From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: Martin Gignac <martin.gignac@gmail.com>,
netfilter@vger.kernel.org,
netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: Unable to create a chain called "trace"
Date: Tue, 9 Feb 2021 14:56:25 +0100 [thread overview]
Message-ID: <20210209135625.GN3158@orbyte.nwl.cc> (raw)
In-Reply-To: <20210208171444.GH16570@breakpoint.cc>
[-- Attachment #1: Type: text/plain, Size: 1176 bytes --]
Hi,
On Mon, Feb 08, 2021 at 06:14:44PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > In general, shells eating the quotes is problematic and users may not be
> > aware of it. This includes scripts that mangle ruleset dumps by
> > accident, etc. (Not sure if it is really a problem as we quote some
> > strings already).
> >
> > Using JSON, there are no such limits, BTW. I really wonder if there's
> > really no fix for bison parser to make it "context aware".
>
> Right. We can probably make lots of keywords available for table/chain names
> by only recognizing them while parsing rules, i.e. via 'start conditions'
> in flex. But I don't think there is anyone with the time to do the
> needed scanner changes.
Oh, I wasn't aware of start conditions at all, thanks for the pointer.
Instead of reducing most keywords' scope to rule context, I tried a less
intrusive approach, namely recognizing "only strings plus some extra" in
certain conditions. See attached patch for reference. With it in place,
I was at least able to:
# nft add table inet table
# nft add chain inet table chain
# nft add rule inet table chain iifname rule
Cheers, Phil
[-- Attachment #2: nftables_start_condition.diff --]
[-- Type: text/plain, Size: 3954 bytes --]
diff --git a/src/scanner.l b/src/scanner.l
index 8bde1fbe912d8..c873cb7c1d226 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -107,6 +107,8 @@ static void reset_pos(struct parser_state *state, struct location *loc)
extern int yyget_column(yyscan_t);
extern void yyset_column(int, yyscan_t);
+static int nspec;
+
%}
space [ ]
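Review bot: `nspec` is declared at file scope, but the neighbouring declarations (`yyget_column(yyscan_t)`, `yyset_column(int, yyscan_t)`) indicate a reentrant scanner whose start condition is kept per `yyscan_t`. A single static counter is shared by every scanner instance and survives a failed parse, so it can disagree with the start condition of the instance that is actually running. Consider keeping the counter in the per-scanner state reached through `yyget_extra(yyscanner)`, for example a field such as `unsigned int spec_left;` in `struct parser_state` (its definition is not visible in this diff), and clearing it where the scanner is set up.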
@@ -194,6 +196,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option nodefault
%option warn
+%x spec
+
%%
"==" { return EQ; }
@@ -250,19 +254,19 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"hook" { return HOOK; }
"device" { return DEVICE; }
"devices" { return DEVICES; }
-"table" { return TABLE; }
+"table" { BEGIN(spec); nspec = 1; return TABLE; }
"tables" { return TABLES; }
-"chain" { return CHAIN; }
+"chain" { BEGIN(spec); nspec = 2; return CHAIN; }
"chains" { return CHAINS; }
-"rule" { return RULE; }
+"rule" { BEGIN(spec); nspec = 2; return RULE; }
"rules" { return RULES; }
"sets" { return SETS; }
-"set" { return SET; }
+"set" { BEGIN(spec); nspec = 2; return SET; }
"element" { return ELEMENT; }
-"map" { return MAP; }
+"map" { BEGIN(spec); nspec = 2; return MAP; }
"maps" { return MAPS; }
"flowtable" { return FLOWTABLE; }
-"handle" { return HANDLE; }
+<*>"handle" { return HANDLE; }
"ruleset" { return RULESET; }
"trace" { return TRACE; }
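Review bot: Entering the exclusive `spec` condition on every `"set"` and `"map"` token looks too broad, because these rules fire wherever the word appears, not only where an object name follows. nft also uses `set` inside statements (e.g. `meta mark set 1 accept`); as far as the visible rules show, the next `nspec` words would then come back as NUM/STRING instead of keywords, and any input whose rule is not marked `<*>` falls through to `<*>.` and becomes JUNK. The same concern applies to `"iifname"`/`"oifname"` in the `@@ -512` hunk when they are followed by a quoted name, a comparison operator or a `{` set, unless those rules (not visible here) are also active in `spec`. For a firewall ruleset parser, input that loaded before should not start being rejected, so I would leave `"set" { return SET; }` and `"map" { return MAP; }` unchanged until the parser can tell the scanner it is in a name position, and add regression cases for the statement forms.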
@@ -280,8 +284,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"return" { return RETURN; }
"to" { return TO; }
-"inet" { return INET; }
-"netdev" { return NETDEV; }
+<*>"inet" { return INET; }
+<*>"netdev" { return NETDEV; }
"add" { return ADD; }
"replace" { return REPLACE; }
@@ -380,7 +384,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"nh" { return NETWORK_HDR; }
"th" { return TRANSPORT_HDR; }
-"bridge" { return BRIDGE; }
+<*>"bridge" { return BRIDGE; }
"ether" { return ETHER; }
"saddr" { return SADDR; }
@@ -400,7 +404,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"plen" { return PLEN; }
"operation" { return OPERATION; }
-"ip" { return IP; }
+<*>"ip" { return IP; }
"version" { return HDRVERSION; }
"hdrlength" { return HDRLENGTH; }
"dscp" { return DSCP; }
@@ -451,7 +455,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"igmp" { return IGMP; }
"mrt" { return MRT; }
-"ip6" { return IP6; }
+<*>"ip6" { return IP6; }
"priority" { return PRIORITY; }
"flowlabel" { return FLOWLABEL; }
"nexthdr" { return NEXTHDR; }
@@ -512,10 +516,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"meta" { return META; }
"mark" { return MARK; }
"iif" { return IIF; }
-"iifname" { return IIFNAME; }
+"iifname" { BEGIN(spec); nspec = 1; return IIFNAME; }
"iiftype" { return IIFTYPE; }
"oif" { return OIF; }
-"oifname" { return OIFNAME; }
+"oifname" { BEGIN(spec); nspec = 1; return OIFNAME; }
"oiftype" { return OIFTYPE; }
"skuid" { return SKUID; }
"skgid" { return SKGID; }
@@ -613,7 +617,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
return STRING;
}
-{numberstring} {
+<*>{numberstring} {
+ if (nspec && !--nspec)
+ BEGIN(0);
errno = 0;
yylval->val = strtoull(yytext, NULL, 0);
if (errno != 0) {
@@ -639,7 +645,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
return ASTERISK_STRING;
}
-{string} {
+<*>{string} {
+ if (nspec && !--nspec)
+ BEGIN(0);
yylval->string = xstrdup(yytext);
return STRING;
}
@@ -648,23 +656,23 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
reset_pos(yyget_extra(yyscanner), yylloc);
}
-{newline} {
+<*>{newline} {
reset_pos(yyget_extra(yyscanner), yylloc);
return NEWLINE;
}
-{tab}+
-{space}+
-{comment}
+<*>{tab}+
+<*>{space}+
+<*>{comment}
-<<EOF>> {
+<*><<EOF>> {
update_pos(yyget_extra(yyscanner), yylloc, 1);
scanner_pop_buffer(yyscanner);
if (YY_CURRENT_BUFFER == NULL)
return TOKEN_EOF;
}
-. { return JUNK; }
+<*>. { return JUNK; }
%%
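Review bot: The newline and `<<EOF>>` rules become reachable in `spec`, but neither clears `nspec` nor returns to the initial condition, so a command that ends before the expected names arrive (e.g. `list table` followed by a newline) appears to leave the scanner in `spec` for the first word of the next line. Resetting in the `<*>{newline}` action with `nspec = 0; BEGIN(INITIAL);` ahead of the `reset_pos(...)` call would bound the condition to one line, and the same two statements fit the `<<EOF>>` action; whether any valid syntax splits an object spec across lines should be checked first. `BEGIN(INITIAL)` is also the clearer spelling of the `BEGIN(0)` used in the `{numberstring}` and `{string}` rules.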