[PATCH nft 0/6] scanner rework part 1

[PATCH nft 0/6] scanner rework part 1

[Florian Westphal]

This is the initial batch of patches to rework the nft scanner.
This adds a start condition stack and moves a few expressions to
use start conditions.

This first batch only comes with inclusive start conditions, i.e.
the rules in INITIAL scope are still recognized; the only change is that
the tokens moved to per-expression start conditions disappear from the
INITIAL scope.

For example, after this series 'chain mod' is no longer a syntax error
because the MOD token isn't part of the initial scope anymore.

The next set of patches (not included here) adds start conditions for ip, ip6, arp,
ether and makes saddr/daddr recognized as STRING unless part of a
'ip/ip6 ...' expression.

The plan is to introduce exclusive scopes to deal with table/chain
names, i.e. 'TABLE' and 'CHAIN' keywords switch nft into a mode where
all default rules are disabled.

This will then allow to handle really weird rulesets like

table ip chain {
	chain netdev {
		meta iifname saddr ip saddr 1.2.3.4 ...
	}

and so on.

Main motivation is to avoid breakage of existing rulesets, e.g.

table inet filter {
	chain vid {

... when a future version of nft adds a 'vid' token.

Another effect is that this reduces the need for workarounds like e.g.
'parser: allow classid as set key' and other workarounds that needed to
(re-) enable keywords in STRING context.


Florian Westphal (6):
  scanner: remove unused tokens
  scanner: introduce start condition stack
  scanner: queue: move to own scope
  scanner: ipsec: move to own scope
  scanner: rt: move to own scope
  scanner: socket: move to own scope

 include/parser.h   | 12 +++++++
 src/parser_bison.y | 41 +++++++++++-----------
 src/scanner.l      | 86 ++++++++++++++++++++++++++++++----------------
 3 files changed, 89 insertions(+), 50 deletions(-)

-- 
2.26.2

[PATCH nft 1/6] scanner: remove unused tokens

[Florian Westphal]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/parser_bison.y | 6 ------
 src/scanner.l      | 6 ------
 2 files changed, 12 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index bfb181747ca1..abfcccc4a021 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -511,9 +511,6 @@ int nft_lex(void *, void *, void *);
 %token SECMARK			"secmark"
 %token SECMARKS			"secmarks"
 
-%token NANOSECOND		"nanosecond"
-%token MICROSECOND		"microsecond"
-%token MILLISECOND		"millisecond"
 %token SECOND			"second"
 %token MINUTE			"minute"
 %token HOUR			"hour"
@@ -565,11 +562,8 @@ int nft_lex(void *, void *, void *);
 %token EXTHDR			"exthdr"
 
 %token IPSEC		"ipsec"
-%token MODE			"mode"
 %token REQID		"reqid"
 %token SPNUM		"spnum"
-%token TRANSPORT	"transport"
-%token TUNNEL		"tunnel"
 
 %token IN			"in"
 %token OUT			"out"
diff --git a/src/scanner.l b/src/scanner.l
index 8bde1fbe912d..1da3b5e0628c 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -355,9 +355,6 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "quota"			{ return QUOTA; }
 "used"			{ return USED; }
 
-"nanosecond"		{ return NANOSECOND; }
-"microsecond"		{ return MICROSECOND; }
-"millisecond"		{ return MILLISECOND; }
 "second"		{ return SECOND; }
 "minute"		{ return MINUTE; }
 "hour"			{ return HOUR; }
@@ -585,11 +582,8 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "exthdr"		{ return EXTHDR; }
 
 "ipsec"			{ return IPSEC; }
-"mode"			{ return MODE; }
 "reqid"			{ return REQID; }
 "spnum"			{ return SPNUM; }
-"transport"		{ return TRANSPORT; }
-"tunnel"		{ return TUNNEL; }
 
 "in"			{ return IN; }
 "out"			{ return OUT; }
-- 
2.26.2

[PATCH nft 2/6] scanner: introduce start condition stack

[Florian Westphal]

Add a small initial chunk of flex start conditionals.

This starts with two low-hanging fruits, numgen and j/symhash.

NUMGEN and HASH start conditions are entered from flex when
the corresponding expression token is encountered.

Flex returns to the INIT condition when the bison parser
has seen a complete numgen/hash statement.

