diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-11-06 13:34:48 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-11-10 18:11:43 +0100 |
commit | 850e311d98a2340a9d2d86d28a4d2280fa6cf76c (patch) | |
tree | 55b9e60c5021b2c057e5f686c91a18b33ebef13b /src/parser.y | |
parent | 0aae6c77f9b57d6347a1a7df0ee9f98a5148b526 (diff) |
rename parser.y to parser_bison.y
The conversion to the autotools need this.
Make sure you remove the autogenerated parser.c and parser.h from
your tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser.y')
-rw-r--r-- | src/parser.y | 2249 |
1 files changed, 0 insertions, 2249 deletions
diff --git a/src/parser.y b/src/parser.y deleted file mode 100644 index 9108dd22..00000000 --- a/src/parser.y +++ /dev/null @@ -1,2249 +0,0 @@ -/* - * Copyright (c) 2007-2012 Patrick McHardy <kaber@trash.net> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - * - * Development of this code funded by Astaro AG (http://www.astaro.com/) - */ - -%{ - -#include <stddef.h> -#include <stdio.h> -#include <inttypes.h> -#include <syslog.h> -#include <netinet/ip.h> -#include <netinet/if_ether.h> -#include <linux/netfilter.h> -#include <linux/netfilter/nf_tables.h> -#include <linux/netfilter/nf_conntrack_tuple_common.h> -#include <linux/netfilter/nf_nat.h> -#include <netinet/ip_icmp.h> -#include <netinet/icmp6.h> -#include <libnftnl/common.h> -#include <libnftnl/set.h> - -#include <rule.h> -#include <statement.h> -#include <expression.h> -#include <utils.h> -#include <parser.h> -#include <erec.h> - -#include "parser.h" -#include "scanner.h" - -void parser_init(struct parser_state *state, struct list_head *msgs) -{ - memset(state, 0, sizeof(*state)); - init_list_head(&state->cmds); - init_list_head(&state->top_scope.symbols); - state->msgs = msgs; - state->scopes[0] = scope_init(&state->top_scope, NULL); - state->ectx.msgs = msgs; -} - -static void yyerror(struct location *loc, void *scanner, - struct parser_state *state, const char *s) -{ - erec_queue(error(loc, "%s", s), state->msgs); -} - -static struct scope *current_scope(const struct parser_state *state) -{ - return state->scopes[state->scope]; -} - -static void open_scope(struct parser_state *state, struct scope *scope) -{ - assert(state->scope < array_size(state->scopes) - 1); - scope_init(scope, current_scope(state)); - state->scopes[++state->scope] = scope; -} - -static void close_scope(struct parser_state *state) -{ - assert(state->scope > 0); - state->scope--; -} - -static void location_init(void *scanner, struct parser_state *state, - struct location *loc) -{ - memset(loc, 0, sizeof(*loc)); - loc->indesc = state->indesc; -} - -static void location_update(struct location *loc, struct location *rhs, int n) -{ - if (n) { - loc->indesc = rhs[n].indesc; - loc->token_offset = rhs[1].token_offset; - loc->line_offset = rhs[1].line_offset; - loc->first_line = rhs[1].first_line; - loc->first_column = rhs[1].first_column; - loc->last_line = rhs[n].last_line; - loc->last_column = rhs[n].last_column; - } else { - loc->indesc = rhs[0].indesc; - loc->token_offset = rhs[0].token_offset; - loc->line_offset = rhs[0].line_offset; - loc->first_line = loc->last_line = rhs[0].last_line; - loc->first_column = loc->last_column = rhs[0].last_column; - } -} - -#define YYLLOC_DEFAULT(Current, Rhs, N) location_update(&Current, Rhs, N) - -%} - -/* Declaration