From: Alexander Holler <holler@ahsoftware.de>
To: netfilter-devel@vger.kernel.org
Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>,
Eric Leblond <eric@regit.org>
Subject: Re: nft parser and problems with icmp type names (redirect and param-problem)
Date: Wed, 01 Apr 2015 15:15:43 +0200
Message-ID: <551BEF7F.3050908@ahsoftware.de>
In-Reply-To: <551BA511.6010901@ahsoftware.de>

On 01.04.2015 at 09:58, Alexander Holler wrote:
> Hello,
>
> are the problems with some named icmp types known?
>
> I'm talking about
>
> host ~ # nft add rule ip6 filter input icmpv6 type { param-problem } accept
> <cmdline>:1:41-53: Error: syntax error, unexpected param-problem
> add rule ip6 filter input icmpv6 type { param-problem } accept
> ^^^^^^^^^^^^^
> host ~ # nft add rule filter input icmp type { redirect } accept
> <cmdline>:1:35-42: Error: syntax error, unexpected redirect
> add rule filter input icmp type { redirect } accept

This message is basically to get Eric Leblond on board, who seems to
have written the stuff which made it possible to use icmp type names.

But to add something useful to this message too:

Having dug a bit further I see two solutions.

- Change all the icmp type names to not get in conflict with tokens
  (keywords), e.g. by prefixing them with "icmp_" or "icmpv6_" like
  "icmp_redirect". That would be a clean and straightforward solution.
  Unfortunately it would mean old (icmp type) rules won't work and
  personally I think the longer names would be a bit unhandy to use.

- Add context dependency to the parser. The relevant part in the bison
  manual would be the chapter "Handling Context Dependencies":
  http://www.chemie.fu-berlin.de/chemnet/use/info/bison/bison_10.html

Personally I would prefer the second solution, also it means the code
would become a bit more complicated.

Any comments on which solution would be preferred by other people?

Regards,

Alexander Holler

BTW: I think this is currently a bit of a show stopper. One definitely wants
to filter icmp and one definitely wants to save/restore rulesets. It is
no problem for people who are writing their rulesets by hand, but
those who are dynamically changing rules are likely relying on the
possibility to save and restore the whole ruleset (and being able to
filter icmp).
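
The second option in the message above (a lexer that takes parser context into account), as an added sketch that is not code from this thread or from nft: the keyword list, `lex_line` and the `tie_in` flag are constructed for illustration, and the input is assumed to be space-separated. It shows the same rule lexed without and with the context flag, so that `redirect` after `type` stops being treated as a keyword.

```c
#include <stdio.h>
#include <string.h>
enum tok { T_KEYWORD, T_STRING, T_PUNCT };
/* Constructed keyword list for this sketch; not nft's real token table. */
static const char *keywords[] = { "add", "rule", "icmp", "icmpv6", "type",
                                  "accept", "redirect", "param-problem" };
static int is_keyword(const char *w)
{
    for (size_t i = 0; i < sizeof(keywords) / sizeof(keywords[0]); i++)
        if (strcmp(w, keywords[i]) == 0)
            return 1;
    return 0;
}

/* Classify the space-separated words of line into out[]; return the count.
 * With tie_in set, what follows "type" (one word or a { } set) is a name. */
int lex_line(const char *line, int tie_in, enum tok *out, int max)
{
    char buf[256];
    int n = 0, expect_const = 0, in_set = 0;
    snprintf(buf, sizeof(buf), "%s", line);
    for (char *w = strtok(buf, " "); w && n < max; w = strtok(NULL, " ")) {
        if (!strcmp(w, "{") || !strcmp(w, "}") || !strcmp(w, ",")) {
            if (*w == '{' && expect_const)
                in_set = 1;
            else if (*w == '}')
                in_set = expect_const = 0;
            out[n++] = T_PUNCT;
        } else if (tie_in && expect_const) {
            out[n++] = T_STRING;    /* "redirect" here is a name */
            expect_const = in_set;  /* bare constant: one word only */
        } else {
            out[n++] = is_keyword(w) ? T_KEYWORD : T_STRING;
            expect_const = !strcmp(w, "type");
        }
    }
    return n;
}

int main(void)
{
    enum tok t[16];
    const char *rule = "add rule filter input icmp type { redirect } accept";
    for (int tie_in = 0; tie_in <= 1; tie_in++) {
        lex_line(rule, tie_in, t, 16);
        printf("tie_in=%d: redirect -> %s\n", tie_in, t[7] == T_KEYWORD ? "keyword" : "name");
    }
    return 0;
}
```

In a bison/flex parser the flag would be set by the grammar action that has just consumed `type` and cleared once the constant or set has been read.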