* [PATCH 0/2] nftables: removal of secmark and shortened meta expressions
@ 2014-01-15 11:16 Patrick McHardy
  2014-01-15 11:16 ` [PATCH 1/2] expr: remove secmark from ct and meta expression Patrick McHardy
  2014-01-15 11:16 ` [PATCH 2/2] meta: don't require "meta" keyword for a subset of meta expressions Patrick McHardy
  0 siblings, 2 replies; 3+ messages in thread
From: Patrick McHardy @ 2014-01-15 11:16 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

These patches remove the secmark from the ct and meta expressions, since
userspace should use the secctx, and change the nftables grammar to accept
a subset of meta expressions without the meta keyword for a more natural
look.

Unless there are objections, I'll push those patches to master shortly.


* [PATCH 1/2] expr: remove secmark from ct and meta expression
  2014-01-15 11:16 [PATCH 0/2] nftables: removal of secmark and shortened meta expressions Patrick McHardy
@ 2014-01-15 11:16 ` Patrick McHardy
  2014-01-15 11:16 ` [PATCH 2/2] meta: don't require "meta" keyword for a subset of meta expressions Patrick McHardy
  1 sibling, 0 replies; 3+ messages in thread
From: Patrick McHardy @ 2014-01-15 11:16 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

The secctx should be used instead of the secmark. Remove for now.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 src/ct.c      | 3 ---
 src/meta.c    | 2 --
 src/parser.y  | 3 ---
 src/scanner.l | 1 -
 4 files changed, 9 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index b8f7632..f893df9 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -104,9 +104,6 @@ static const struct ct_template ct_templates[] = {
 	[NFT_CT_MARK]		= CT_TEMPLATE("mark",	    &mark_type,
 					      BYTEORDER_HOST_ENDIAN,
 					      4 * BITS_PER_BYTE),
-	[NFT_CT_SECMARK]	= CT_TEMPLATE("secmark",    &integer_type,
-					      BYTEORDER_HOST_ENDIAN,
-					      4 * BITS_PER_BYTE),
 	[NFT_CT_EXPIRATION]	= CT_TEMPLATE("expiration", &time_type,
 					      BYTEORDER_HOST_ENDIAN,
 					      4 * BITS_PER_BYTE),
diff --git a/src/meta.c b/src/meta.c
index d7b024b..6d42525 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -331,8 +331,6 @@ static const struct meta_template meta_templates[] = {
 						1    , BYTEORDER_HOST_ENDIAN),
 	[NFT_META_RTCLASSID]	= META_TEMPLATE("rtclassid", &realm_type,
 						4 * 8, BYTEORDER_HOST_ENDIAN),
-	[NFT_META_SECMARK]	= META_TEMPLATE("secmark",   &integer_type,
-						4 * 8, BYTEORDER_HOST_ENDIAN),
 };
 
 static void meta_expr_print(const struct expr *expr)
diff --git a/src/parser.y b/src/parser.y
index 7c18875..2e5f6c1 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -294,7 +294,6 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token SKGID			"skgid"
 %token NFTRACE			"nftrace"
 %token RTCLASSID		"rtclassid"
-%token SECMARK			"secmark"
 
 %token CT			"ct"
 %token DIRECTION		"direction"
@@ -1393,7 +1392,6 @@ meta_key		:	LENGTH		{ $$ = NFT_META_LEN; }
 			|	SKGID		{ $$ = NFT_META_SKGID; }
 			|	NFTRACE		{ $$ = NFT_META_NFTRACE; }
 			|	RTCLASSID	{ $$ = NFT_META_RTCLASSID; }
-			|	SECMARK		{ $$ = NFT_META_SECMARK; }
 			;
 
 meta_stmt		:	META	meta_key	SET	expr
@@ -1412,7 +1410,6 @@ ct_key			:	STATE		{ $$ = NFT_CT_STATE; }
 			|	DIRECTION	{ $$ = NFT_CT_DIRECTION; }
 			|	STATUS		{ $$ = NFT_CT_STATUS; }
 			|	MARK		{ $$ = NFT_CT_MARK; }
-			|	SECMARK		{ $$ = NFT_CT_SECMARK; }
 			|	EXPIRATION	{ $$ = NFT_CT_EXPIRATION; }
 			|	HELPER		{ $$ = NFT_CT_HELPER; }
 			|	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
diff --git a/src/scanner.l b/src/scanner.l
index 0b8abac..e813140 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -384,7 +384,6 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "skgid"			{ return SKGID; }
 "nftrace"		{ return NFTRACE; }
 "rtclassid"		{ return RTCLASSID; }
-"secmark"		{ return SECMARK; }
 
 "ct"			{ return CT; }
 "direction"		{ return DIRECTION; }
-- 
1.8.4.2



* [PATCH 2/2] meta: don't require "meta" keyword for a subset of meta expressions
  2014-01-15 11:16 [PATCH 0/2] nftables: removal of secmark and shortened meta expressions Patrick McHardy
  2014-01-15 11:16 ` [PATCH 1/2] expr: remove secmark from ct and meta expression Patrick McHardy
@ 2014-01-15 11:16 ` Patrick McHardy
  1 sibling, 0 replies; 3+ messages in thread
From: Patrick McHardy @ 2014-01-15 11:16 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

Don't require the meta keyword for mark, iif, oif, iifname, oifname,
skuid, skgid, nftrace, rtclassid and secmark.

The protocol and length types still need the meta keyword to avoid
grammar conflicts.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 src/meta.c   | 13 ++++++++++++-
 src/parser.y | 20 +++++++++++++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/meta.c b/src/meta.c
index 6d42525..098728b 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -335,7 +335,18 @@ static const struct meta_template meta_templates[] = {
 
 static void meta_expr_print(const struct expr *expr)
 {
-	printf("meta %s", meta_templates[expr->meta.key].token);
+	switch (expr->meta.key) {
+	case NFT_META_LEN:
+	case NFT_META_NFPROTO:
+	case NFT_META_L4PROTO:
+	case NFT_META_PROTOCOL:
+	case NFT_META_PRIORITY:
+		printf("meta %s", meta_templates[expr->meta.key].token);
+		break;
+	default:
+		printf("%s", meta_templates[expr->meta.key].token);
+		break;
+	}
 }
 
 static void meta_expr_clone(struct expr *new, const struct expr *expr)
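Review bot: The lookup `meta_templates[expr->meta.key].token` is unchecked in both branches of the new switch, and the `default` branch now handles every key not listed, including a key with no table entry. Patch 1/2 of this series drops the `NFT_META_SECMARK` entry, which was the last initializer in the table, so the array presumably now ends at `NFT_META_RTCLASSID`. An expression carrying a key beyond that (for example one read back from the kernel, if the key is not validated earlier, which is not visible here) would index past the array or hand a NULL token to `printf`. A guard before the switch, such as `if (expr->meta.key >= sizeof(meta_templates) / sizeof(meta_templates[0]) || !meta_templates[expr->meta.key].token)` followed by a fallback that prints the numeric key, would keep ruleset listing well-defined for unknown keys.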
diff --git a/src/parser.y b/src/parser.y
index 2e5f6c1..632970b 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -463,7 +463,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 
 %type <expr>			meta_expr
 %destructor { expr_free($$); }	meta_expr
-%type <val>			meta_key
+%type <val>			meta_key	meta_key_qualified	meta_key_unqualified
 
 %type <expr>			ct_expr
 %destructor { expr_free($$); }	ct_expr
@@ -1374,14 +1374,24 @@ meta_expr		:	META	meta_key
 			{
 				$$ = meta_expr_alloc(&@$, $2);
 			}
+			|	meta_key_unqualified
+			{
+				$$ = meta_expr_alloc(&@$, $1);
+			}
+			;
+
+meta_key		:	meta_key_qualified
+			|	meta_key_unqualified
 			;
 
-meta_key		:	LENGTH		{ $$ = NFT_META_LEN; }
+meta_key_qualified	:	LENGTH		{ $$ = NFT_META_LEN; }
 			|	NFPROTO		{ $$ = NFT_META_NFPROTO; }
 			|	L4PROTO		{ $$ = NFT_META_L4PROTO; }
 			|	PROTOCOL	{ $$ = NFT_META_PROTOCOL; }
 			|	PRIORITY	{ $$ = NFT_META_PRIORITY; }
-			|	MARK		{ $$ = NFT_META_MARK; }
+			;
+
+meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
 			|	IIF		{ $$ = NFT_META_IIF; }
 			|	IIFNAME		{ $$ = NFT_META_IIFNAME; }
 			|	IIFTYPE		{ $$ = NFT_META_IIFTYPE; }
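Review bot: Nothing records why `meta_key_qualified` holds exactly these five keys, nor that the same list is repeated as `case` labels in `meta_expr_print()` in src/meta.c. If the two lists drift apart, printed rules may gain a `meta` prefix that was not intended or lose one the grammar still requires, and listed output may then fail to parse back. A comment above the rule would help, e.g. `/* Keys that need the "meta" prefix to avoid grammar conflicts; keep in sync with meta_expr_print() */`. The `meta_key_unqualified` rule continues outside this hunk.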
@@ -1398,6 +1408,10 @@ meta_stmt		:	META	meta_key	SET	expr
 			{
 				$$ = meta_stmt_alloc(&@$, $2, $4);
 			}
+			|	meta_key_unqualified	SET	expr
+			{
+				$$ = meta_stmt_alloc(&@$, $1, $3);
+			}
 			;
 
 ct_expr			:	CT	ct_key
-- 
1.8.4.2