section */ - -%name-prefix "nft_" -%debug -%pure-parser -%parse-param { void *scanner } -%parse-param { struct parser_state *state } -%lex-param { scanner } -%error-verbose -%locations - -%initial-action { - location_init(scanner, state, &yylloc); -#ifdef DEBUG - if (debug_level & DEBUG_SCANNER) - nft_set_debug(1, scanner); - if (debug_level & DEBUG_PARSER) - yydebug = 1; -#endif -} - -%union { - uint64_t val; - const char * string; - - struct list_head *list; - struct cmd *cmd; - struct handle handle; - struct table *table; - struct chain *chain; - struct rule *rule; - struct stmt *stmt; - struct expr *expr; - struct set *set; -} - -%token TOKEN_EOF 0 "end of file" -%token JUNK "junk" - -%token NEWLINE "newline" -%token COLON "colon" -%token SEMICOLON "semicolon" -%token COMMA "comma" -%token DOT "." - -%token EQ "==" -%token NEQ "!=" -%token LT "<" -%token GT ">" -%token GTE ">=" -%token LTE "<=" -%token LSHIFT "<<" -%token RSHIFT ">>" -%token AMPERSAND "&" -%token CARET "^" -%token NOT "!" -%token SLASH "/" -%token ASTERISK "*" -%token DASH "-" -%token AT "@" -%token VMAP "vmap" - -%token INCLUDE "include" -%token DEFINE "define" - -%token HOOK "hook" -%token TABLE "table" -%token TABLES "tables" -%token CHAIN "chain" -%token CHAINS "chains" -%token RULE "rule" -%token RULES "rules" -%token SETS "sets" -%token SET "set" -%token ELEMENT "element" -%token MAP "map" -%token HANDLE "handle" -%token RULESET "ruleset" - -%token INET "inet" - -%token ADD "add" -%token CREATE "create" -%token INSERT "insert" -%token DELETE "delete" -%token LIST "list" -%token FLUSH "flush" -%token RENAME "rename" -%token DESCRIBE "describe" -%token EXPORT "export" -%token MONITOR "monitor" - -%token ACCEPT "accept" -%token DROP "drop" -%token CONTINUE "continue" -%token JUMP "jump" -%token GOTO "goto" -%token RETURN "return" - -%token CONSTANT "constant" -%token INTERVAL "interval" -%token ELEMENTS "elements" - -%token POLICY "policy" -%token MEMORY "memory" -%token PERFORMANCE "performance" -%token SIZE "size" - -%token <val> NUM "number" -%token <string> STRING "string" -%token <string> QUOTED_STRING -%destructor { xfree($$); } STRING QUOTED_STRING - -%token LL_HDR "ll" -%token NETWORK_HDR "nh" -%token TRANSPORT_HDR "th" - -%token BRIDGE "bridge" - -%token ETHER "ether" -%token SADDR "saddr" -%token DADDR "daddr" -%token TYPE "type" - -%token VLAN "vlan" -%token ID "id" -%token CFI "cfi" -%token PCP "pcp" - -%token ARP "arp" -%token HTYPE "htype" -%token PTYPE "ptype" -%token HLEN "hlen" -%token PLEN "plen" -%token OPERATION "operation" - -%token IP "ip" -%token VERSION "version" -%token HDRLENGTH "hdrlength" -%token TOS "tos" -%token LENGTH "length" -%token FRAG_OFF "frag-off" -%token TTL "ttl" -%token PROTOCOL "protocol" -%token CHECKSUM "checksum" - -%token ICMP "icmp" -%token CODE "code" -%token SEQUENCE "seq" -%token GATEWAY "gateway" -%token MTU "mtu" - -%token IP6 "ip6" -%token PRIORITY "priority" -%token FLOWLABEL "flowlabel" -%token NEXTHDR "nexthdr" -%token HOPLIMIT "hoplimit" - -%token ICMP6 "icmpv6" -%token PPTR "param-problem" -%token MAXDELAY "max-delay" - -%token AH "ah" -%token RESERVED "reserved" -%token SPI "spi" - -%token ESP "esp" - -%token COMP "comp" -%token FLAGS "flags" -%token CPI "cpi" - -%token UDP "udp" -%token