[PATCH nft 1/2] parser_bison: update flow table syntax

[PATCH nft 1/2] parser_bison: update flow table syntax

[Pablo Neira Ayuso]

Before we release next nft version, update the syntax to wrap the flow
table definition between brackets, eg.

 # nft add rule filter input tcp dport 22 ct state new \
	flow table ssh { ip saddr limit rate 10/second }

 # nft add rule filter input \
        flow table acct { iif . ip saddr timeout 60s counter }

When playing around with this in your initial patchset I found very
confusing that it may not look obvious to users that they can only use
one single statement.

For example:

 # nft add rule filter input \
        flow table acct iif . ip saddr timeout 60s counter limit rate 10/second
                                                           ~~~~~~~~~~~~~~~~~~~~

Note that this limit rate applies globally, so this patch resolves this
ambiguity.

This may cause us problems in the future too if we extend this to
support more than one single statement per flowtable entry (Not
telling we need this now, but if someone comes up with a useful
usecase, we should be capable of extending this).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 12 ++++++------
 src/statement.c    |  2 ++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 8a7785b..76cf65c 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1765,17 +1765,17 @@ set_stmt_op		:	ADD	{ $$ = NFT_DYNSET_OP_ADD; }
 			|	UPDATE	{ $$ = NFT_DYNSET_OP_UPDATE; }
 			;
 
-flow_stmt		:	flow_stmt_alloc		flow_stmt_opts	flow_key_expr	stmt
+flow_stmt		:	flow_stmt_alloc		flow_stmt_opts	'{' flow_key_expr stmt '}'
 			{
-				$1->flow.key  = $3;
-				$1->flow.stmt = $4;
+				$1->flow.key  = $4;
+				$1->flow.stmt = $5;
 				$$->location  = @$;
 				$$ = $1;
 			}
-			|	flow_stmt_alloc		flow_key_expr	stmt
+			|	flow_stmt_alloc		'{' flow_key_expr stmt '}'
 			{
-				$1->flow.key  = $2;
-				$1->flow.stmt = $3;
+				$1->flow.key  = $3;
+				$1->flow.stmt = $4;
 				$$->location  = @$;
 				$$ = $1;
 			}
diff --git a/src/statement.c b/src/statement.c
index 988cfeb..76f528b 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -112,9 +112,11 @@ static void flow_stmt_print(const struct stmt *stmt)
 		expr_print(stmt->flow.set);
 		printf(" ");
 	}
+	printf("{ ");
 	expr_print(stmt->flow.key);
 	printf(" ");
 	stmt_print(stmt->flow.stmt);
+	printf("} ");
 }
 
 static void flow_stmt_destroy(struct stmt *stmt)
-- 
2.1.4

[PATCH nft 2/2] include: constify nlexpr field in location structure

[Pablo Neira Ayuso]

The location shouldn't ever alter the expression.

And this fixes this compilation warning:

netlink_delinearize.c: In function ‘netlink_parse_expr’:
netlink_delinearize.c:1008:10: warning: assignment discards ‘const’ qualifier from pointer target type
  loc.nle = nle;
          ^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/nftables.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/nftables.h b/include/nftables.h
index cf19de8..d3f471b 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -52,7 +52,7 @@ struct location {
 			unsigned int		last_column;
 		};
 		struct {
-			void			*nle;
+			const void		*nle;
 		};
 	};
 };
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html