* [PATCH nft] evaluate: expand variable containing set into multiple mappings
@ 2021-08-12 14:50 Pablo Neira Ayuso
0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2021-08-12 14:50 UTC (permalink / raw)
To: netfilter-devel
# cat x.nft
define interfaces = { eth0, eth1 }
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { lo : accept, $interfaces : drop }
}
}
# nft -f x.nft
# nft list ruleset
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
supersedes: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210811103344.23073-1-pablo@netfilter.org/
src/evaluate.c | 17 +++++++++++++++++
tests/shell/testcases/maps/0012map_0 | 17 +++++++++++++++++
tests/shell/testcases/maps/dumps/0012map_0.nft | 12 ++++++++++++
3 files changed, 46 insertions(+)
create mode 100755 tests/shell/testcases/maps/0012map_0
create mode 100644 tests/shell/testcases/maps/dumps/0012map_0.nft
diff --git a/src/evaluate.c b/src/evaluate.c
index 8b5f51cee01c..8ebc75617b1c 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1431,6 +1431,23 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
if (list_member_evaluate(ctx, &i) < 0)
return -1;
+ if (i->etype == EXPR_MAPPING &&
+ i->left->etype == EXPR_SET_ELEM &&
+ i->left->key->etype == EXPR_SET) {
+ struct expr *new, *j;
+
+ list_for_each_entry(j, &i->left->key->expressions, list) {
+ new = mapping_expr_alloc(&i->location,
+ expr_get(j),
+ expr_clone(i->right));
+ list_add_tail(&new->list, &set->expressions);
+ set->size++;
+ }
+ list_del(&i->list);
+ expr_free(i);
+ continue;
+ }
+
elem = expr_set_elem(i);
if (elem->etype == EXPR_SET_ELEM &&
diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0
new file mode 100755
index 000000000000..dd93c482f441
--- /dev/null
+++ b/tests/shell/testcases/maps/0012map_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define interfaces = { eth0, eth1 }
+
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { \$interfaces : drop, lo : accept }
+ }
+ chain y {
+ iifname vmap { lo : accept, \$interfaces : drop }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft
new file mode 100644
index 000000000000..e734fc1c70b9
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0012map_0.nft
@@ -0,0 +1,12 @@
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { "lo" : accept,
+ "eth0" : drop,
+ "eth1" : drop }
+ }
+
+ chain y {
+ iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
+ }
+}
--
2.20.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-08-12 14:51 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-12 14:50 [PATCH nft] evaluate: expand variable containing set into multiple mappings Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).