From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 0/6] scanner rework part 1
Date: Mon,  8 Mar 2021 18:18:31 +0100
Message-ID: <20210308171837.8542-1-fw@strlen.de>

This is the initial batch of patches to rework the nft scanner.
This adds a start condition stack and moves a few expressions to
use start conditions.

This first batch only comes with inclusive start conditions, i.e.
the rules in INITIAL scope are still recognized; the only change is that
the tokens moved to per-expression start conditions disappear from the
INITIAL scope.

For example, after this series 'chain mod' is no longer a syntax error
because the MOD token isn't part of the initial scope anymore.

The next set of patches (not included here) adds start conditions for ip, ip6, arp,
ether and makes saddr/daddr recognized as STRING unless part of a
'ip/ip6 ...' expression.

The plan is to introduce exclusive scopes to deal with table/chain
names, i.e. 'TABLE' and 'CHAIN' keywords switch nft into a mode where
all default rules are disabled.

This will then allow handling really weird rulesets like

table ip chain {
	chain netdev {
		meta iifname saddr ip saddr 1.2.3.4 ...
	}

and so on.

Main motivation is to avoid breakage of existing rulesets, e.g.

table inet filter {
	chain vid {

... when a future version of nft adds a 'vid' token.

Another effect is that this reduces the need for workarounds such as
'parser: allow classid as set key' and other workarounds that needed to
(re-)enable keywords in STRING context.


Florian Westphal (6):
  scanner: remove unused tokens
  scanner: introduce start condition stack
  scanner: queue: move to own scope
  scanner: ipsec: move to own scope
  scanner: rt: move to own scope
  scanner: socket: move to own scope

 include/parser.h   | 12 +++++++
 src/parser_bison.y | 41 +++++++++++-----------
 src/scanner.l      | 86 ++++++++++++++++++++++++++++++----------------
 3 files changed, 89 insertions(+), 50 deletions(-)

-- 
2.26.2
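As an added illustration (not part of this series or of the nft source), a minimal flex scanner with two inclusive start conditions and a start-condition stack, in the spirit of the rework described above: the queue and rt keywords are only keywords while their scope is on top of the stack and otherwise scan as plain STRING, while the INITIAL rules keep matching inside a scope. The token names, the scopes and the pop-at-newline rule are assumptions for this demo (nft pops the scope from parser actions instead); the file is assumed to be saved as demo.l.

```lex
%{
/* Added example (not nft code): two inclusive start conditions and a
 * start-condition stack, mirroring the rework described in the cover
 * letter.  Token names, scopes and the pop-at-newline rule are assumed.
 *
 * %s declares INCLUSIVE conditions: rules with no <...> prefix (the
 * INITIAL rules) keep matching while QUEUE or RT is on top of the
 * stack, but the <QUEUE>/<RT> keywords are invisible from INITIAL and
 * from each other, so "chain bypass" scans bypass as a plain STRING. */
#include <stdio.h>
%}
%option noyywrap nodefault stack
%s QUEUE RT

%%
"queue"                 { yy_push_state(QUEUE); printf("QUEUE "); }
"rt"                    { yy_push_state(RT);    printf("RT "); }
"chain"                 { printf("CHAIN "); }
<QUEUE>"bypass"         { printf("BYPASS "); }
<QUEUE>"fanout"         { printf("FANOUT "); }
<RT>"nexthop"           { printf("NEXTHOP "); }
<RT>"classid"           { printf("CLASSID "); }
[0-9]+                  { printf("NUM(%s) ", yytext); }
[A-Za-z_][A-Za-z0-9_]*  { printf("STRING(%s) ", yytext); }
<QUEUE,RT>\n            { yy_pop_state(); printf("\n"); /* leave scope */ }
\n                      { printf("\n"); }
[ \t]+                  { /* skip blanks */ }
.                       { printf("?(%s) ", yytext); }
%%

int main(void)
{
    /* Constructed sample: "bypass" is a keyword only inside the queue scope. */
    yy_scan_string("queue bypass 1\nrt nexthop bypass\nchain bypass\n");
    yylex();
    return 0;
}
```

Build with `flex demo.l && cc lex.yy.c -o demo && ./demo`; the first bypass is emitted as BYPASS, the later two (inside rt and after chain) come out as STRING because the queue scope is not active there.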