This intentionally uses a stack rather than BEGIN()
to eventually support nested states.

The scanner_pop_start_cond() function argument is not used yet, but
will need to be used later to deal with nesting.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  8 ++++++++
 src/parser_bison.y | 11 +++++++----
 src/scanner.l      | 36 +++++++++++++++++++++++++++++-------
 3 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 9baa3a4db789..b2ebd7aa226c 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -26,6 +26,12 @@ struct parser_state {
 	struct list_head		*cmds;
 };
 
+enum startcond_type {
+	PARSER_SC_BEGIN,
+	PARSER_SC_EXPR_HASH,
+	PARSER_SC_EXPR_NUMGEN,
+};
+
 struct mnl_socket;
 
 extern void parser_init(struct nft_ctx *nft, struct parser_state *state,
@@ -45,4 +51,6 @@ extern void scanner_push_buffer(void *scanner,
 				const struct input_descriptor *indesc,
 				const char *buffer);
 
+extern void scanner_pop_start_cond(void *scanner, enum startcond_type sc);
+
 #endif /* NFTABLES_PARSER_H */
diff --git a/src/parser_bison.y b/src/parser_bison.y
index abfcccc4a021..1ac4dbe43c84 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -861,6 +861,9 @@ opt_newline		:	NEWLINE
 		 	|	/* empty */
 			;
 
+close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+
 common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
 			{
 				if (scanner_include_file(nft, scanner, $2, &@$) < 0) {
@@ -4811,7 +4814,7 @@ numgen_type		:	INC		{ $$ = NFT_NG_INCREMENTAL; }
 			|	RANDOM		{ $$ = NFT_NG_RANDOM; }
 			;
 
-numgen_expr		:	NUMGEN	numgen_type	MOD	NUM	offset_opt
+numgen_expr		:	NUMGEN	numgen_type	MOD	NUM	offset_opt	close_scope_numgen
 			{
 				$$ = numgen_expr_alloc(&@$, $2, $4, $5);
 			}
@@ -4868,17 +4871,17 @@ xfrm_expr		:	IPSEC	xfrm_dir	xfrm_spnum	xfrm_state_key
 			}
 			;
 
-hash_expr		:	JHASH		expr	MOD	NUM	SEED	NUM	offset_opt
+hash_expr		:	JHASH		expr	MOD	NUM	SEED	NUM	offset_opt	close_scope_hash
 			{
 				$$ = hash_expr_alloc(&@$, $4, true, $6, $7, NFT_HASH_JENKINS);
 				$$->hash.expr = $2;
 			}
-			|	JHASH		expr	MOD	NUM	offset_opt
+			|	JHASH		expr	MOD	NUM	offset_opt	close_scope_hash
 			{
 				$$ = hash_expr_alloc(&@$, $4, false, 0, $5, NFT_HASH_JENKINS);
 				$$->hash.expr = $2;
 			}
-			|	SYMHASH		MOD	NUM	offset_opt
+			|	SYMHASH		MOD	NUM	offset_opt	close_scope_hash
 			{
 				$$ = hash_expr_alloc(&@$, $3, false, 0, $4, NFT_HASH_SYM);
 			}
diff --git a/src/scanner.l b/src/scanner.l
index 1da3b5e0628c..94225c296a3b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -98,6 +98,8 @@ static void reset_pos(struct parser_state *state, struct location *loc)
 	state->indesc->column		= 1;
 }
 
+static void scanner_push_start_cond(void *scanner, enum startcond_type type);
+
 #define YY_USER_ACTION {					\
 	update_pos(yyget_extra(yyscanner), yylloc, yyleng);	\
 	update_offset(yyget_extra(yyscanner), yylloc, yyleng);	\
@@ -193,6 +195,9 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option yylineno
 %option nodefault
 %option warn
+%option stack
+%s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_NUMGEN
 
 %%
 
@@ -548,15 +553,21 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "state"			{ return STATE; }
 "status"		{ return STATUS; }
 
-"numgen"		{ return NUMGEN; }
-"inc"			{ return INC; }
-"mod"			{ return MOD; }
-"offset"		{ return OFFSET; }
+"numgen"		{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }
+<SCANSTATE_EXPR_NUMGEN>{
+	"inc"		{ return INC; }
+}
 
