* [PATCH nft 0/6] scanner rework part 1
From: Florian Westphal @ 2021-03-08 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This is the initial batch of patches to rework the nft scanner.
This adds a start condition stack and moves a few expressions to
use start conditions.
This first batch only comes with inclusive start conditions, i.e.
the rules in INITIAL scope are still recognized; the only change is that
the tokens moved to per-expression start conditions disappear from the
INITIAL scope.
For example, after this series 'chain mod' is no longer a syntax error
because the MOD token isn't part of the initial scope anymore.
The next set of patches (not included here) adds start conditions for ip, ip6, arp,
ether and makes saddr/daddr recognized as STRING unless part of a
'ip/ip6 ...' expression.
The plan is to introduce exclusive scopes to deal with table/chain
names, i.e. 'TABLE' and 'CHAIN' keywords switch nft into a mode where
all default rules are disabled.
This will then allow handling really weird rulesets like
  table ip chain {
    chain netdev {
      meta iifname saddr ip saddr 1.2.3.4 ...
    }
and so on.
Main motivation is to avoid breakage of existing rulesets, e.g.
  table inet filter {
    chain vid {
... when a future version of nft adds a 'vid' token.
Another effect is that this reduces the need for workarounds like e.g.
'parser: allow classid as set key' and other workarounds that needed to
(re-)enable keywords in STRING context.
Florian Westphal (6):
scanner: remove unused tokens
scanner: introduce start condition stack
scanner: queue: move to own scope
scanner: ipsec: move to own scope
scanner: rt: move to own scope
scanner: socket: move to own scope
include/parser.h | 12 +++++++
src/parser_bison.y | 41 +++++++++++-----------
src/scanner.l | 86 ++++++++++++++++++++++++++++++----------------
3 files changed, 89 insertions(+), 50 deletions(-)
--
2.26.2
* [PATCH nft 1/6] scanner: remove unused tokens
From: Florian Westphal @ 2021-03-08 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/parser_bison.y | 6 ------
src/scanner.l | 6 ------
2 files changed, 12 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index bfb181747ca1..abfcccc4a021 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -511,9 +511,6 @@ int nft_lex(void *, void *, void *);
%token SECMARK "secmark"
%token SECMARKS "secmarks"
-%token NANOSECOND "nanosecond"
-%token MICROSECOND "microsecond"
-%token MILLISECOND "millisecond"
%token SECOND "second"
%token MINUTE "minute"
%token HOUR "hour"
@@ -565,11 +562,8 @@ int nft_lex(void *, void *, void *);
%token EXTHDR "exthdr"
%token IPSEC "ipsec"
-%token MODE "mode"
%token REQID "reqid"
%token SPNUM "spnum"
-%token TRANSPORT "transport"
-%token TUNNEL "tunnel"
%token IN "in"
%token OUT "out"
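Review bot: the removal of MODE, TRANSPORT and TUNNEL next to IPSEC (and of the sub-second units in the hunk above) comes with no commit body, so the log does not say how "unused" was established. A sentence stating that no grammar rule references these tokens, and that the matching scanner.l rules are dropped in the same patch so the words are no longer returned as keywords, would make the user-visible effect explicit.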
diff --git a/src/scanner.l b/src/scanner.l
index 8bde1fbe912d..1da3b5e0628c 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -355,9 +355,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"quota" { return QUOTA; }
"used" { return USED; }
-"nanosecond" { return NANOSECOND; }
-"microsecond" { return MICROSECOND; }
-"millisecond" { return MILLISECOND; }
"second" { return SECOND; }
"minute" { return MINUTE; }
"hour" { return HOUR; }
@@ -585,11 +582,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"exthdr" { return EXTHDR; }
"ipsec" { return IPSEC; }
-"mode" { return MODE; }
"reqid" { return REQID; }
"spnum" { return SPNUM; }
-"transport" { return TRANSPORT; }
-"tunnel" { return TUNNEL; }
"in" { return IN; }
"out" { return OUT; }
--
2.26.2
* [PATCH nft 2/6] scanner: introduce start condition stack
From: Florian Westphal @ 2021-03-08 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Add a small initial chunk of flex start conditionals.
This starts with two low-hanging fruits, numgen and j/symhash.
NUMGEN and HASH start conditions are entered from flex when
the corresponding expression token is encountered.
Flex returns to the INIT condition when the bison parser
has seen a complete numgen/hash statement.
This intentionally uses a stack rather than BEGIN()
to eventually support nested states.
The scanner_pop_start_cond() function argument is not used yet, but
will need to be used later to deal with nesting.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 8 ++++++++
src/parser_bison.y | 11 +++++++----
src/scanner.l | 36 +++++++++++++++++++++++++++++-------
3 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 9baa3a4db789..b2ebd7aa226c 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -26,6 +26,12 @@ struct parser_state {
struct list_head *cmds;
};
+enum startcond_type {
+ PARSER_SC_BEGIN,
+ PARSER_SC_EXPR_HASH,
+ PARSER_SC_EXPR_NUMGEN,
+};
+
struct mnl_socket;
extern void parser_init(struct nft_ctx *nft, struct parser_state *state,
@@ -45,4 +51,6 @@ extern void scanner_push_buffer(void *scanner,
const struct input_descriptor *indesc,
const char *buffer);
+extern void scanner_pop_start_cond(void *scanner, enum startcond_type sc);
+
#endif /* NFTABLES_PARSER_H */
diff --git a/src/parser_bison.y b/src/parser_bison.y
index abfcccc4a021..1ac4dbe43c84 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -861,6 +861,9 @@ opt_newline : NEWLINE
| /* empty */
;
+close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+
common_block : INCLUDE QUOTED_STRING stmt_separator
{
if (scanner_include_file(nft, scanner, $2, &@$) < 0) {
@@ -4811,7 +4814,7 @@ numgen_type : INC { $$ = NFT_NG_INCREMENTAL; }
| RANDOM { $$ = NFT_NG_RANDOM; }
;
-numgen_expr : NUMGEN numgen_type MOD NUM offset_opt
+numgen_expr : NUMGEN numgen_type MOD NUM offset_opt close_scope_numgen
{
$$ = numgen_expr_alloc(&@$, $2, $4, $5);
}
@@ -4868,17 +4871,17 @@ xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key
}
;
-hash_expr : JHASH expr MOD NUM SEED NUM offset_opt
+hash_expr : JHASH expr MOD NUM SEED NUM offset_opt close_scope_hash
{
$$ = hash_expr_alloc(&@$, $4, true, $6, $7, NFT_HASH_JENKINS);
$$->hash.expr = $2;
}
- | JHASH expr MOD NUM offset_opt
+ | JHASH expr MOD NUM offset_opt close_scope_hash
{
$$ = hash_expr_alloc(&@$, $4, false, 0, $5, NFT_HASH_JENKINS);
$$->hash.expr = $2;
}
- | SYMHASH MOD NUM offset_opt
+ | SYMHASH MOD NUM offset_opt close_scope_hash
{
$$ = hash_expr_alloc(&@$, $3, false, 0, $4, NFT_HASH_SYM);
}
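Review bot: in all three hash_expr alternatives the pop happens only when close_scope_hash is reduced at the very end of the rule, so a syntax error anywhere between JHASH/SYMHASH and that point leaves SCANSTATE_EXPR_HASH on the stack. What resets the start-condition stack when parsing of a command fails and the same scanner goes on to read more input? If nothing does, the error path should put the scanner back into its initial state.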
diff --git a/src/scanner.l b/src/scanner.l
index 1da3b5e0628c..94225c296a3b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -98,6 +98,8 @@ static void reset_pos(struct parser_state *state, struct location *loc)
state->indesc->column = 1;
}
+static void scanner_push_start_cond(void *scanner, enum startcond_type type);
+
#define YY_USER_ACTION { \
update_pos(yyget_extra(yyscanner), yylloc, yyleng); \
update_offset(yyget_extra(yyscanner), yylloc, yyleng); \
@@ -193,6 +195,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option yylineno
%option nodefault
%option warn
+%option stack
+%s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_NUMGEN
%%
@@ -548,15 +553,21 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"state" { return STATE; }
"status" { return STATUS; }
-"numgen" { return NUMGEN; }
-"inc" { return INC; }
-"mod" { return MOD; }
-"offset" { return OFFSET; }
+"numgen" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }
+<SCANSTATE_EXPR_NUMGEN>{
+ "inc" { return INC; }
+}
-"jhash" { return JHASH; }
-"symhash" { return SYMHASH; }
-"seed" { return SEED; }
+"jhash" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return JHASH; }
+"symhash" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return SYMHASH; }
+<SCANSTATE_EXPR_HASH>{
+ "seed" { return SEED; }
+}
+<SCANSTATE_EXPR_HASH,SCANSTATE_EXPR_NUMGEN>{
+ "mod" { return MOD; }
+ "offset" { return OFFSET; }
+}
"dup" { return DUP; }
"fwd" { return FWD; }
@@ -967,3 +978,14 @@ void scanner_destroy(struct nft_ctx *nft)
input_descriptor_list_destroy(state);
yylex_destroy(nft->scanner);
}
+
+static void scanner_push_start_cond(void *scanner, enum startcond_type type)
+{
+ yy_push_state((int)type, scanner);
+}
+
+void scanner_pop_start_cond(void *scanner, enum startcond_type t)
+{
+ yy_pop_state(scanner);
+ (void)yy_top_state(scanner); /* suppress gcc warning wrt. unused function */
+}
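Review bot: scanner_push_start_cond() is declared with enum startcond_type, yet the callers added in this patch pass the flex-generated SCANSTATE_EXPR_* conditions and the body casts the value to int for yy_push_state(), while scanner_pop_start_cond() is called with PARSER_SC_* values. Taking an int in the push helper, or passing PARSER_SC_* consistently, would avoid mixing two sets of constants under one enum type. The (void)yy_top_state() call only silences a warning; once the pop argument is used, comparing it with the state being left would also catch an unbalanced push/pop.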
--
2.26.2
* [PATCH nft 3/6] scanner: queue: move to own scope
From: Florian Westphal @ 2021-03-08 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Allows removing 3 queue-specific keywords from INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 5 +++--
src/scanner.l | 12 +++++++-----
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index b2ebd7aa226c..c3a85a4cf4c2 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -30,6 +30,7 @@ enum startcond_type {
PARSER_SC_BEGIN,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_NUMGEN,
+ PARSER_SC_EXPR_QUEUE,
};
struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 1ac4dbe43c84..423dddfc2c6d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -863,6 +863,7 @@ opt_newline : NEWLINE
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
common_block : INCLUDE QUOTED_STRING stmt_separator
{
@@ -3635,8 +3636,8 @@ nf_nat_flag : RANDOM { $$ = NF_NAT_RANGE_PROTO_RANDOM; }
| PERSISTENT { $$ = NF_NAT_RANGE_PERSISTENT; }
;
-queue_stmt : queue_stmt_alloc
- | queue_stmt_alloc queue_stmt_args
+queue_stmt : queue_stmt_alloc close_scope_queue
+ | queue_stmt_alloc queue_stmt_args close_scope_queue
;
queue_stmt_alloc : QUEUE
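Review bot: both queue_stmt alternatives start with queue_stmt_alloc, so the parser has to read one more token before it can decide between reducing close_scope_queue and starting queue_stmt_args. That token is therefore scanned while SCANSTATE_EXPR_QUEUE is still active, and a word such as 'num', 'bypass' or 'fanout' directly after a bare 'queue' statement is returned as a keyword rather than a string. With inclusive conditions this is no worse than before the patch, but it deserves a comment here because the same late pop will matter for the exclusive scopes announced in the cover letter.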
diff --git a/src/scanner.l b/src/scanner.l
index 94225c296a3b..893364b7b9e7 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -198,6 +198,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option stack
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_NUMGEN
+%s SCANSTATE_EXPR_QUEUE
%%
@@ -346,11 +347,12 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"queue-threshold" { return QUEUE_THRESHOLD; }
"level" { return LEVEL; }
-"queue" { return QUEUE;}
-"num" { return QUEUENUM;}
-"bypass" { return BYPASS;}
-"fanout" { return FANOUT;}
-
+"queue" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;}
+<SCANSTATE_EXPR_QUEUE>{
+ "num" { return QUEUENUM;}
+ "bypass" { return BYPASS;}
+ "fanout" { return FANOUT;}
+}
"limit" { return LIMIT; }
"rate" { return RATE; }
"burst" { return BURST; }
--
2.26.2
* [PATCH nft 4/6] scanner: ipsec: move to own scope
From: Florian Westphal @ 2021-03-08 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
... and hide the ipsec specific tokens from the INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 9 +++++----
src/scanner.l | 13 ++++++++-----
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index c3a85a4cf4c2..001698db259b 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -29,6 +29,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
PARSER_SC_EXPR_HASH,
+ PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
PARSER_SC_EXPR_QUEUE,
};
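Review bot: PARSER_SC_EXPR_IPSEC is inserted between PARSER_SC_EXPR_HASH and PARSER_SC_EXPR_NUMGEN, which changes the numeric values of the existing NUMGEN and QUEUE enumerators. That is harmless while scanner_pop_start_cond() ignores its argument, and the scanner.l hunk of this patch inserts %s SCANSTATE_EXPR_IPSEC at the same position, but nothing enforces that pairing. A comment on the enum saying it must mirror the order of the %s declarations would help whoever adds the next scope.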
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 423dddfc2c6d..83d78a23b2ac 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ opt_newline : NEWLINE
;
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
@@ -4738,7 +4739,7 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
| IIFGROUP { $$ = NFT_META_IIFGROUP; }
| OIFGROUP { $$ = NFT_META_OIFGROUP; }
| CGROUP { $$ = NFT_META_CGROUP; }
- | IPSEC { $$ = NFT_META_SECPATH; }
+ | IPSEC close_scope_ipsec { $$ = NFT_META_SECPATH; }
| TIME { $$ = NFT_META_TIME_NS; }
| DAY { $$ = NFT_META_TIME_DAY; }
| HOUR { $$ = NFT_META_TIME_HOUR; }
@@ -4837,7 +4838,7 @@ xfrm_state_proto_key : DADDR { $$ = NFT_XFRM_KEY_DADDR_IP4; }
| SADDR { $$ = NFT_XFRM_KEY_SADDR_IP4; }
;
-xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key
+xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key close_scope_ipsec
{
if ($3 > 255) {
erec_queue(error(&@3, "value too large"), state->msgs);
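Review bot: with 'in' and 'out' moved into SCANSTATE_EXPR_IPSEC by the scanner.l hunk of this patch, the direction keyword that follows IPSEC in this rule (xfrm_dir) is recognized only because the 'ipsec' token has just pushed that state. Please confirm that IN and OUT are not referenced by any rule that can be reached without a preceding 'ipsec', and say so in the commit message; a missed user would now receive a string token and fail to parse.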
@@ -4845,7 +4846,7 @@ xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key
}
$$ = xfrm_expr_alloc(&@$, $2, $3, $4);
}
- | IPSEC xfrm_dir xfrm_spnum nf_key_proto xfrm_state_proto_key
+ | IPSEC xfrm_dir xfrm_spnum nf_key_proto xfrm_state_proto_key close_scope_ipsec
{
enum nft_xfrm_keys xfrmk = $5;
@@ -4919,7 +4920,7 @@ rt_expr : RT rt_key
rt_key : CLASSID { $$ = NFT_RT_CLASSID; }
| NEXTHOP { $$ = NFT_RT_NEXTHOP4; }
| MTU { $$ = NFT_RT_TCPMSS; }
- | IPSEC { $$ = NFT_RT_XFRM; }
+ | IPSEC close_scope_ipsec { $$ = NFT_RT_XFRM; }
;
ct_expr : CT ct_key
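Review bot: 'ipsec' now pushes a state every time it is scanned, so each grammar use of IPSEC needs a matching close_scope_ipsec; this patch adds it to meta_key_unqualified, both xfrm_expr alternatives and rt_key. Please confirm these are all the rules that reference IPSEC, since one left out would leave SCANSTATE_EXPR_IPSEC on the stack for the rest of the input.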
diff --git a/src/scanner.l b/src/scanner.l
index 893364b7b9e7..cf3d7d52b4c5 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option warn
%option stack
%s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
%s SCANSTATE_EXPR_QUEUE
@@ -594,12 +595,14 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"exthdr" { return EXTHDR; }
-"ipsec" { return IPSEC; }
-"reqid" { return REQID; }
-"spnum" { return SPNUM; }
+"ipsec" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_IPSEC); return IPSEC; }
+<SCANSTATE_EXPR_IPSEC>{
+ "reqid" { return REQID; }
+ "spnum" { return SPNUM; }
-"in" { return IN; }
-"out" { return OUT; }
+ "in" { return IN; }
+ "out" { return OUT; }
+}
"secmark" { return SECMARK; }
"secmarks" { return SECMARKS; }
--
2.26.2
* [PATCH nft 5/6] scanner: rt: move to own scope
From: Florian Westphal @ 2021-03-08 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
classid and nexthop can be moved out of INIT scope.
Rest are still needed because they are used by other expressions as
well.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 7 ++++---
src/scanner.l | 9 ++++++---
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 001698db259b..2cdccaf5fb3d 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -32,6 +32,7 @@ enum startcond_type {
PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
PARSER_SC_EXPR_QUEUE,
+ PARSER_SC_EXPR_RT,
};
struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 83d78a23b2ac..0f4d51ad30bc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -865,6 +865,7 @@ close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH);
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
+close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
common_block : INCLUDE QUOTED_STRING stmt_separator
{
@@ -4893,11 +4894,11 @@ nf_key_proto : IP { $$ = NFPROTO_IPV4; }
| IP6 { $$ = NFPROTO_IPV6; }
;
-rt_expr : RT rt_key
+rt_expr : RT rt_key close_scope_rt
{
$$ = rt_expr_alloc(&@$, $2, true);
}
- | RT nf_key_proto rt_key
+ | RT nf_key_proto rt_key close_scope_rt
{
enum nft_rt_keys rtk = $3;
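Review bot: after this patch 'classid' and 'nexthop' are returned as CLASSID/NEXTHOP only inside SCANSTATE_EXPR_RT, that is for rt_key in these two alternatives. The cover letter names 'parser: allow classid as set key' as an example of the workarounds this rework reduces the need for; if that workaround still accepts the CLASSID token outside an rt expression, it can no longer be reached and could be dropped in this patch, or the commit message should say it is left for a follow-up.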
@@ -5391,7 +5392,7 @@ hbh_hdr_field : NEXTHDR { $$ = HBHHDR_NEXTHDR; }
| HDRLENGTH { $$ = HBHHDR_HDRLENGTH; }
;
-rt_hdr_expr : RT rt_hdr_field
+rt_hdr_expr : RT rt_hdr_field close_scope_rt
{
$$ = exthdr_expr_alloc(&@$, &exthdr_rt, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index cf3d7d52b4c5..faf180ca4701 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -200,6 +200,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
%s SCANSTATE_EXPR_QUEUE
+%s SCANSTATE_EXPR_RT
%%
@@ -494,7 +495,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"sctp" { return SCTP; }
"vtag" { return VTAG; }
-"rt" { return RT; }
+"rt" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT; }
"rt0" { return RT0; }
"rt2" { return RT2; }
"srh" { return RT4; }
@@ -536,8 +537,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"oifgroup" { return OIFGROUP; }
"cgroup" { return CGROUP; }
-"classid" { return CLASSID; }
-"nexthop" { return NEXTHOP; }
+<SCANSTATE_EXPR_RT>{
+ "classid" { return CLASSID; }
+ "nexthop" { return NEXTHOP; }
+}
"ct" { return CT; }
"l3proto" { return L3PROTOCOL; }
--
2.26.2
* [PATCH nft 6/6] scanner: socket: move to own scope
From: Florian Westphal @ 2021-03-08 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/parser.h | 1 +
src/parser_bison.y | 3 ++-
src/scanner.l | 10 ++++++----
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 2cdccaf5fb3d..fd5006d35c0d 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -33,6 +33,7 @@ enum startcond_type {
PARSER_SC_EXPR_NUMGEN,
PARSER_SC_EXPR_QUEUE,
PARSER_SC_EXPR_RT,
+ PARSER_SC_EXPR_SOCKET,
};
struct mnl_socket;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 0f4d51ad30bc..2a8ac215a284 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -866,6 +866,7 @@ close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC)
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
+close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
common_block : INCLUDE QUOTED_STRING stmt_separator
{
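Review bot: close_scope_socket is the only close_scope_* rule here without a terminating ';' after its action; the rules above it in this hunk all end in '};'. Bison accepts the rule as written, but please add the semicolon for consistency.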
@@ -4798,7 +4799,7 @@ meta_stmt : META meta_key SET stmt_expr
}
;
-socket_expr : SOCKET socket_key
+socket_expr : SOCKET socket_key close_scope_socket
{
$$ = socket_expr_alloc(&@$, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index faf180ca4701..6a909e928bf4 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -201,6 +201,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_EXPR_NUMGEN
%s SCANSTATE_EXPR_QUEUE
%s SCANSTATE_EXPR_RT
+%s SCANSTATE_EXPR_SOCKET
%%
@@ -274,10 +275,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"ruleset" { return RULESET; }
"trace" { return TRACE; }
-"socket" { return SOCKET; }
-"transparent" { return TRANSPARENT; }
-"wildcard" { return WILDCARD; }
-
+"socket" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_SOCKET); return SOCKET; }
+<SCANSTATE_EXPR_SOCKET>{
+ "transparent" { return TRANSPARENT; }
+ "wildcard" { return WILDCARD; }
+}
"tproxy" { return TPROXY; }
"accept" { return ACCEPT; }
--
2.26.2