* [PATCH nft 00/12] move more keywords away from initial scope
@ 2021-03-11 13:23 Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 01/12] scanner: ct: move to own scope Florian Westphal
                   ` (11 more replies)
  0 siblings, 12 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

These patches move more keywords away from the initial flex scope.
Just like the preceding patches they follow the same pattern:
 1. New scope is entered from flex when encountering a start token, e.g.
 "ip".
 2. Scope is left from bison once a complete expression has been parsed.

Unlike the initial patches which only did this for a few expressions
this series also covers tokens that can appear in object context.

Florian Westphal (12):
  scanner: ct: move to own scope
  scanner: ip: move to own scope
  scanner: ip6: move to own scope
  scanner: add fib scope
  scanner: add ether scope
  scanner: arp: move to own scope
  scanner: remove saddr/daddr from initial state
  scanner: vlan: move to own scope
  scanner: limit: move to own scope
  scanner: quota: move to own scope
  scanner: move until,over,used keywords away from init state
  scanner: secmark: move to own scope

 include/parser.h   |  10 +++
 src/parser_bison.y | 176 ++++++++++++++++++++++++---------------------
 src/scanner.l      | 122 ++++++++++++++++++-------------
 3 files changed, 177 insertions(+), 131 deletions(-)

-- 
2.26.2



* [PATCH nft 01/12] scanner: ct: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 02/12] scanner: ip: " Florian Westphal
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This allows moving multiple ct specific keywords out of INITIAL scope.
Next few patches follow same pattern:
 1. add a close_scope_XXX rule
 2. add a SCANSTATE_XXX & make flex switch to it when
    encountering XXX keyword
 3. make bison leave SCANSTATE_XXX when it has seen the complete
    expression.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 43 ++++++++++++++++++++++---------------------
 src/scanner.l      | 37 ++++++++++++++++++++-----------------
 3 files changed, 43 insertions(+), 38 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index fd5006d35c0d..be29f400c023 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -28,6 +28,7 @@ struct parser_state {
 
 enum startcond_type {
 	PARSER_SC_BEGIN,
+	PARSER_SC_CT,
 	PARSER_SC_EXPR_HASH,
 	PARSER_SC_EXPR_IPSEC,
 	PARSER_SC_EXPR_NUMGEN,
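Review bot: `PARSER_SC_CT` is added at the same position in `enum startcond_type` as `%s SCANSTATE_CT` is in src/scanner.l, and nothing visible in this series enforces that pairing. The scanner pushes `SCANSTATE_CT` while the grammar pops `PARSER_SC_CT`, and flex numbers start conditions in declaration order, so if the two sets of constants are meant to be equal, an insertion made in only one file would silently shift every later scope. I would add a comment above the enum such as `/* keep in the same order as the %s declarations in src/scanner.l */`, and consider a compile-time check next to the `%s` list if none exists already. The same applies to the enum hunks in 02/12 through 06/12; the enum body continues outside this hunk.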
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 2a8ac215a284..2d2563c823ea 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -861,6 +861,7 @@ opt_newline		:	NEWLINE
 		 	|	/* empty */
 			;
 
+close_scope_ct		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
 close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
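Review bot: `close_scope_ct`, like the rules next to it, pops the start condition only when a production reduces normally, and nothing here documents what happens to `SCANSTATE_CT` when a syntax error occurs between the `ct` token and that reduction. Because the states are declared with `%s` (inclusive), a leaked scope would not hide INITIAL rules, but it would keep the scoped keywords reserved and leave the stack one entry deeper for the rest of the input. I would add a comment above this group stating the invariant, for example `/* every rule that consumes a scope-opening token must end in the matching close_scope_*; the stack is reset on error in <reset location> */`, with the location filled in or the reset added if it does not exist. The same question applies to each close_scope_* rule added in 02/12 to 06/12.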
@@ -1038,15 +1039,15 @@ add_cmd			:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, &@$, $3);
 			}
-			|	CT	HELPER	obj_spec	ct_obj_alloc	'{' ct_helper_block '}'
+			|	CT	HELPER	obj_spec	ct_obj_alloc	'{' ct_helper_block '}'	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_HELPER, &$3, &@$, $4);
 			}
-			|	CT	TIMEOUT obj_spec	ct_obj_alloc	'{' ct_timeout_block '}'
+			|	CT	TIMEOUT obj_spec	ct_obj_alloc	'{' ct_timeout_block '}'	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_TIMEOUT, &$3, &@$, $4);
 			}
-			|	CT	EXPECTATION	obj_spec	ct_obj_alloc	'{' ct_expect_block '}'
+			|	CT	EXPECTATION	obj_spec	ct_obj_alloc	'{' ct_expect_block '}'	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
 			}
@@ -1147,15 +1148,15 @@ create_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_QUOTA, &$2, &@$, $3);
 			}
-			|	CT	HELPER	obj_spec	ct_obj_alloc	'{' ct_helper_block '}'
+			|	CT	HELPER	obj_spec	ct_obj_alloc	'{' ct_helper_block '}'	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_HELPER, &$3, &@$, $4);
 			}
-			|	CT	TIMEOUT obj_spec	ct_obj_alloc	'{' ct_timeout_block '}'
+			|	CT	TIMEOUT obj_spec	ct_obj_alloc	'{' ct_timeout_block '}'	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_TIMEOUT, &$3, &@$, $4);
 			}
-			|	CT	EXPECTATION obj_spec	ct_obj_alloc	'{' ct_expect_block '}'
+			|	CT	EXPECTATION obj_spec	ct_obj_alloc	'{' ct_expect_block '}'	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
 			}
@@ -1242,7 +1243,7 @@ delete_cmd		:	TABLE		table_or_id_spec
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_QUOTA, &$2, &@$, NULL);
 			}
-			|	CT	ct_obj_type	obj_spec	ct_obj_alloc
+			|	CT	ct_obj_type	obj_spec	ct_obj_alloc	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_DELETE, $2, &$3, &@$, $4);
 			}
@@ -1390,11 +1391,11 @@ list_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_MAP, &$2, &@$, NULL);
 			}
-			|	CT		ct_obj_type	obj_spec
+			|	CT		ct_obj_type	obj_spec	close_scope_ct
 			{
 				$$ = cmd_alloc_obj_ct(CMD_LIST, $2, &$3, &@$, NULL);
 			}
-			|       CT		ct_cmd_type 	TABLE   table_spec
+			|       CT		ct_cmd_type	TABLE   table_spec	close_scope_ct
 			{
 				$$ = cmd_alloc(CMD_LIST, $2, &$4, &@$, NULL);
 			}
@@ -1631,7 +1632,7 @@ table_block		:	/* empty */	{ $$ = $<table>-1; }
 				list_add_tail(&$4->list, &$1->objs);
 				$$ = $1;
 			}
-			|	table_block	CT	HELPER	obj_identifier  obj_block_alloc '{'     ct_helper_block     '}' stmt_separator
+			|	table_block	CT	HELPER	obj_identifier  obj_block_alloc '{'     ct_helper_block     '}' close_scope_ct stmt_separator
 			{
 				$5->location = @4;
 				$5->type = NFT_OBJECT_CT_HELPER;
@@ -1640,7 +1641,7 @@ table_block		:	/* empty */	{ $$ = $<table>-1; }
 				list_add_tail(&$5->list, &$1->objs);
 				$$ = $1;
 			}
-			|	table_block	CT	TIMEOUT obj_identifier obj_block_alloc '{'	ct_timeout_block	'}' stmt_separator
+			|	table_block	CT	TIMEOUT obj_identifier obj_block_alloc '{'	ct_timeout_block	'}' close_scope_ct stmt_separator
 			{
 				$5->location = @4;
 				$5->type = NFT_OBJECT_CT_TIMEOUT;
@@ -1649,7 +1650,7 @@ table_block		:	/* empty */	{ $$ = $<table>-1; }
 				list_add_tail(&$5->list, &$1->objs);
 				$$ = $1;
 			}
-			|	table_block	CT	EXPECTATION obj_identifier obj_block_alloc '{'	ct_expect_block	'}' stmt_separator
+			|	table_block	CT	EXPECTATION obj_identifier obj_block_alloc '{'	ct_expect_block	'}' close_scope_ct stmt_separator
 			{
 				$5->location = @4;
 				$5->type = NFT_OBJECT_CT_EXPECT;
@@ -2756,12 +2757,12 @@ verdict_map_list_member_expr:	opt_newline	set_elem_expr	COLON	verdict_expr	opt_n
 			}
 			;
 
-connlimit_stmt		:	CT	COUNT	NUM
+connlimit_stmt		:	CT	COUNT	NUM	close_scope_ct
 			{
 				$$ = connlimit_stmt_alloc(&@$);
 				$$->connlimit.count	= $3;
 			}
-			|	CT	COUNT	OVER	NUM
+			|	CT	COUNT	OVER	NUM	close_scope_ct
 			{
 				$$ = connlimit_stmt_alloc(&@$);
 				$$->connlimit.count = $4;
@@ -4925,15 +4926,15 @@ rt_key			:	CLASSID		{ $$ = NFT_RT_CLASSID; }
 			|	IPSEC	close_scope_ipsec { $$ = NFT_RT_XFRM; }
 			;
 
-ct_expr			: 	CT	ct_key
+ct_expr			: 	CT	ct_key	close_scope_ct
 			{
 				$$ = ct_expr_alloc(&@$, $2, -1);
 			}
-			|	CT	ct_dir	ct_key_dir
+			|	CT	ct_dir	ct_key_dir	close_scope_ct
 			{
 				$$ = ct_expr_alloc(&@$, $3, $2);
 			}
-			|	CT	ct_dir	ct_key_proto_field
+			|	CT	ct_dir	ct_key_proto_field	close_scope_ct
 			{
 				$$ = ct_expr_alloc(&@$, $3, $2);
 			}
@@ -5001,7 +5002,7 @@ list_stmt_expr		:	symbol_stmt_expr	COMMA	symbol_stmt_expr
 			}
 			;
 
-ct_stmt			:	CT	ct_key		SET	stmt_expr
+ct_stmt			:	CT	ct_key		SET	stmt_expr	close_scope_ct
 			{
 				switch ($2) {
 				case NFT_CT_HELPER:
@@ -5014,20 +5015,20 @@ ct_stmt			:	CT	ct_key		SET	stmt_expr
 					break;
 				}
 			}
-			|	CT	TIMEOUT		SET	stmt_expr
+			|	CT	TIMEOUT		SET	stmt_expr	close_scope_ct
 			{
 				$$ = objref_stmt_alloc(&@$);
 				$$->objref.type = NFT_OBJECT_CT_TIMEOUT;
 				$$->objref.expr = $4;
 
 			}
-			|	CT	EXPECTATION	SET	stmt_expr
+			|	CT	EXPECTATION	SET	stmt_expr	close_scope_ct
 			{
 				$$ = objref_stmt_alloc(&@$);
 				$$->objref.type = NFT_OBJECT_CT_EXPECT;
 				$$->objref.expr = $4;
 			}
-			|	CT	ct_dir	ct_key_dir_optional SET	stmt_expr
+			|	CT	ct_dir	ct_key_dir_optional SET	stmt_expr	close_scope_ct
 			{
 				$$ = ct_stmt_alloc(&@$, $3, $2, $5);
 			}
diff --git a/src/scanner.l b/src/scanner.l
index 6a909e928bf4..1358f9d01d6a 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -196,6 +196,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option nodefault
 %option warn
 %option stack
+%s SCANSTATE_CT
 %s SCANSTATE_EXPR_HASH
 %s SCANSTATE_EXPR_IPSEC
 %s SCANSTATE_EXPR_NUMGEN
@@ -337,7 +338,6 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "name"			{ return NAME; }
 "packets"		{ return PACKETS; }
 "bytes"			{ return BYTES; }
-"avgpkt"		{ return AVGPKT; }
 
 "counters"		{ return COUNTERS; }
 "quotas"		{ return QUOTAS; }
@@ -544,22 +544,25 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 	"nexthop"		{ return NEXTHOP; }
 }
 
-"ct"			{ return CT; }
-"l3proto"		{ return L3PROTOCOL; }
-"proto-src"		{ return PROTO_SRC; }
-"proto-dst"		{ return PROTO_DST; }
-"zone"			{ return ZONE; }
-"original"		{ return ORIGINAL; }
-"reply"			{ return REPLY; }
-"direction"		{ return DIRECTION; }
-"event"			{ return EVENT; }
-"expectation"		{ return EXPECTATION; }
-"expiration"		{ return EXPIRATION; }
-"helper"		{ return HELPER; }
-"helpers"		{ return HELPERS; }
-"label"			{ return LABEL; }
-"state"			{ return STATE; }
-"status"		{ return STATUS; }
+"ct"			{ scanner_push_start_cond(yyscanner, SCANSTATE_CT); return CT; }
+<SCANSTATE_CT>{
+	"avgpkt"		{ return AVGPKT; }
+	"l3proto"		{ return L3PROTOCOL; }
+	"proto-src"		{ return PROTO_SRC; }
+	"proto-dst"		{ return PROTO_DST; }
+	"zone"			{ return ZONE; }
+	"original"		{ return ORIGINAL; }
+	"reply"			{ return REPLY; }
+	"direction"		{ return DIRECTION; }
+	"event"			{ return EVENT; }
+	"expectation"		{ return EXPECTATION; }
+	"expiration"		{ return EXPIRATION; }
+	"helper"		{ return HELPER; }
+	"helpers"		{ return HELPERS; }
+	"label"			{ return LABEL; }
+	"state"			{ return STATE; }
+	"status"		{ return STATUS; }
+}
 
 "numgen"		{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }
 <SCANSTATE_EXPR_NUMGEN>{
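Review bot: Every keyword moved into `<SCANSTATE_CT>` becomes an ordinary string outside that state, so any grammar rule that uses `STATE`, `LABEL`, `ZONE`, `EVENT`, `HELPER`, `STATUS` or `AVGPKT` without a leading `ct` token would stop matching, and the hunks cannot show that no such rule exists. `avgpkt` in particular is taken from the `name`/`packets`/`bytes` group rather than from the old ct list, and the commit message does not mention it. I would check parser_bison.y for each moved token, run the parser tests, and record the result in the commit message. The same check applies to `value`/`ptr` in 02/12, `hoplimit` in 03/12 and `htype` through `operation` in 06/12.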
-- 
2.26.2



* [PATCH nft 02/12] scanner: ip: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 01/12] scanner: ct: move to own scope Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 03/12] scanner: ip6: " Florian Westphal
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Move the ip option names (rr, lsrr, ...) out of INITIAL scope.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 23 ++++++++++++-----------
 src/scanner.l      | 17 ++++++++++-------
 3 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index be29f400c023..a778cb59c2c9 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -29,6 +29,7 @@ struct parser_state {
 enum startcond_type {
 	PARSER_SC_BEGIN,
 	PARSER_SC_CT,
+	PARSER_SC_IP,
 	PARSER_SC_EXPR_HASH,
 	PARSER_SC_EXPR_IPSEC,
 	PARSER_SC_EXPR_NUMGEN,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 2d2563c823ea..ba15366cb3db 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -863,6 +863,7 @@ opt_newline		:	NEWLINE
 
 close_scope_ct		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_ip		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
 close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
@@ -2424,7 +2425,7 @@ family_spec		:	/* empty */		{ $$ = NFPROTO_IPV4; }
 			|	family_spec_explicit
 			;
 
-family_spec_explicit	:	IP		{ $$ = NFPROTO_IPV4; }
+family_spec_explicit	:	IP	close_scope_ip 	{ $$ = NFPROTO_IPV4; }
 			|	IP6		{ $$ = NFPROTO_IPV6; }
 			|	INET		{ $$ = NFPROTO_INET; }
 			|	ARP		{ $$ = NFPROTO_ARP; }
@@ -3004,7 +3005,7 @@ log_flags		:	TCP	log_flags_tcp
 			{
 				$$ = $2;
 			}
-			|	IP	OPTIONS
+			|	IP	OPTIONS	close_scope_ip
 			{
 				$$ = NF_LOG_IPOPT;
 			}
@@ -4537,7 +4538,7 @@ boolean_expr		:	boolean_keys
 			;
 
 keyword_expr		:	ETHER                   { $$ = symbol_value(&@$, "ether"); }
-			|	IP			{ $$ = symbol_value(&@$, "ip"); }
+			|	IP	close_scope_ip  { $$ = symbol_value(&@$, "ip"); }
 			|	IP6			{ $$ = symbol_value(&@$, "ip6"); }
 			|	VLAN			{ $$ = symbol_value(&@$, "vlan"); }
 			|	ARP			{ $$ = symbol_value(&@$, "arp"); }
@@ -4892,7 +4893,7 @@ hash_expr		:	JHASH		expr	MOD	NUM	SEED	NUM	offset_opt	close_scope_hash
 			}
 			;
 
-nf_key_proto		:	IP		{ $$ = NFPROTO_IPV4; }
+nf_key_proto		:	IP	close_scope_ip { $$ = NFPROTO_IPV4; }
 			|	IP6		{ $$ = NFPROTO_IPV6; }
 			;
 
@@ -4972,8 +4973,8 @@ ct_key_dir		:	SADDR		{ $$ = NFT_CT_SRC; }
 			|	ct_key_dir_optional
 			;
 
-ct_key_proto_field	:	IP	SADDR	{ $$ = NFT_CT_SRC_IP; }
-			|	IP	DADDR	{ $$ = NFT_CT_DST_IP; }
+ct_key_proto_field	:	IP	SADDR	close_scope_ip { $$ = NFT_CT_SRC_IP; }
+			|	IP	DADDR	close_scope_ip { $$ = NFT_CT_DST_IP; }
 			|	IP6	SADDR	{ $$ = NFT_CT_SRC_IP6; }
 			|	IP6	DADDR	{ $$ = NFT_CT_DST_IP6; }
 			;
@@ -5113,19 +5114,19 @@ arp_hdr_field		:	HTYPE		{ $$ = ARPHDR_HRD; }
 			|	OPERATION	{ $$ = ARPHDR_OP; }
 			|	SADDR ETHER	{ $$ = ARPHDR_SADDR_ETHER; }
 			|	DADDR ETHER	{ $$ = ARPHDR_DADDR_ETHER; }
-			|	SADDR IP	{ $$ = ARPHDR_SADDR_IP; }
-			|	DADDR IP	{ $$ = ARPHDR_DADDR_IP; }
+			|	SADDR IP	close_scope_ip	{ $$ = ARPHDR_SADDR_IP; }
+			|	DADDR IP	close_scope_ip	{ $$ = ARPHDR_DADDR_IP; }
 			;
 
-ip_hdr_expr		:	IP	ip_hdr_field
+ip_hdr_expr		:	IP	ip_hdr_field	close_scope_ip
 			{
 				$$ = payload_expr_alloc(&@$, &proto_ip, $2);
 			}
-			|	IP	OPTION	ip_option_type ip_option_field
+			|	IP	OPTION	ip_option_type ip_option_field	close_scope_ip
 			{
 				$$ = ipopt_expr_alloc(&@$, $3, $4, 0);
 			}
-			|	IP	OPTION	ip_option_type
+			|	IP	OPTION	ip_option_type close_scope_ip
 			{
 				$$ = ipopt_expr_alloc(&@$, $3, IPOPT_FIELD_TYPE, 0);
 				$$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
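Review bot: In `ip_hdr_expr` the alternatives `IP OPTION ip_option_type ip_option_field close_scope_ip` and `IP OPTION ip_option_type close_scope_ip` share a prefix, so the parser presumably has to read the next token before it can reduce `close_scope_ip`. If that lookahead token is itself a scope opener (`ct`, or `ip6`/`arp` after the later patches), its start condition is pushed first and the pop would then remove the wrong entry, unless `scanner_pop_start_cond` compares its `PARSER_SC_IP` argument with the top of the stack; its body is not visible here. `ct_expr` versus `ct_stmt` in 01/12 (`CT ct_key` with an optional `SET`) has the same shape. I would confirm how the pop handles a mismatch and add a parser test that places a scoped keyword directly after such an expression. The last ip_hdr_expr action continues outside the hunk.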
diff --git a/src/scanner.l b/src/scanner.l
index 1358f9d01d6a..262945064e80 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option warn
 %option stack
 %s SCANSTATE_CT
+%s SCANSTATE_IP
 %s SCANSTATE_EXPR_HASH
 %s SCANSTATE_EXPR_IPSEC
 %s SCANSTATE_EXPR_NUMGEN
@@ -408,7 +409,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "plen"			{ return PLEN; }
 "operation"		{ return OPERATION; }
 
-"ip"			{ return IP; }
+"ip"			{ scanner_push_start_cond(yyscanner, SCANSTATE_IP); return IP; }
 "version"		{ return HDRVERSION; }
 "hdrlength"		{ return HDRLENGTH; }
 "dscp"			{ return DSCP; }
@@ -419,13 +420,15 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "protocol"		{ return PROTOCOL; }
 "checksum"		{ return CHECKSUM; }
 
-"lsrr"			{ return LSRR; }
-"rr"			{ return RR; }
-"ssrr"			{ return SSRR; }
-"ra"			{ return RA; }
+<SCANSTATE_IP>{
+	"lsrr"			{ return LSRR; }
+	"rr"			{ return RR; }
+	"ssrr"			{ return SSRR; }
+	"ra"			{ return RA; }
 
-"value"			{ return VALUE; }
-"ptr"			{ return PTR; }
+	"ptr"			{ return PTR; }
+	"value"			{ return VALUE; }
+}
 
 "echo"			{ return ECHO; }
 "eol"			{ return EOL; }
-- 
2.26.2



* [PATCH nft 03/12] scanner: ip6: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 01/12] scanner: ct: move to own scope Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 02/12] scanner: ip: " Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 04/12] scanner: add fib scope Florian Westphal
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Move flowlabel and hoplimit out of the INITIAL scope.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 21 +++++++++++----------
 src/scanner.l      |  9 ++++++---
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index a778cb59c2c9..586a984875c4 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -30,6 +30,7 @@ enum startcond_type {
 	PARSER_SC_BEGIN,
 	PARSER_SC_CT,
 	PARSER_SC_IP,
+	PARSER_SC_IP6,
 	PARSER_SC_EXPR_HASH,
 	PARSER_SC_EXPR_IPSEC,
 	PARSER_SC_EXPR_NUMGEN,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ba15366cb3db..9ef2602e22bd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -864,6 +864,7 @@ opt_newline		:	NEWLINE
 close_scope_ct		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
 close_scope_ip		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
+close_scope_ip6		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
 close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
@@ -2426,11 +2427,11 @@ family_spec		:	/* empty */		{ $$ = NFPROTO_IPV4; }
 			;
 
 family_spec_explicit	:	IP	close_scope_ip 	{ $$ = NFPROTO_IPV4; }
-			|	IP6		{ $$ = NFPROTO_IPV6; }
-			|	INET		{ $$ = NFPROTO_INET; }
-			|	ARP		{ $$ = NFPROTO_ARP; }
-			|	BRIDGE		{ $$ = NFPROTO_BRIDGE; }
-			|	NETDEV		{ $$ = NFPROTO_NETDEV; }
+			|	IP6	close_scope_ip6 { $$ = NFPROTO_IPV6; }
+			|	INET			{ $$ = NFPROTO_INET; }
+			|	ARP			{ $$ = NFPROTO_ARP; }
+			|	BRIDGE			{ $$ = NFPROTO_BRIDGE; }
+			|	NETDEV			{ $$ = NFPROTO_NETDEV; }
 			;
 
 table_spec		:	family_spec	identifier
@@ -4539,7 +4540,7 @@ boolean_expr		:	boolean_keys
 
 keyword_expr		:	ETHER                   { $$ = symbol_value(&@$, "ether"); }
 			|	IP	close_scope_ip  { $$ = symbol_value(&@$, "ip"); }
-			|	IP6			{ $$ = symbol_value(&@$, "ip6"); }
+			|	IP6	close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
 			|	VLAN			{ $$ = symbol_value(&@$, "vlan"); }
 			|	ARP			{ $$ = symbol_value(&@$, "arp"); }
 			|	DNAT			{ $$ = symbol_value(&@$, "dnat"); }
@@ -4894,7 +4895,7 @@ hash_expr		:	JHASH		expr	MOD	NUM	SEED	NUM	offset_opt	close_scope_hash
 			;
 
 nf_key_proto		:	IP	close_scope_ip { $$ = NFPROTO_IPV4; }
-			|	IP6		{ $$ = NFPROTO_IPV6; }
+			|	IP6	close_scope_ip6 { $$ = NFPROTO_IPV6; }
 			;
 
 rt_expr			:	RT	rt_key	close_scope_rt
@@ -4975,8 +4976,8 @@ ct_key_dir		:	SADDR		{ $$ = NFT_CT_SRC; }
 
 ct_key_proto_field	:	IP	SADDR	close_scope_ip { $$ = NFT_CT_SRC_IP; }
 			|	IP	DADDR	close_scope_ip { $$ = NFT_CT_DST_IP; }
-			|	IP6	SADDR	{ $$ = NFT_CT_SRC_IP6; }
-			|	IP6	DADDR	{ $$ = NFT_CT_DST_IP6; }
+			|	IP6	SADDR	close_scope_ip6	{ $$ = NFT_CT_SRC_IP6; }
+			|	IP6	DADDR	close_scope_ip6 { $$ = NFT_CT_DST_IP6; }
 			;
 
 ct_key_dir_optional	:	BYTES		{ $$ = NFT_CT_BYTES; }
@@ -5187,7 +5188,7 @@ igmp_hdr_field		:	TYPE		{ $$ = IGMPHDR_TYPE; }
 			|	GROUP		{ $$ = IGMPHDR_GROUP; }
 			;
 
-ip6_hdr_expr		:	IP6	ip6_hdr_field
+ip6_hdr_expr		:	IP6	ip6_hdr_field	close_scope_ip6
 			{
 				$$ = payload_expr_alloc(&@$, &proto_ip6, $2);
 			}
diff --git a/src/scanner.l b/src/scanner.l
index 262945064e80..15d1beca601d 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -198,6 +198,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option stack
 %s SCANSTATE_CT
 %s SCANSTATE_IP
+%s SCANSTATE_IP6
 %s SCANSTATE_EXPR_HASH
 %s SCANSTATE_EXPR_IPSEC
 %s SCANSTATE_EXPR_NUMGEN
@@ -462,11 +463,13 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "igmp"			{ return IGMP; }
 "mrt"			{ return MRT; }
 
-"ip6"			{ return IP6; }
+"ip6"			{ scanner_push_start_cond(yyscanner, SCANSTATE_IP6); return IP6; }
 "priority"		{ return PRIORITY; }
-"flowlabel"		{ return FLOWLABEL; }
+<SCANSTATE_IP6>{
+	"flowlabel"		{ return FLOWLABEL; }
+	"hoplimit"		{ return HOPLIMIT; }
+}
 "nexthdr"		{ return NEXTHDR; }
-"hoplimit"		{ return HOPLIMIT; }
 
 "icmpv6"		{ return ICMP6; }
 "param-problem"		{ return PPTR; }
-- 
2.26.2



* [PATCH nft 04/12] scanner: add fib scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (2 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 03/12] scanner: ip6: " Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 05/12] scanner: add ether scope Florian Westphal
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This scope makes no sense as-is, because all keywords need to stay
in the INITIAL scope.

This can be changed after all saddr/daddr users have been scoped.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   | 1 +
 src/parser_bison.y | 3 ++-
 src/scanner.l      | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 586a984875c4..e338713dad32 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -31,6 +31,7 @@ enum startcond_type {
 	PARSER_SC_CT,
 	PARSER_SC_IP,
 	PARSER_SC_IP6,
+	PARSER_SC_EXPR_FIB,
 	PARSER_SC_EXPR_HASH,
 	PARSER_SC_EXPR_IPSEC,
 	PARSER_SC_EXPR_NUMGEN,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 9ef2602e22bd..74ab69dd8820 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ opt_newline		:	NEWLINE
 			;
 
 close_scope_ct		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
+close_scope_fib		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
 close_scope_ip		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
 close_scope_ip6		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
@@ -3873,7 +3874,7 @@ primary_expr		:	symbol_expr			{ $$ = $1; }
 			|	'('	basic_expr	')'	{ $$ = $2; }
 			;
 
-fib_expr		:	FIB	fib_tuple	fib_result
+fib_expr		:	FIB	fib_tuple	fib_result	close_scope_fib
 			{
 				if (($2 & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) == 0) {
 					erec_queue(error(&@2, "fib: need either saddr or daddr"), state->msgs);
diff --git a/src/scanner.l b/src/scanner.l
index 15d1beca601d..c78f34b625c2 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -199,6 +199,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_CT
 %s SCANSTATE_IP
 %s SCANSTATE_IP6
+%s SCANSTATE_EXPR_FIB
 %s SCANSTATE_EXPR_HASH
 %s SCANSTATE_EXPR_IPSEC
 %s SCANSTATE_EXPR_NUMGEN
@@ -588,7 +589,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "dup"			{ return DUP; }
 "fwd"			{ return FWD; }
 
-"fib"			{ return FIB; }
+"fib"			{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_FIB); return FIB; }
 
 "osf"			{ return OSF; }
 
-- 
2.26.2



* [PATCH nft 05/12] scanner: add ether scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (3 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 04/12] scanner: add fib scope Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 06/12] scanner: arp: move to own scope Florian Westphal
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Just like the previous change, this is useless as-is, but it prepares
for the removal of saddr/daddr from the INITIAL scope.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 11 ++++++-----
 src/scanner.l      |  3 ++-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index e338713dad32..cdc5fd094af5 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -29,6 +29,7 @@ struct parser_state {
 enum startcond_type {
 	PARSER_SC_BEGIN,
 	PARSER_SC_CT,
+	PARSER_SC_ETH,
 	PARSER_SC_IP,
 	PARSER_SC_IP6,
 	PARSER_SC_EXPR_FIB,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 74ab69dd8820..9cfa336643e5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ opt_newline		:	NEWLINE
 			;
 
 close_scope_ct		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
+close_scope_eth		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
 close_scope_fib		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
 close_scope_ip		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
@@ -3015,7 +3016,7 @@ log_flags		:	TCP	log_flags_tcp
 			{
 				$$ = NF_LOG_UID;
 			}
-			|	ETHER
+			|	ETHER	close_scope_eth
 			{
 				$$ = NF_LOG_MACDECODE;
 			}
@@ -4539,7 +4540,7 @@ boolean_expr		:	boolean_keys
 			}
 			;
 
-keyword_expr		:	ETHER                   { $$ = symbol_value(&@$, "ether"); }
+keyword_expr		:	ETHER   close_scope_eth { $$ = symbol_value(&@$, "ether"); }
 			|	IP	close_scope_ip  { $$ = symbol_value(&@$, "ip"); }
 			|	IP6	close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
 			|	VLAN			{ $$ = symbol_value(&@$, "vlan"); }
@@ -5080,7 +5081,7 @@ payload_base_spec	:	LL_HDR		{ $$ = PROTO_BASE_LL_HDR; }
 			|	TRANSPORT_HDR	{ $$ = PROTO_BASE_TRANSPORT_HDR; }
 			;
 
-eth_hdr_expr		:	ETHER	eth_hdr_field
+eth_hdr_expr		:	ETHER	eth_hdr_field	close_scope_eth
 			{
 				$$ = payload_expr_alloc(&@$, &proto_eth, $2);
 			}
@@ -5114,8 +5115,8 @@ arp_hdr_field		:	HTYPE		{ $$ = ARPHDR_HRD; }
 			|	HLEN		{ $$ = ARPHDR_HLN; }
 			|	PLEN		{ $$ = ARPHDR_PLN; }
 			|	OPERATION	{ $$ = ARPHDR_OP; }
-			|	SADDR ETHER	{ $$ = ARPHDR_SADDR_ETHER; }
-			|	DADDR ETHER	{ $$ = ARPHDR_DADDR_ETHER; }
+			|	SADDR ETHER	close_scope_eth	{ $$ = ARPHDR_SADDR_ETHER; }
+			|	DADDR ETHER	close_scope_eth { $$ = ARPHDR_DADDR_ETHER; }
 			|	SADDR IP	close_scope_ip	{ $$ = ARPHDR_SADDR_IP; }
 			|	DADDR IP	close_scope_ip	{ $$ = ARPHDR_DADDR_IP; }
 			;
diff --git a/src/scanner.l b/src/scanner.l
index c78f34b625c2..b1b03b951263 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option warn
 %option stack
 %s SCANSTATE_CT
+%s SCANSTATE_ETH
 %s SCANSTATE_IP
 %s SCANSTATE_IP6
 %s SCANSTATE_EXPR_FIB
@@ -393,7 +394,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
 "bridge"		{ return BRIDGE; }
 
-"ether"			{ return ETHER; }
+"ether"			{ scanner_push_start_cond(yyscanner, SCANSTATE_ETH); return ETHER; }
 "saddr"			{ return SADDR; }
 "daddr"			{ return DADDR; }
 "type"			{ return TYPE; }
-- 
2.26.2



* [PATCH nft 06/12] scanner: arp: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (4 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 05/12] scanner: add ether scope Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 07/12] scanner: remove saddr/daddr from initial state Florian Westphal
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Allows moving the arp-specific tokens out of the INITIAL scope.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y |  7 ++++---
 src/scanner.l      | 15 +++++++++------
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index cdc5fd094af5..38039677cd1d 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -28,6 +28,7 @@ struct parser_state {
 
 enum startcond_type {
 	PARSER_SC_BEGIN,
+	PARSER_SC_ARP,
 	PARSER_SC_CT,
 	PARSER_SC_ETH,
 	PARSER_SC_IP,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 9cfa336643e5..a22f61c4c99b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -861,6 +861,7 @@ opt_newline		:	NEWLINE
 		 	|	/* empty */
 			;
 
+close_scope_arp		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_ARP); };
 close_scope_ct		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_CT); };
 close_scope_eth		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
 close_scope_fib		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
@@ -2431,7 +2432,7 @@ family_spec		:	/* empty */		{ $$ = NFPROTO_IPV4; }
 family_spec_explicit	:	IP	close_scope_ip 	{ $$ = NFPROTO_IPV4; }
 			|	IP6	close_scope_ip6 { $$ = NFPROTO_IPV6; }
 			|	INET			{ $$ = NFPROTO_INET; }
-			|	ARP			{ $$ = NFPROTO_ARP; }
+			|	ARP	close_scope_arp { $$ = NFPROTO_ARP; }
 			|	BRIDGE			{ $$ = NFPROTO_BRIDGE; }
 			|	NETDEV			{ $$ = NFPROTO_NETDEV; }
 			;
@@ -4544,7 +4545,7 @@ keyword_expr		:	ETHER   close_scope_eth { $$ = symbol_value(&@$, "ether"); }
 			|	IP	close_scope_ip  { $$ = symbol_value(&@$, "ip"); }
 			|	IP6	close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
 			|	VLAN			{ $$ = symbol_value(&@$, "vlan"); }
-			|	ARP			{ $$ = symbol_value(&@$, "arp"); }
+			|	ARP	close_scope_arp { $$ = symbol_value(&@$, "arp"); }
 			|	DNAT			{ $$ = symbol_value(&@$, "dnat"); }
 			|	SNAT			{ $$ = symbol_value(&@$, "snat"); }
 			|	ECN			{ $$ = symbol_value(&@$, "ecn"); }
@@ -5104,7 +5105,7 @@ vlan_hdr_field		:	ID		{ $$ = VLANHDR_VID; }
 			|	TYPE		{ $$ = VLANHDR_TYPE; }
 			;
 
-arp_hdr_expr		:	ARP	arp_hdr_field
+arp_hdr_expr		:	ARP	arp_hdr_field	close_scope_arp
 			{
 				$$ = payload_expr_alloc(&@$, &proto_arp, $2);
 			}
diff --git a/src/scanner.l b/src/scanner.l
index b1b03b951263..509b1b0d77a2 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -196,6 +196,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %option nodefault
 %option warn
 %option stack
+%s SCANSTATE_ARP
 %s SCANSTATE_CT
 %s SCANSTATE_ETH
 %s SCANSTATE_IP
@@ -405,12 +406,14 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "cfi"			{ return CFI; }
 "pcp"			{ return PCP; }
 
-"arp"			{ return ARP; }
-"htype"			{ return HTYPE; }
-"ptype"			{ return PTYPE; }
-"hlen"			{ return HLEN; }
-"plen"			{ return PLEN; }
-"operation"		{ return OPERATION; }
+"arp"			{ scanner_push_start_cond(yyscanner, SCANSTATE_ARP); return ARP; }
+<SCANSTATE_ARP>{
+	"htype"			{ return HTYPE; }
+	"ptype"			{ return PTYPE; }
+	"hlen"			{ return HLEN; }
+	"plen"			{ return PLEN; }
+	"operation"		{ return OPERATION; }
+}
 
 "ip"			{ scanner_push_start_cond(yyscanner, SCANSTATE_IP); return IP; }
 "version"		{ return HDRVERSION; }
-- 
2.26.2



* [PATCH nft 07/12] scanner: remove saddr/daddr from initial state
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (5 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 06/12] scanner: arp: move to own scope Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 08/12] scanner: vlan: move to own scope Florian Westphal
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This can now be reduced to expressions that can expect saddr/daddr tokens.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/scanner.l | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/scanner.l b/src/scanner.l
index 509b1b0d77a2..728b2c79b395 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -396,8 +396,10 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "bridge"		{ return BRIDGE; }
 
 "ether"			{ scanner_push_start_cond(yyscanner, SCANSTATE_ETH); return ETHER; }
-"saddr"			{ return SADDR; }
-"daddr"			{ return DADDR; }
+<SCANSTATE_ARP,SCANSTATE_CT,SCANSTATE_ETH,SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_EXPR_FIB,SCANSTATE_EXPR_IPSEC>{
+	"saddr"			{ return SADDR; }
+	"daddr"			{ return DADDR; }
+}
 "type"			{ return TYPE; }
 "typeof"		{ return TYPEOF; }
 
-- 
2.26.2



* [PATCH nft 08/12] scanner: vlan: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (6 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 07/12] scanner: remove saddr/daddr from initial state Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 09/12] scanner: limit: " Florian Westphal
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

ID needs to remain exposed as it's used by ct, icmp, icmp6 and so on.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   | 1 +
 src/parser_bison.y | 5 +++--
 src/scanner.l      | 9 ++++++---
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 38039677cd1d..889f9418a864 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -33,6 +33,7 @@ enum startcond_type {
 	PARSER_SC_ETH,
 	PARSER_SC_IP,
 	PARSER_SC_IP6,
+	PARSER_SC_VLAN,
 	PARSER_SC_EXPR_FIB,
 	PARSER_SC_EXPR_HASH,
 	PARSER_SC_EXPR_IPSEC,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a22f61c4c99b..a6ce506bf5b5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -868,6 +868,7 @@ close_scope_fib		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); }
 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
 close_scope_ip		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
 close_scope_ip6		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
+close_scope_vlan	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
 close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
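Review bot: `close_scope_vlan` names `PARSER_SC_VLAN`, but whether `scanner_pop_start_cond()` compares that argument with the state actually on top of the flex stack is not visible on this page. If it pops unconditionally, a production that consumes `VLAN` without ending in `close_scope_vlan`, or a parse error between the push and the pop, leaves the scanner in the wrong state for the rest of the input with no diagnostic. Consider having the pop verify the expected state (an assertion or an error record), and add a comment above this list such as `/* every rule that consumes a scope-opening token must end in the matching close_scope_* */`. The same applies to `close_scope_limit`, `close_scope_quota` and `close_scope_secmark` added by patches 09, 10 and 12.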
@@ -4544,7 +4545,7 @@ boolean_expr		:	boolean_keys
 keyword_expr		:	ETHER   close_scope_eth { $$ = symbol_value(&@$, "ether"); }
 			|	IP	close_scope_ip  { $$ = symbol_value(&@$, "ip"); }
 			|	IP6	close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
-			|	VLAN			{ $$ = symbol_value(&@$, "vlan"); }
+			|	VLAN	close_scope_vlan { $$ = symbol_value(&@$, "vlan"); }
 			|	ARP	close_scope_arp { $$ = symbol_value(&@$, "arp"); }
 			|	DNAT			{ $$ = symbol_value(&@$, "dnat"); }
 			|	SNAT			{ $$ = symbol_value(&@$, "snat"); }
@@ -5093,7 +5094,7 @@ eth_hdr_field		:	SADDR		{ $$ = ETHHDR_SADDR; }
 			|	TYPE		{ $$ = ETHHDR_TYPE; }
 			;
 
-vlan_hdr_expr		:	VLAN	vlan_hdr_field
+vlan_hdr_expr		:	VLAN	vlan_hdr_field	close_scope_vlan
 			{
 				$$ = payload_expr_alloc(&@$, &proto_vlan, $2);
 			}
diff --git a/src/scanner.l b/src/scanner.l
index 728b2c79b395..b664a794184f 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -201,6 +201,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_ETH
 %s SCANSTATE_IP
 %s SCANSTATE_IP6
+%s SCANSTATE_VLAN
 %s SCANSTATE_EXPR_FIB
 %s SCANSTATE_EXPR_HASH
 %s SCANSTATE_EXPR_IPSEC
@@ -403,10 +404,12 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "type"			{ return TYPE; }
 "typeof"		{ return TYPEOF; }
 
-"vlan"			{ return VLAN; }
+"vlan"			{ scanner_push_start_cond(yyscanner, SCANSTATE_VLAN); return VLAN; }
 "id"			{ return ID; }
-"cfi"			{ return CFI; }
-"pcp"			{ return PCP; }
+<SCANSTATE_VLAN>{
+	"cfi"		{ return CFI; }
+	"pcp"		{ return PCP; }
+}
 
 "arp"			{ scanner_push_start_cond(yyscanner, SCANSTATE_ARP); return ARP; }
 <SCANSTATE_ARP>{
-- 
2.26.2



* [PATCH nft 09/12] scanner: limit: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (7 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 08/12] scanner: vlan: move to own scope Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 10/12] scanner: quota: " Florian Westphal
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Moves rate and burst out of INITIAL.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 25 +++++++++++++------------
 src/scanner.l      |  9 ++++++---
 3 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 889f9418a864..a5ea208ecfc8 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -33,6 +33,7 @@ enum startcond_type {
 	PARSER_SC_ETH,
 	PARSER_SC_IP,
 	PARSER_SC_IP6,
+	PARSER_SC_LIMIT,
 	PARSER_SC_VLAN,
 	PARSER_SC_EXPR_FIB,
 	PARSER_SC_EXPR_HASH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a6ce506bf5b5..67afc32a547f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -870,6 +870,7 @@ close_scope_ip		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
 close_scope_ip6		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
 close_scope_vlan	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
 close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
+close_scope_limit	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
 close_scope_rt		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
@@ -1057,11 +1058,11 @@ add_cmd			:	TABLE		table_spec
 			{
 				$$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
 			}
-			|	LIMIT		obj_spec	limit_obj	limit_config
+			|	LIMIT		obj_spec	limit_obj	limit_config	close_scope_limit
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
 			}
-			|	LIMIT		obj_spec	limit_obj	'{' limit_block '}'
+			|	LIMIT		obj_spec	limit_obj	'{' limit_block '}'	close_scope_limit
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
 			}
@@ -1166,7 +1167,7 @@ create_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_EXPECT, &$3, &@$, $4);
 			}
-			|	LIMIT		obj_spec	limit_obj	limit_config
+			|	LIMIT		obj_spec	limit_obj	limit_config	close_scope_limit
 			{
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
 			}
@@ -1253,7 +1254,7 @@ delete_cmd		:	TABLE		table_or_id_spec
 			{
 				$$ = cmd_alloc_obj_ct(CMD_DELETE, $2, &$3, &@$, $4);
 			}
-			|	LIMIT		obj_or_id_spec
+			|	LIMIT		obj_or_id_spec	close_scope_limit
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_LIMIT, &$2, &@$, NULL);
 			}
@@ -1333,7 +1334,7 @@ list_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMITS, &$3, &@$, NULL);
 			}
-			|	LIMIT		obj_spec
+			|	LIMIT		obj_spec	close_scope_limit
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMIT, &$2, &@$, NULL);
 			}
@@ -1667,7 +1668,7 @@ table_block		:	/* empty */	{ $$ = $<table>-1; }
 			}
 			|	table_block	LIMIT		obj_identifier
 					obj_block_alloc	'{'	limit_block	'}'
-					stmt_separator
+					stmt_separator	close_scope_limit
 			{
 				$4->location = @3;
 				$4->type = NFT_OBJECT_LIMIT;
@@ -1880,7 +1881,7 @@ map_block_alloc		:	/* empty */
 
 map_block_obj_type	:	COUNTER	{ $$ = NFT_OBJECT_COUNTER; }
 			|	QUOTA { $$ = NFT_OBJECT_QUOTA; }
-			|	LIMIT { $$ = NFT_OBJECT_LIMIT; }
+			|	LIMIT	close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
 			|	SECMARK { $$ = NFT_OBJECT_SECMARK; }
 			;
 
@@ -3045,7 +3046,7 @@ log_flag_tcp		:	SEQUENCE
 			}
 			;
 
-limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst_pkts
+limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst_pkts	close_scope_limit
 	    		{
 				if ($7 == 0) {
 					erec_queue(error(&@7, "limit burst must be > 0"),
@@ -3059,7 +3060,7 @@ limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst_pkts
 				$$->limit.type	= NFT_LIMIT_PKTS;
 				$$->limit.flags = $3;
 			}
-			|	LIMIT	RATE	limit_mode	NUM	STRING	limit_burst_bytes
+			|	LIMIT	RATE	limit_mode	NUM	STRING	limit_burst_bytes	close_scope_limit
 			{
 				struct error_record *erec;
 				uint64_t rate, unit;
@@ -3084,7 +3085,7 @@ limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst_pkts
 				$$->limit.type	= NFT_LIMIT_PKT_BYTES;
 				$$->limit.flags = $3;
 			}
-			|	LIMIT	NAME	stmt_expr
+			|	LIMIT	NAME	stmt_expr	close_scope_limit
 			{
 				$$ = objref_stmt_alloc(&@$);
 				$$->objref.type = NFT_OBJECT_LIMIT;
@@ -4140,7 +4141,7 @@ set_elem_stmt		:	COUNTER
 				$$->counter.packets = $3;
 				$$->counter.bytes = $5;
 			}
-			|	LIMIT   RATE    limit_mode      NUM     SLASH   time_unit       limit_burst_pkts
+			|	LIMIT   RATE    limit_mode      NUM     SLASH   time_unit       limit_burst_pkts	close_scope_limit
 			{
 				if ($7 == 0) {
 					erec_queue(error(&@7, "limit burst must be > 0"),
@@ -4154,7 +4155,7 @@ set_elem_stmt		:	COUNTER
 				$$->limit.type  = NFT_LIMIT_PKTS;
 				$$->limit.flags = $3;
 			}
-			|       LIMIT   RATE    limit_mode      NUM     STRING  limit_burst_bytes
+			|       LIMIT   RATE    limit_mode      NUM     STRING  limit_burst_bytes	close_scope_limit
 			{
 				struct error_record *erec;
 				uint64_t rate, unit;
diff --git a/src/scanner.l b/src/scanner.l
index b664a794184f..2c5aae846d4f 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -201,6 +201,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_ETH
 %s SCANSTATE_IP
 %s SCANSTATE_IP6
+%s SCANSTATE_LIMIT
 %s SCANSTATE_VLAN
 %s SCANSTATE_EXPR_FIB
 %s SCANSTATE_EXPR_HASH
@@ -363,9 +364,11 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 	"bypass"	{ return BYPASS;}
 	"fanout"	{ return FANOUT;}
 }
-"limit"			{ return LIMIT; }
-"rate"			{ return RATE; }
-"burst"			{ return BURST; }
+"limit"			{ scanner_push_start_cond(yyscanner, SCANSTATE_LIMIT); return LIMIT; }
+<SCANSTATE_LIMIT>{
+	"rate"			{ return RATE; }
+	"burst"			{ return BURST; }
+}
 "until"			{ return UNTIL; }
 "over"			{ return OVER; }
 
-- 
2.26.2



* [PATCH nft 10/12] scanner: quota: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (8 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 09/12] scanner: limit: " Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 11/12] scanner: move until,over,used keywords away from init state Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 12/12] scanner: secmark: move to own scope Florian Westphal
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

... and move "used" keyword to it.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 21 +++++++++++----------
 src/scanner.l      |  5 +++--
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index a5ea208ecfc8..cc9790f62dc1 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -34,6 +34,7 @@ enum startcond_type {
 	PARSER_SC_IP,
 	PARSER_SC_IP6,
 	PARSER_SC_LIMIT,
+	PARSER_SC_QUOTA,
 	PARSER_SC_VLAN,
 	PARSER_SC_EXPR_FIB,
 	PARSER_SC_EXPR_HASH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 67afc32a547f..239838c2cbc2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -872,6 +872,7 @@ close_scope_vlan	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
 close_scope_ipsec	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
 close_scope_limit	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+close_scope_quota	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
 close_scope_rt		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
 close_scope_socket	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
@@ -1038,11 +1039,11 @@ add_cmd			:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_COUNTER, &$2, &@$, $3);
 			}
-			|	QUOTA		obj_spec	quota_obj	quota_config
+			|	QUOTA		obj_spec	quota_obj	quota_config	close_scope_quota
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, &@$, $3);
 			}
-			|	QUOTA		obj_spec	quota_obj	'{' quota_block	'}'
+			|	QUOTA		obj_spec	quota_obj	'{' quota_block	'}'	close_scope_quota
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, &@$, $3);
 			}
@@ -1151,7 +1152,7 @@ create_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_COUNTER, &$2, &@$, $3);
 			}
-			|	QUOTA		obj_spec	quota_obj	quota_config
+			|	QUOTA		obj_spec	quota_obj	quota_config	close_scope_quota
 			{
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_QUOTA, &$2, &@$, $3);
 			}
@@ -1246,7 +1247,7 @@ delete_cmd		:	TABLE		table_or_id_spec
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_COUNTER, &$2, &@$, NULL);
 			}
-			|	QUOTA		obj_or_id_spec
+			|	QUOTA		obj_or_id_spec	close_scope_quota
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_QUOTA, &$2, &@$, NULL);
 			}
@@ -1322,7 +1323,7 @@ list_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_QUOTAS, &$3, &@$, NULL);
 			}
-			|	QUOTA		obj_spec
+			|	QUOTA		obj_spec	close_scope_quota
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_QUOTA, &$2, &@$, NULL);
 			}
@@ -1428,7 +1429,7 @@ reset_cmd		:	COUNTERS	ruleset_spec
 			{
 				$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTAS, &$3, &@$, NULL);
 			}
-			|       QUOTA           obj_spec
+			|       QUOTA           obj_spec	close_scope_quota
 			{
 				$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
 			}
@@ -1630,7 +1631,7 @@ table_block		:	/* empty */	{ $$ = $<table>-1; }
 			}
 			|	table_block	QUOTA		obj_identifier
 					obj_block_alloc	'{'	quota_block	'}'
-					stmt_separator
+					stmt_separator	close_scope_quota
 			{
 				$4->location = @3;
 				$4->type = NFT_OBJECT_QUOTA;
@@ -1880,7 +1881,7 @@ map_block_alloc		:	/* empty */
 			;
 
 map_block_obj_type	:	COUNTER	{ $$ = NFT_OBJECT_COUNTER; }
-			|	QUOTA { $$ = NFT_OBJECT_QUOTA; }
+			|	QUOTA	close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
 			|	LIMIT	close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
 			|	SECMARK { $$ = NFT_OBJECT_SECMARK; }
 			;
@@ -3118,7 +3119,7 @@ quota_used		:	/* empty */	{ $$ = 0; }
 			}
 			;
 
-quota_stmt		:	QUOTA	quota_mode NUM quota_unit quota_used
+quota_stmt		:	QUOTA	quota_mode NUM quota_unit quota_used	close_scope_quota
 			{
 				struct error_record *erec;
 				uint64_t rate;
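Review bot: `quota_used` has an empty alternative (shown in the hunk header context), so the parser must read one token of lookahead before it can reduce `quota_used` and then `close_scope_quota`. That token is scanned while SCANSTATE_QUOTA is still active, so the scope effectively ends one token after the statement. Because the states are declared with `%s`, unscoped rules still match and only the scoped keywords (`used` here) are affected, but the rule deserves a comment such as `/* scope is popped only after the lookahead token has been scanned */`. The `limit_stmt` and `set_elem_stmt` rules in patch 09 behave the same way if `limit_burst_pkts` / `limit_burst_bytes` can be empty; their definitions are outside the hunks. The action body of `quota_stmt` also continues past this hunk.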
@@ -3134,7 +3135,7 @@ quota_stmt		:	QUOTA	quota_mode NUM quota_unit quota_used
 				$$->quota.used = $5;
 				$$->quota.flags	= $2;
 			}
-			|	QUOTA	NAME	stmt_expr
+			|	QUOTA	NAME	stmt_expr	close_scope_quota
 			{
 				$$ = objref_stmt_alloc(&@$);
 				$$->objref.type = NFT_OBJECT_QUOTA;
diff --git a/src/scanner.l b/src/scanner.l
index 2c5aae846d4f..e373ff848ba9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -202,6 +202,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_IP
 %s SCANSTATE_IP6
 %s SCANSTATE_LIMIT
+%s SCANSTATE_QUOTA
 %s SCANSTATE_VLAN
 %s SCANSTATE_EXPR_FIB
 %s SCANSTATE_EXPR_HASH
@@ -372,8 +373,8 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "until"			{ return UNTIL; }
 "over"			{ return OVER; }
 
-"quota"			{ return QUOTA; }
-"used"			{ return USED; }
+"quota"			{ scanner_push_start_cond(yyscanner, SCANSTATE_QUOTA); return QUOTA; }
+<SCANSTATE_QUOTA>"used"	{ return USED; }
 
 "second"		{ return SECOND; }
 "minute"		{ return MINUTE; }
-- 
2.26.2



* [PATCH nft 11/12] scanner: move until,over,used keywords away from init state
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (9 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 10/12] scanner: quota: " Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  2021-03-11 13:23 ` [PATCH nft 12/12] scanner: secmark: move to own scope Florian Westphal
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Only applicable for limit and quota. "ct count" also needs 'over'.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/scanner.l | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/scanner.l b/src/scanner.l
index e373ff848ba9..d09189ae4492 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -370,11 +370,13 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 	"rate"			{ return RATE; }
 	"burst"			{ return BURST; }
 }
-"until"			{ return UNTIL; }
-"over"			{ return OVER; }
+<SCANSTATE_CT,SCANSTATE_LIMIT,SCANSTATE_QUOTA>"over"		{ return OVER; }
 
 "quota"			{ scanner_push_start_cond(yyscanner, SCANSTATE_QUOTA); return QUOTA; }
-<SCANSTATE_QUOTA>"used"	{ return USED; }
+<SCANSTATE_QUOTA>{
+	"used"		{ return USED; }
+	"until"		{ return UNTIL; }
+}
 
 "second"		{ return SECOND; }
 "minute"		{ return MINUTE; }
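Review bot: "until" is now returned only under SCANSTATE_QUOTA, although the description says the keywords apply to limit and quota, and the "over" rule just above does include SCANSTATE_LIMIT. If the limit grammar accepts UNTIL (for instance through `limit_mode`, whose definition is not on this page), `limit rate until ...` would no longer yield that token. Either give the "until" rule the start-condition list `SCANSTATE_LIMIT,SCANSTATE_QUOTA`, or state in the commit message that "until" is deliberately quota-only.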
-- 
2.26.2



* [PATCH nft 12/12] scanner: secmark: move to own scope
  2021-03-11 13:23 [PATCH nft 00/12] move more keywords away from initial scope Florian Westphal
                   ` (10 preceding siblings ...)
  2021-03-11 13:23 ` [PATCH nft 11/12] scanner: move until,over,used keywords away from init state Florian Westphal
@ 2021-03-11 13:23 ` Florian Westphal
  11 siblings, 0 replies; 13+ messages in thread
From: Florian Westphal @ 2021-03-11 13:23 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 19 ++++++++++---------
 src/scanner.l      |  3 ++-
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index cc9790f62dc1..9fdebcd11dd2 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -35,6 +35,7 @@ enum startcond_type {
 	PARSER_SC_IP6,
 	PARSER_SC_LIMIT,
 	PARSER_SC_QUOTA,
+	PARSER_SC_SECMARK,
 	PARSER_SC_VLAN,
 	PARSER_SC_EXPR_FIB,
 	PARSER_SC_EXPR_HASH,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 239838c2cbc2..08a2599e5374 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -875,6 +875,7 @@ close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGE
 close_scope_quota	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
 close_scope_queue	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
 close_scope_rt		: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
+close_scope_secmark	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
 close_scope_socket	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
 
 common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
@@ -1067,11 +1068,11 @@ add_cmd			:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
 			}
-			|	SECMARK		obj_spec	secmark_obj	secmark_config
+			|	SECMARK		obj_spec	secmark_obj	secmark_config	close_scope_secmark
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
 			}
-			|	SECMARK		obj_spec	secmark_obj	'{' secmark_block '}'
+			|	SECMARK		obj_spec	secmark_obj	'{' secmark_block '}'	close_scope_secmark
 			{
 				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
 			}
@@ -1172,7 +1173,7 @@ create_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
 			}
-			|	SECMARK		obj_spec	secmark_obj	secmark_config
+			|	SECMARK		obj_spec	secmark_obj	secmark_config	close_scope_secmark
 			{
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SECMARK, &$2, &@$, $3);
 			}
@@ -1259,7 +1260,7 @@ delete_cmd		:	TABLE		table_or_id_spec
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_LIMIT, &$2, &@$, NULL);
 			}
-			|	SECMARK		obj_or_id_spec
+			|	SECMARK		obj_or_id_spec	close_scope_secmark
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
 			}
@@ -1347,7 +1348,7 @@ list_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
 			}
-			|	SECMARK		obj_spec
+			|	SECMARK		obj_spec	close_scope_secmark
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARK, &$2, &@$, NULL);
 			}
@@ -1680,7 +1681,7 @@ table_block		:	/* empty */	{ $$ = $<table>-1; }
 			}
 			|	table_block	SECMARK		obj_identifier
 					obj_block_alloc	'{'	secmark_block	'}'
-					stmt_separator
+					stmt_separator	close_scope_secmark
 			{
 				$4->location = @3;
 				$4->type = NFT_OBJECT_SECMARK;
@@ -1883,7 +1884,7 @@ map_block_alloc		:	/* empty */
 map_block_obj_type	:	COUNTER	{ $$ = NFT_OBJECT_COUNTER; }
 			|	QUOTA	close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
 			|	LIMIT	close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
-			|	SECMARK { $$ = NFT_OBJECT_SECMARK; }
+			|	SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
 			;
 
 map_block		:	/* empty */	{ $$ = $<set>-1; }
@@ -4727,7 +4728,7 @@ meta_key_qualified	:	LENGTH		{ $$ = NFT_META_LEN; }
 			|	PROTOCOL	{ $$ = NFT_META_PROTOCOL; }
 			|	PRIORITY	{ $$ = NFT_META_PRIORITY; }
 			|	RANDOM		{ $$ = NFT_META_PRANDOM; }
-			|	SECMARK		{ $$ = NFT_META_SECMARK; }
+			|	SECMARK	close_scope_secmark { $$ = NFT_META_SECMARK; }
 			;
 
 meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
@@ -4966,7 +4967,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	PROTO_DST	{ $$ = NFT_CT_PROTO_DST; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
-			|	SECMARK		{ $$ = NFT_CT_SECMARK; }
+			|	SECMARK	close_scope_secmark { $$ = NFT_CT_SECMARK; }
 			|	ID	 	{ $$ = NFT_CT_ID; }
 			|	ct_key_dir_optional
 			;
diff --git a/src/scanner.l b/src/scanner.l
index d09189ae4492..a73ce1b819d8 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -203,6 +203,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_IP6
 %s SCANSTATE_LIMIT
 %s SCANSTATE_QUOTA
+%s SCANSTATE_SECMARK
 %s SCANSTATE_VLAN
 %s SCANSTATE_EXPR_FIB
 %s SCANSTATE_EXPR_HASH
@@ -634,7 +635,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 	"out"			{ return OUT; }
 }
 
-"secmark"		{ return SECMARK; }
+"secmark"		{ scanner_push_start_cond(yyscanner, SCANSTATE_SECMARK); return SECMARK; }
 "secmarks"		{ return SECMARKS; }
 
 {addrstring}		{
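Review bot: "secmark" now pushes SCANSTATE_SECMARK, but the patch adds no rule conditioned on that state, so it removes no keyword from the initial state. It still adds an obligation: every production that consumes SECMARK must end in `close_scope_secmark`, and one that is missed leaves the state on the stack. If the scope is preparation for keywords that will move later, record that next to the rule, e.g. `/* no scoped keywords yet */`.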
-- 
2.26.2


