteriskstring definition
  2020-02-06 11:38 ` [nft PATCH 2/2] scanner: Extend asteriskstring definition Phil Sutter
@ 2020-02-07 17:31   ` Pablo Neira Ayuso
  2020-02-07 17:59     ` Phil Sutter
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-07 17:31 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Thu, Feb 06, 2020 at 12:38:28PM +0100, Phil Sutter wrote:
> Accept sole escaped asterisks as well as unescaped asterisks if
> surrounded by strings. The latter is merely cosmetic, but literal
> asterisk will help when translating from iptables where asterisk has no
> special meaning.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
>  src/scanner.l | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/scanner.l b/src/scanner.l
> index 99ee83559d2eb..da9bacee23eb5 100644
> --- a/src/scanner.l
> +++ b/src/scanner.l
> @@ -120,7 +120,7 @@ numberstring	({decstring}|{hexstring})
>  letter		[a-zA-Z]
>  string		({letter}|[_.])({letter}|{digit}|[/\-_\.])*
>  quotedstring	\"[^"]*\"
> -asteriskstring	({string}\*|{string}\\\*)
> +asteriskstring	({string}\*|{string}\\\*|\\\*|{string}\*{string})

Probably this:

        {string}\\\*{string})

instead of:

        {string}\*{string})

?

The escaping makes it probably clear that there is no support for
infix wildcard matching?

This asteriskstring rule falls under the string rule in bison.
This allows using \\\* for log messages too, and elsewhere.


* Re: [nft PATCH 2/2] scanner: Extend asteriskstring definition
  2020-02-07 17:31   ` Pablo Neira Ayuso
@ 2020-02-07 17:59     ` Phil Sutter
  2020-02-09 22:21       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Phil Sutter @ 2020-02-07 17:59 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

On Fri, Feb 07, 2020 at 06:31:40PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Feb 06, 2020 at 12:38:28PM +0100, Phil Sutter wrote:
> > Accept sole escaped asterisks as well as unescaped asterisks if
> > surrounded by strings. The latter is merely cosmetic, but literal
> > asterisk will help when translating from iptables where asterisk has no
> > special meaning.
> > 
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> >  src/scanner.l | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/src/scanner.l b/src/scanner.l
> > index 99ee83559d2eb..da9bacee23eb5 100644
> > --- a/src/scanner.l
> > +++ b/src/scanner.l
> > @@ -120,7 +120,7 @@ numberstring	({decstring}|{hexstring})
> >  letter		[a-zA-Z]
> >  string		({letter}|[_.])({letter}|{digit}|[/\-_\.])*
> >  quotedstring	\"[^"]*\"
> > -asteriskstring	({string}\*|{string}\\\*)
> > +asteriskstring	({string}\*|{string}\\\*|\\\*|{string}\*{string})
> 
> Probably this:
> 
>         {string}\\\*{string})
> 
> instead of:
> 
>         {string}\*{string})
> 
> ?
> 
> The escaping makes it probably clear that there is no support for
> infix wildcard matching?

Ah, you're right. I assumed it wasn't necessary to escape the asterisk
mid-string, but if we ever added support for infix wildcards (no matter
how unlikely) we would be in real trouble.

BTW: Given how confusing bison-generated error messages are, maybe I
should introduce "infixasteriskstring" in scanner.l to catch unescaped
infix asterisks and generate a readable error message from there?

> > This asteriskstring rule falls under the string rule in bison.
> > This allows using \\\* for log messages too, and elsewhere.

Ah, that's right. Good, bad, ugly? Just a "neutral remark" from you? :)

Thanks, Phil


* Re: [nft PATCH 2/2] scanner: Extend asteriskstring definition
  2020-02-07 17:59     ` Phil Sutter
@ 2020-02-09 22:21       ` Pablo Neira Ayuso
  2020-02-10 11:18         ` Phil Sutter
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-09 22:21 UTC (permalink / raw)
  To: Phil Sutter, netfilter-devel

On Fri, Feb 07, 2020 at 06:59:02PM +0100, Phil Sutter wrote:
> Hi Pablo,
> 
> On Fri, Feb 07, 2020 at 06:31:40PM +0100, Pablo Neira Ayuso wrote:
> > On Thu, Feb 06, 2020 at 12:38:28PM +0100, Phil Sutter wrote:
> > > Accept sole escaped asterisks as well as unescaped asterisks if
> > > surrounded by strings. The latter is merely cosmetic, but literal
> > > asterisk will help when translating from iptables where asterisk has no
> > > special meaning.
> > > 
> > > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > > ---
> > >  src/scanner.l | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/src/scanner.l b/src/scanner.l
> > > index 99ee83559d2eb..da9bacee23eb5 100644
> > > --- a/src/scanner.l
> > > +++ b/src/scanner.l
> > > @@ -120,7 +120,7 @@ numberstring	({decstring}|{hexstring})
> > >  letter		[a-zA-Z]
> > >  string		({letter}|[_.])({letter}|{digit}|[/\-_\.])*
> > >  quotedstring	\"[^"]*\"
> > > -asteriskstring	({string}\*|{string}\\\*)
> > > +asteriskstring	({string}\*|{string}\\\*|\\\*|{string}\*{string})
> > 
> > Probably this:
> > 
> >         {string}\\\*{string})
> > 
> > instead of:
> > 
> >         {string}\*{string})
> > 
> > ?
> > 
> > The escaping makes it probably clear that there is no support for
> > infix wildcard matching?
> 
> Ah, you're right. I assumed it wasn't necessary to escape the asterisk
> mid-string, but if we ever added support for infix wildcards (no matter
> how unlikely) we would be in real trouble.

Yes, I don't expect mid-string matching in the future, but you never
know, so better reserve this just in case :-)

> BTW: Given how confusing bison-generated error messages are, maybe I
> should introduce "infixasteriskstring" in scanner.l to catch unescaped
> infix asterisks and generate a readable error message from there?

bison syntax error reporting is not great, yes. If you think that
makes it easier for error reporting as a short term way to address the
issue, that's fine with me.

> > This asteriskstring rule falls under the string rule in bison.
> > This allows using \\\* for log messages too, and elsewhere.
> 
> Ah, that's right. Good, bad, ugly? Just a "neutral remark" from you? :)

Just a remark, no issue.


* Re: [nft PATCH 2/2] scanner: Extend asteriskstring definition
  2020-02-09 22:21       ` Pablo Neira Ayuso
@ 2020-02-10 11:18         ` Phil Sutter
  0 siblings, 0 replies; 6+ messages in thread
From: Phil Sutter @ 2020-02-10 11:18 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

On Sun, Feb 09, 2020 at 11:21:43PM +0100, Pablo Neira Ayuso wrote:
[...]
> Yes, I don't expect mid-string matching in the future, but you never
> know, so better reserve this just in case :-)

DONE, please see v2 I just sent.

> > BTW: Given how confusing bison-generated error messages are, maybe I
> > should introduce "infixasteriskstring" in scanner.l to catch unescaped
> > infix asterisks and generate a readable error message from there?
> 
> bison syntax error reporting is not great, yes. If you think that
> makes it easier for error reporting as a short term way to address the
> issue, that's fine with me.

Tried, but it didn't go well - proper error reporting is best put into
parser_bison, but there one can't complain about a mid-string asterisk
"anywhere", only in defined places. So elsewhere the then-known token
will make error messages even more confusing.

Cheers, Phil

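The following is an added example, not code from nftables or from anyone in this thread. It models the two things the series discusses: the interface-name rules from the doc patch in 1/2 (a trailing unescaped asterisk is a prefix wildcard, a backslash-escaped asterisk is literal, a sole asterisk is rejected) and the asteriskstring scanner rule from 2/2 in the form the review settled on, with the infix asterisk escaped as {string}\\\*{string}. It also carries out the iptables translation the 2/2 message mentions, using the fact from iptables(8) that a trailing '+' is the iptables prefix wildcard while '*' is an ordinary character there. Assumptions: scanner.l defines {digit} as [0-9] (the quoted hunk does not show that definition), and the function names below are the example's own.

```python
import re
from typing import Optional, Tuple

# Added example, not nftables code: a model of the interface-name wildcard
# rules from the doc patch and of the asteriskstring scanner rule as revised
# in review (escaped infix asterisk).
# Assumption: scanner.l defines {digit} as [0-9]; the quoted hunk does not show it.
LETTER = r"[a-zA-Z]"
DIGIT = r"[0-9]"
# string  ({letter}|[_.])({letter}|{digit}|[/\-_\.])*
STRING = rf"(?:{LETTER}|[_.])(?:{LETTER}|{DIGIT}|[/\-_.])*"
# asteriskstring with the infix form written {string}\\\*{string}, so that a
# bare mid-name '*' is rejected by the scanner and stays reserved.
ASTERISKSTRING = rf"(?:{STRING}\*|{STRING}\\\*|\\\*|{STRING}\\\*{STRING})"
STRING_RE = re.compile(STRING)
ASTERISKSTRING_RE = re.compile(ASTERISKSTRING)


def classify(token: str) -> Optional[str]:
    """Name the scanner rule the whole token satisfies, or None if neither."""
    if ASTERISKSTRING_RE.fullmatch(token):
        return "asteriskstring"
    if STRING_RE.fullmatch(token):
        return "string"
    return None


def parse_ifname_pattern(pattern: str) -> Tuple[str, bool]:
    """Split an iifname/oifname operand into (literal text, prefix wildcard?).

    A trailing unescaped '*' turns the rest into a prefix; '\\*' stands for a
    literal asterisk; a sole '*' (or a bare infix '*') is not a valid token
    and is rejected here, as the reviewed scanner rule rejects it.
    """
    if classify(pattern) is None:
        raise ValueError(f"not a valid nft interface name token: {pattern!r}")
    wildcard = pattern.endswith("*") and not pattern.endswith("\\*")
    if wildcard:
        pattern = pattern[:-1]
    return pattern.replace("\\*", "*"), wildcard


def ifname_matches(pattern: str, ifname: str) -> bool:
    """Apply an nft interface-name operand to an actual interface name."""
    literal, wildcard = parse_ifname_pattern(pattern)
    return ifname.startswith(literal) if wildcard else ifname == literal


def iptables_to_nft_ifname(name: str) -> str:
    """Translate an iptables -i/-o operand into an nft iifname/oifname token.

    iptables(8) uses a trailing '+' as its prefix wildcard and treats '*' as an
    ordinary character; nft does the opposite, so '+' becomes '*' and each
    literal '*' is escaped. Names the reviewed scanner rule cannot express
    (several asterisks, or an escaped asterisk followed by a wildcard) raise.
    """
    if name == "+":
        raise ValueError("iptables '+' alone matches every interface; drop the match")
    original = name
    wildcard = name.endswith("+")
    if wildcard:
        name = name[:-1]
    token = name.replace("*", "\\*") + ("*" if wildcard else "")
    if classify(token) is None:
        raise ValueError(f"no nft spelling for iptables interface {original!r}")
    return token


if __name__ == "__main__":
    # Constructed sample operands, not taken from a real ruleset.
    for pat, dev in [("eth*", "eth0"), ("eth\\*", "eth*"), ("eth\\*", "eth0")]:
        print(f"{pat:8} vs {dev:6} -> {ifname_matches(pat, dev)}")
    for ipt in ["eth+", "eth*", "eth0"]:
        print(f"iptables -i {ipt:5} -> nft iifname {iptables_to_nft_ifname(ipt)}")
```

Running the block shows `eth*` matching `eth0` by prefix, `eth\*` matching only an interface literally named `eth*`, and `eth+` from iptables becoming `eth*` while iptables' `eth*` becomes `eth\*`. Whether nft applies the same rules inside a double-quoted string, or how it strips the backslash before handing the name to the kernel, is outside what this thread shows and is deliberately not modelled.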