-"jhash"			{ return JHASH; }
-"symhash"		{ return SYMHASH; }
-"seed"			{ return SEED; }
+"jhash"			{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return JHASH; }
+"symhash"		{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return SYMHASH; }
 
+<SCANSTATE_EXPR_HASH>{
+	"seed"		{ return SEED; }
+}
+<SCANSTATE_EXPR_HASH,SCANSTATE_EXPR_NUMGEN>{
+	"mod"		{ return MOD; }
+	"offset"	{ return OFFSET; }
+}
 "dup"			{ return DUP; }
 "fwd"			{ return FWD; }
 
@@ -967,3 +978,14 @@ void scanner_destroy(struct nft_ctx *nft)
 	input_descriptor_list_destroy(state);
 	yylex_destroy(nft->scanner);
 }
+
+static void scanner_push_start_cond(void *scanner, enum startcond_type type)
+{
+	yy_push_state((int)type, scanner);
+}
+
+void scanner_pop_start_cond(void *scanner, enum startcond_type t)
+{
+	yy_pop_state(scanner);
+	(void)yy_top_state(scanner); /* suppress gcc warning wrt. unused function */
+}
-- 
2.26.2

[PATCH nft 3/6] scanner: queue: move to own scope

[Florian Westphal]

allows to remove 3 queue specific keywords from INITIAL scope.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y |  5 +++--
 src/scanner.l      | 12 +++++++-----
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index b2ebd7aa226c..c3a85a4cf4c2 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -30,6 +30,7 @@ enum startcond_type {
 	PARSER_SC_BEGIN,
 	PARSER_SC_EXPR_HASH,
 	PARSER_SC_EXPR_NUMGEN,
+	PARSER_SC_EXPR_QUEUE,
 };
 
 struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 1ac4dbe43c84..423dddfc2c6d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -863,6 +863,7 @@ opt_newline		:	NEWLINE
 
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
 
 common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
 			{
@@ -3635,8 +3636,8 @@ nf_nat_flag		:	RANDOM		{ $$ = NF_NAT_RANGE_PROTO_RANDOM; }
 			|	PERSISTENT 	{ $$ = NF_NAT_RANGE_PERSISTENT; }
 			;
 
-queue_stmt		:	queue_stmt_alloc
-			|	queue_stmt_alloc	queue_stmt_args
+queue_stmt		:	queue_stmt_alloc	close_scope_queue
+			|	queue_stmt_alloc	queue_stmt_args	close_scope_queue
 			;
 
 queue_stmt_alloc	:	QUEUE
diff --git a/src/scanner.l b/src/scanner.l
index 94225c296a3b..893364b7b9e7 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -198,6 +198,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option stack
 %s SCANSTATE_EXPR_HASH
 %s SCANSTATE_EXPR_NUMGEN
+%s SCANSTATE_EXPR_QUEUE
 
 %%
 
@@ -346,11 +347,12 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "queue-threshold"	{ return QUEUE_THRESHOLD; }
 "level"			{ return LEVEL; }
 
-"queue"			{ return QUEUE;}
-"num"			{ return QUEUENUM;}
-"bypass"		{ return BYPASS;}
-"fanout"		{ return FANOUT;}
-
+"queue"			{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;}
+<SCANSTATE_EXPR_QUEUE>{
+	"num"		{ return QUEUENUM;}
+	"bypass"	{ return BYPASS;}
+	"fanout"	{ return FANOUT;}
+}
 "limit"			{ return LIMIT; }
 "rate"			{ return RATE; }
 "burst"			{ return BURST; }
-- 
2.26.2

[PATCH nft 4/6] scanner: ipsec: move to own scope

[Florian Westphal]

... and hide the ipsec specific tokens from the INITITAL scope.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y |  9 +++++----
 src/scanner.l      | 13 ++++++++-----
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index c3a85a4cf4c2..001698db259b 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -29,6 +29,7 @@ struct parser_state {
 enum startcond_type {
 	PARSER_SC_BEGIN,
 	PARSER_SC_EXPR_HASH,
+	PARSER_SC_EXPR_IPSEC,
 	PARSER_SC_EXPR_NUMGEN,
 	PARSER_SC_EXPR_QUEUE,
 };
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 423dddfc2c6d..83d78a23b2ac 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ opt_newline		:	NEWLINE
 			;
 