SPORT "sport" -%token DPORT "dport" -%token UDPLITE "udplite" -%token CSUMCOV "csumcov" - -%token TCP "tcp" -%token ACKSEQ "ackseq" -%token DOFF "doff" -%token WINDOW "window" -%token URGPTR "urgptr" - -%token DCCP "dccp" - -%token SCTP "sctp" -%token VTAG "vtag" - -%token RT "rt" -%token RT0 "rt0" -%token RT2 "rt2" -%token SEG_LEFT "seg-left" -%token ADDR "addr" - -%token HBH "hbh" - -%token FRAG "frag" -%token RESERVED2 "reserved2" -%token MORE_FRAGMENTS "more-fragments" - -%token DST "dst" - -%token MH "mh" - -%token META "meta" -%token NFPROTO "nfproto" -%token L4PROTO "l4proto" -%token MARK "mark" -%token IIF "iif" -%token IIFNAME "iifname" -%token IIFTYPE "iiftype" -%token OIF "oif" -%token OIFNAME "oifname" -%token OIFTYPE "oiftype" -%token SKUID "skuid" -%token SKGID "skgid" -%token NFTRACE "nftrace" -%token RTCLASSID "rtclassid" -%token IBRIPORT "ibriport" -%token OBRIPORT "obriport" -%token PKTTYPE "pkttype" -%token CPU "cpu" -%token IIFGROUP "iifgroup" -%token OIFGROUP "oifgroup" -%token CGROUP "cgroup" - -%token CT "ct" -%token DIRECTION "direction" -%token STATE "state" -%token STATUS "status" -%token EXPIRATION "expiration" -%token HELPER "helper" -%token L3PROTOCOL "l3proto" -%token PROTO_SRC "proto-src" -%token PROTO_DST "proto-dst" -%token LABEL "label" - -%token COUNTER "counter" -%token PACKETS "packets" -%token BYTES "bytes" - -%token LOG "log" -%token PREFIX "prefix" -%token GROUP "group" -%token SNAPLEN "snaplen" -%token QUEUE_THRESHOLD "queue-threshold" -%token LEVEL "level" -%token LEVEL_EMERG "emerg" -%token LEVEL_ALERT "alert" -%token LEVEL_CRIT "crit" -%token LEVEL_ERR "err" -%token LEVEL_WARN "warn" -%token LEVEL_NOTICE "notice" -%token LEVEL_INFO "info" -%token LEVEL_DEBUG "debug" - -%token LIMIT "limit" -%token RATE "rate" - -%token NANOSECOND "nanosecond" -%token MICROSECOND "microsecond" -%token MILLISECOND "millisecond" -%token SECOND "second" -%token MINUTE "minute" -%token HOUR "hour" -%token DAY "day" -%token WEEK "week" - -%token _REJECT "reject" -%token RESET "reset" -%token WITH "with" -%token ICMPX "icmpx" - -%token SNAT "snat" -%token DNAT "dnat" -%token MASQUERADE "masquerade" -%token REDIRECT "redirect" -%token RANDOM "random" -%token RANDOM_FULLY "random-fully" -%token PERSISTENT "persistent" - -%token QUEUE "queue" -%token QUEUENUM "num" -%token BYPASS "bypass" -%token FANOUT "fanout" - -%token POSITION "position" -%token COMMENT "comment" - -%token XML "xml" -%token JSON "json" - -%type <string> identifier string comment_spec -%destructor { xfree($$); } identifier string comment_spec - -%type <cmd> line -%destructor { cmd_free($$); } line - -%type <cmd> base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd -%destructor { cmd_free($$); } base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd - -%type <handle> table_spec tables_spec chain_spec chain_identifier ruleid_spec ruleset_spec -%destructor { handle_free(&$$); } table_spec tables_spec chain_spec chain_identifier ruleid_spec ruleset_spec -%type <handle> set_spec set_identifier -%destructor { handle_free(&$$); } set_spec set_identifier -%type <val> handle_spec family_spec family_spec_explicit position_spec - -%type <table> table_block_alloc table_block -%destructor { close_scope(state); table_free($$); } table_block_alloc -%type <chain> chain_block_alloc