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
 
@@ -4738,7 +4739,7 @@ meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
 			|       IIFGROUP	{ $$ = NFT_META_IIFGROUP; }
 			|       OIFGROUP	{ $$ = NFT_META_OIFGROUP; }
 			|       CGROUP		{ $$ = NFT_META_CGROUP; }
-			|       IPSEC		{ $$ = NFT_META_SECPATH; }
+			|       IPSEC	close_scope_ipsec { $$ = NFT_META_SECPATH; }
 			|       TIME		{ $$ = NFT_META_TIME_NS; }
 			|       DAY		{ $$ = NFT_META_TIME_DAY; }
 			|       HOUR		{ $$ = NFT_META_TIME_HOUR; }
@@ -4837,7 +4838,7 @@ xfrm_state_proto_key	:	DADDR		{ $$ = NFT_XFRM_KEY_DADDR_IP4; }
 			|	SADDR		{ $$ = NFT_XFRM_KEY_SADDR_IP4; }
 			;
 
-xfrm_expr		:	IPSEC	xfrm_dir	xfrm_spnum	xfrm_state_key
+xfrm_expr		:	IPSEC	xfrm_dir	xfrm_spnum	xfrm_state_key	close_scope_ipsec
 			{
 				if ($3 > 255) {
 					erec_queue(error(&@3, "value too large"), state->msgs);
@@ -4845,7 +4846,7 @@ xfrm_expr		:	IPSEC	xfrm_dir	xfrm_spnum	xfrm_state_key
 				}
 				$$ = xfrm_expr_alloc(&@$, $2, $3, $4);
 			}
-			|	IPSEC	xfrm_dir	xfrm_spnum	nf_key_proto	xfrm_state_proto_key
+			|	IPSEC	xfrm_dir	xfrm_spnum	nf_key_proto	xfrm_state_proto_key	close_scope_ipsec
 			{
 				enum nft_xfrm_keys xfrmk = $5;
 
@@ -4919,7 +4920,7 @@ rt_expr			:	RT	rt_key
 rt_key			:	CLASSID		{ $$ = NFT_RT_CLASSID; }
 			|	NEXTHOP		{ $$ = NFT_RT_NEXTHOP4; }
 			|	MTU		{ $$ = NFT_RT_TCPMSS; }
-			|	IPSEC		{ $$ = NFT_RT_XFRM; }
+			|	IPSEC	close_scope_ipsec { $$ = NFT_RT_XFRM; }
 			;
 
 ct_expr			: 	CT	ct_key
diff --git a/src/scanner.l b/src/scanner.l
index 893364b7b9e7..cf3d7d52b4c5 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option warn
 %option stack
 %s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_IPSEC
 %s SCANSTATE_EXPR_NUMGEN
 %s SCANSTATE_EXPR_QUEUE
 
@@ -594,12 +595,14 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
 "exthdr"		{ return EXTHDR; }
 
-"ipsec"			{ return IPSEC; }
-"reqid"			{ return REQID; }
-"spnum"			{ return SPNUM; }
+"ipsec"			{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_IPSEC); return IPSEC; }
+<SCANSTATE_EXPR_IPSEC>{
+	"reqid"			{ return REQID; }
+	"spnum"			{ return SPNUM; }
 
-"in"			{ return IN; }
-"out"			{ return OUT; }
+	"in"			{ return IN; }
+	"out"			{ return OUT; }
+}
 
 "secmark"		{ return SECMARK; }
 "secmarks"		{ return SECMARKS; }
-- 
2.26.2

[PATCH nft 5/6] scanner: rt: move to own scope

[Florian Westphal]

classid and nexthop can be moved out of INIT scope.
Rest are still needed because tehy are used by other expressions as
well.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   | 1 +
 src/parser_bison.y | 7 ++++---
 src/scanner.l      | 9 ++++++---
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 001698db259b..2cdccaf5fb3d 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -32,6 +32,7 @@ enum startcond_type {
 	PARSER_SC_EXPR_IPSEC,
 	PARSER_SC_EXPR_NUMGEN,
 	PARSER_SC_EXPR_QUEUE,
+	PARSER_SC_EXPR_RT,
 };
 
 struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 83d78a23b2ac..0f4d51ad30bc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -865,6 +865,7 @@ close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH);
 close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
+close_scope_rt		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
 
 common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
 			{
@@ -4893,11 +4894,11 @@ nf_key_proto		:	IP		{ $$ = NFPROTO_IPV4; }
 			|	IP6		{ $$ = NFPROTO_IPV6; }
 			;
 