chain_block -%destructor { close_scope(state); chain_free($$); } chain_block_alloc -%type <rule> rule -%destructor { rule_free($$); } rule - -%type <val> set_flag_list set_flag - -%type <val> set_policy_spec - -%type <set> set_block_alloc set_block -%destructor { set_free($$); } set_block_alloc - -%type <set> map_block_alloc map_block -%destructor { set_free($$); } map_block_alloc - -%type <list> stmt_list -%destructor { stmt_list_free($$); xfree($$); } stmt_list -%type <stmt> stmt match_stmt verdict_stmt -%destructor { stmt_free($$); } stmt match_stmt verdict_stmt -%type <stmt> counter_stmt counter_stmt_alloc -%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc -%type <stmt> ct_stmt -%destructor { stmt_free($$); } ct_stmt -%type <stmt> meta_stmt -%destructor { stmt_free($$); } meta_stmt -%type <stmt> log_stmt log_stmt_alloc -%destructor { stmt_free($$); } log_stmt log_stmt_alloc -%type <val> level_type -%type <stmt> limit_stmt -%destructor { stmt_free($$); } limit_stmt -%type <val> time_unit -%type <stmt> reject_stmt reject_stmt_alloc -%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc -%type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc -%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc -%type <val> nf_nat_flags nf_nat_flag -%type <stmt> queue_stmt queue_stmt_alloc -%destructor { stmt_free($$); } queue_stmt queue_stmt_alloc -%type <val> queue_stmt_flags queue_stmt_flag - -%type <expr> symbol_expr verdict_expr integer_expr -%destructor { expr_free($$); } symbol_expr verdict_expr integer_expr -%type <expr> primary_expr shift_expr and_expr -%destructor { expr_free($$); } primary_expr shift_expr and_expr -%type <expr> exclusive_or_expr inclusive_or_expr -%destructor { expr_free($$); } exclusive_or_expr inclusive_or_expr -%type <expr> basic_expr -%destructor { expr_free($$); } basic_expr - -%type <expr> multiton_expr -%destructor { expr_free($$); } multiton_expr -%type <expr> prefix_expr range_expr wildcard_expr -%destructor { expr_free($$); } prefix_expr range_expr wildcard_expr -%type <expr> list_expr -%destructor { expr_free($$); } list_expr -%type <expr> concat_expr map_lhs_expr -%destructor { expr_free($$); } concat_expr map_lhs_expr - -%type <expr> map_expr -%destructor { expr_free($$); } map_expr - -%type <expr> verdict_map_stmt -%destructor { expr_free($$); } verdict_map_stmt - -%type <expr> verdict_map_expr verdict_map_list_expr verdict_map_list_member_expr -%destructor { expr_free($$); } verdict_map_expr verdict_map_list_expr verdict_map_list_member_expr - -%type <expr> set_expr set_list_expr set_list_member_expr -%destructor { expr_free($$); } set_expr set_list_expr set_list_member_expr - -%type <expr> expr initializer_expr -%destructor { expr_free($$); } expr initializer_expr - -%type <expr> relational_expr -%destructor { expr_free($$); } relational_expr -%type <val> relational_op - -%type <expr> payload_expr payload_raw_expr -%destructor { expr_free($$); } payload_expr payload_raw_expr -%type <val> payload_base_spec -%type <expr> eth_hdr_expr vlan_hdr_expr -%destructor { expr_free($$); } eth_hdr_expr vlan_hdr_expr -%type <val> eth_hdr_field vlan_hdr_field -%type <expr> arp_hdr_expr -%destructor { expr_free($$); } arp_hdr_expr -%type <val> arp_hdr_field -%type <expr> ip_hdr_expr icmp_hdr_expr -%destructor { expr_free($$); } ip_hdr_expr