-rt_expr			:	RT	rt_key
+rt_expr			:	RT	rt_key	close_scope_rt
 			{
 				$$ = rt_expr_alloc(&@$, $2, true);
 			}
-			|	RT	nf_key_proto	rt_key
+			|	RT	nf_key_proto	rt_key	close_scope_rt
 			{
 				enum nft_rt_keys rtk = $3;
 
@@ -5391,7 +5392,7 @@ hbh_hdr_field		:	NEXTHDR		{ $$ = HBHHDR_NEXTHDR; }
 			|	HDRLENGTH	{ $$ = HBHHDR_HDRLENGTH; }
 			;
 
-rt_hdr_expr		:	RT	rt_hdr_field
+rt_hdr_expr		:	RT	rt_hdr_field	close_scope_rt
 			{
 				$$ = exthdr_expr_alloc(&@$, &exthdr_rt, $2);
 			}
diff --git a/src/scanner.l b/src/scanner.l
index cf3d7d52b4c5..faf180ca4701 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -200,6 +200,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_EXPR_IPSEC
 %s SCANSTATE_EXPR_NUMGEN
 %s SCANSTATE_EXPR_QUEUE
+%s SCANSTATE_EXPR_RT
 
 %%
 
@@ -494,7 +495,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "sctp"			{ return SCTP; }
 "vtag"			{ return VTAG; }
 
-"rt"			{ return RT; }
+"rt"			{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT; }
 "rt0"			{ return RT0; }
 "rt2"			{ return RT2; }
 "srh"			{ return RT4; }
@@ -536,8 +537,10 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "oifgroup"		{ return OIFGROUP; }
 "cgroup"		{ return CGROUP; }
 
-"classid"		{ return CLASSID; }
-"nexthop"		{ return NEXTHOP; }
+<SCANSTATE_EXPR_RT>{
+	"classid"		{ return CLASSID; }
+	"nexthop"		{ return NEXTHOP; }
+}
 
 "ct"			{ return CT; }
 "l3proto"		{ return L3PROTOCOL; }
-- 
2.26.2

[PATCH nft 6/6] scanner: socket: move to own scope

[Florian Westphal]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y |  3 ++-
 src/scanner.l      | 10 ++++++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 2cdccaf5fb3d..fd5006d35c0d 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -33,6 +33,7 @@ enum startcond_type {
 	PARSER_SC_EXPR_NUMGEN,
 	PARSER_SC_EXPR_QUEUE,
 	PARSER_SC_EXPR_RT,
+	PARSER_SC_EXPR_SOCKET,
 };
 
 struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 0f4d51ad30bc..2a8ac215a284 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -866,6 +866,7 @@ close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC)
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
 close_scope_rt		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
+close_scope_socket	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
 
 common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
 			{
@@ -4798,7 +4799,7 @@ meta_stmt		:	META	meta_key	SET	stmt_expr
 			}
 			;
 
-socket_expr		:	SOCKET	socket_key
+socket_expr		:	SOCKET	socket_key	close_scope_socket
 			{
 				$$ = socket_expr_alloc(&@$, $2);
 			}
diff --git a/src/scanner.l b/src/scanner.l
index faf180ca4701..6a909e928bf4 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -201,6 +201,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_EXPR_NUMGEN
 %s SCANSTATE_EXPR_QUEUE
 %s SCANSTATE_EXPR_RT
+%s SCANSTATE_EXPR_SOCKET
 
 %%
 
@@ -274,10 +275,11 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "ruleset"		{ return RULESET; }
 "trace"			{ return TRACE; }
 
-"socket"		{ return SOCKET; }
-"transparent"		{ return TRANSPARENT; }
-"wildcard"		{ return WILDCARD; }
-
+"socket"		{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_SOCKET); return SOCKET; }
+<SCANSTATE_EXPR_SOCKET>{
+	"transparent"		{ return TRANSPARENT; }
+	"wildcard"		{ return WILDCARD; }
+}
 "tproxy"		{ return TPROXY; }
 
 "accept"		{ return ACCEPT; }
-- 
2.26.2