icmp_hdr_expr -%type <val> ip_hdr_field icmp_hdr_field -%type <expr> ip6_hdr_expr icmp6_hdr_expr -%destructor { expr_free($$); } ip6_hdr_expr icmp6_hdr_expr -%type <val> ip6_hdr_field icmp6_hdr_field -%type <expr> auth_hdr_expr esp_hdr_expr comp_hdr_expr -%destructor { expr_free($$); } auth_hdr_expr esp_hdr_expr comp_hdr_expr -%type <val> auth_hdr_field esp_hdr_field comp_hdr_field -%type <expr> udp_hdr_expr udplite_hdr_expr tcp_hdr_expr -%destructor { expr_free($$); } udp_hdr_expr udplite_hdr_expr tcp_hdr_expr -%type <val> udp_hdr_field udplite_hdr_field tcp_hdr_field -%type <expr> dccp_hdr_expr sctp_hdr_expr -%destructor { expr_free($$); } dccp_hdr_expr sctp_hdr_expr -%type <val> dccp_hdr_field sctp_hdr_field - -%type <expr> exthdr_expr -%destructor { expr_free($$); } exthdr_expr -%type <expr> hbh_hdr_expr frag_hdr_expr dst_hdr_expr -%destructor { expr_free($$); } hbh_hdr_expr frag_hdr_expr dst_hdr_expr -%type <val> hbh_hdr_field frag_hdr_field dst_hdr_field -%type <expr> rt_hdr_expr rt0_hdr_expr rt2_hdr_expr -%destructor { expr_free($$); } rt_hdr_expr rt0_hdr_expr rt2_hdr_expr -%type <val> rt_hdr_field rt0_hdr_field rt2_hdr_field -%type <expr> mh_hdr_expr -%destructor { expr_free($$); } mh_hdr_expr -%type <val> mh_hdr_field - -%type <expr> meta_expr -%destructor { expr_free($$); } meta_expr -%type <val> meta_key meta_key_qualified meta_key_unqualified - -%type <expr> ct_expr -%destructor { expr_free($$); } ct_expr -%type <val> ct_key - -%type <val> export_format -%type <string> monitor_event -%destructor { xfree($$); } monitor_event -%type <val> monitor_object monitor_format - -%% - -input : /* empty */ - | input line - { - if ($2 != NULL) { - LIST_HEAD(list); - - $2->location = @2; - - list_add_tail(&$2->list, &list); - if (cmd_evaluate(&state->ectx, $2) < 0) { - if (++state->nerrs == max_errors) - YYABORT; - } else - list_splice_tail(&list, &state->cmds); - } - } - ; - -stmt_seperator : NEWLINE - | SEMICOLON - ; - -opt_newline : NEWLINE - | /* empty */ - ; - -common_block : INCLUDE QUOTED_STRING stmt_seperator - { - if (scanner_include_file(scanner, $2, &@$) < 0) { - xfree($2); - YYERROR; - } - xfree($2); - } - | DEFINE identifier '=' initializer_expr stmt_seperator - { - struct scope *scope = current_scope(state); - - if (symbol_lookup(scope, $2) != NULL) { - erec_queue(error(&@2, "redfinition of symbol '%s'", $2), - state->msgs); - YYERROR; - } - - symbol_bind(scope, $2, $4); - xfree($2); - } - | error stmt_seperator - { - if (++state->nerrs == max_errors) - YYABORT; - yyerrok; - } - ; - -line : common_block { $$ = NULL; } - | stmt_seperator { $$ = NULL; } - | base_cmd stmt_seperator { $$ = $1; } - | base_cmd TOKEN_EOF - { - /* - * Very hackish workaround for bison >= 2.4: previous versions - * terminated parsing after EOF, 2.4+ tries to get further input - * in 'input' and calls the scanner again, causing a crash when - * the final input buffer has been popped. Terminate manually to - * avoid this. The correct fix should be to adjust the grammar - * to accept EOF in input, but for unknown reasons it does not - * work. - */ - if ($1 != NULL) { - LIST_HEAD(list); - - $1->location = @1; - - list_add_tail(&$1->list, &list); - if (cmd_evaluate(&state->ectx, $1) < 0) { - if (++state->nerrs == max_errors) - YYABORT; - } else - list_splice_tail(&list, &state->cmds); - } - $$ = NULL; - - YYACCEPT; - } - ; - -base_cmd : /* empty */ add_cmd { $$ = $1; } - | ADD add_cmd { $$ = $2; } - | CREATE create_cmd { $$ = $2; } - | INSERT insert_cmd { $$ = $2; } - | DELETE delete_cmd { $$ = $2; } - | LIST list_cmd { $$ = $2; } - | FLUSH flush_cmd { $$ = $2; } - | RENAME rename_cmd { $$ = $2; } - | EXPORT export_cmd { $$ = $2; } - | MONITOR monitor_cmd { $$ = $2; } - | DESCRIBE describe_cmd { $$ = $2; } - ; - -add_cmd : TABLE table_spec - { - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_TABLE, &$2, &@$, NULL); - } - | TABLE table_spec table_block_alloc - '{' table_block '}' - { - handle_merge(&$3->handle, &$2); - close_scope(state); - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_TABLE, &$2, &@$, $5); - } - | CHAIN chain_spec - { - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_CHAIN, &$2, &@$, NULL); - } - | CHAIN chain_spec chain_block_alloc - '{' chain_block '}' - { - $5->location = @5; - handle_merge(&$3->handle, &$2); - close_scope(state); - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_CHAIN, &$2, &@$, $5); - } - | RULE ruleid_spec rule - { - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_RULE, &$2, &@$, $3); - } - | /* empty */ ruleid_spec rule - { - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_RULE, &$1, &@$, $2); - } - | SET set_spec set_block_alloc - '{' set_block '}' - { - $5->location = @5; - handle_merge(&$3->handle, &$2); - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SET, &$2, &@$, $5); - } - | MAP set_spec map_block_alloc - '{' map_block '}' - { - $5->location = @5; - handle_merge(&$3->handle, &$2); - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SET, &$2, &@$, $5); - } - | ELEMENT set_spec set_expr - { - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEM, &$2, &@$, $3); - } - ; - -create_cmd : TABLE table_spec - { - $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_TABLE, &$2, &@$, NULL); - } - | TABLE table_spec table_block_alloc - '{' table_block '}' - { - handle_merge(&$3->handle, &$2); - close_scope(state); - $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_TABLE, &$2, &@$, $5); - } - | CHAIN chain_spec - { - $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_CHAIN, &$2, &@$, NULL); - } - | CHAIN chain_spec chain_block_alloc - '{' chain_block '}' - { - $5->location = @5; - handle_merge(&$3->handle, &$2); - close_scope(state); - $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_CHAIN, &$2, &@$, $5); - } - ; - -insert_cmd : RULE ruleid_spec rule - { - $$ = cmd_alloc(CMD_INSERT, CMD_OBJ_RULE, &$2, &@$, $3); - } - ; - -delete_cmd : TABLE table_spec - { - $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_TABLE, &$2, &@$, NULL); - } - | CHAIN chain_spec - { - $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_CHAIN, &$2, &@$, NULL); - } - | RULE ruleid_spec - { - $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_RULE, &$2, &@$, NULL); - } - | SET set_spec - { - $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SET, &$2, &@$, NULL); - } - | MAP set_spec - { - $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SET, &$2, &@$, NULL); - } - | ELEMENT set_spec set_expr - { - $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SETELEM, &$2, &@$, $3); - } - ; - -list_cmd : TABLE table_spec - { - $$ = cmd_alloc(CMD_LIST, CMD_OBJ_TABLE, &$2, &@$, NULL); - } - | TABLES tables_spec - { - $$ = cmd_alloc(CMD_LIST, CMD_OBJ_TABLE, &$2, &@$, NULL); - } - | CHAIN chain_spec - { - $$ = cmd_alloc(CMD_LIST, CMD_OBJ_CHAIN, &$2, &@$, NULL); - } - | SETS tables_spec - { - $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SETS, &$2, &@$, NULL); - } - | SET set_spec - { - $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SET, &$2, &@$, NULL); - } - | RULESET ruleset_spec - { - $$ = cmd_alloc(CMD_LIST, CMD_OBJ_RULESET, &$2, &@$, NULL); - } - ; - -flush_cmd : TABLE table_spec - { - $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_TABLE, &$2, &@$, NULL); - } - | CHAIN chain_spec - { - $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_CHAIN, &$2, &@$, NULL); - } - | SET set_spec - { - $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_SET, &$2, &@$, NULL); - } - | RULESET ruleset_spec - { - $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_RULESET, &$2, &@$, NULL); - } - ; - -rename_cmd : CHAIN chain_spec identifier - { - $$ = cmd_alloc(CMD_RENAME, CMD_OBJ_CHAIN, &$2, &@$, NULL); - $$->arg = $3; - } - ; - -export_cmd : export_format - { - struct handle h = { .family = NFPROTO_UNSPEC }; - struct export *export = export_alloc($1); - $$ = cmd_alloc(CMD_EXPORT, CMD_OBJ_EXPORT, &h, &@$, export); - } - ; - -monitor_cmd : monitor_event monitor_object monitor_format - { - struct handle h = { .family = NFPROTO_UNSPEC }; - struct monitor *m = monitor_alloc($3, $2, $1); - m->location = @1; - $$ = cmd_alloc(CMD_MONITOR, CMD_OBJ_MONITOR, &h, &@$, m); - } - ; - -monitor_event : /* empty */ { $$ = NULL; } - | STRING { $$ = $1; } - ; - -monitor_object : /* empty */ { $$ = CMD_MONITOR_OBJ_ANY; } - | TABLES { $$ = CMD_MONITOR_OBJ_TABLES; } - | CHAINS { $$ = CMD_MONITOR_OBJ_CHAINS; } - | SETS { $$ = CMD_MONITOR_OBJ_SETS; } - | RULES { $$ = CMD_MONITOR_OBJ_RULES; } - | ELEMENTS { $$ = CMD_MONITOR_OBJ_ELEMS; } - ; - -monitor_format : /* empty */ { $$ = NFT_OUTPUT_DEFAULT; } - | export_format - ; - -export_format : XML { $$ = NFT_OUTPUT_XML; } - | JSON { $$ = NFT_OUTPUT_JSON; } - ; - -describe_cmd : primary_expr - { - struct handle h = { .family = NFPROTO_UNSPEC }; - $$ = cmd_alloc(CMD_DESCRIBE, CMD_OBJ_EXPR, &h, &@$, NULL); - $$->expr = $1; - } - ; - -table_block_alloc : /* empty */ - { - $$ = table_alloc(); - open_scope(state, &$$->scope); - } - ; - -table_block : /* empty */ { $$ = $<table>-1; } - | table_block common_block - | table_block stmt_seperator - | table_block CHAIN chain_identifier - chain_block_alloc '{' chain_block '}' - stmt_seperator - { - $4->location = @3; - handle_merge(&$4->handle, &$3); - handle_free(&$3); - close_scope(state); - list_add_tail(&$4->list, &$1->chains); - $$ = $1; - } - | table_block SET set_identifier - set_block_alloc '{' set_block '}' - stmt_seperator - { - $4->location = @3; - handle_merge(&$4->handle, &$3); - handle_free(&$3); - list_add_tail(&$4->list, &$1->sets); - $$ = $1; - } - | table_block MAP set_identifier - map_block_alloc '{' map_block '}' - stmt_seperator - { - $4->location = @3; - handle_merge(&$4->handle, &$3); - handle_free(&$3); - list_add_tail(&$4->list, &$1->sets); - $$ = $1; - } - ; - -chain_block_alloc : /* empty */ - { - $$ = chain_alloc(NULL); - open_scope(state, &$$->scope); - } - ; - -chain_block : /* empty */ { $$ = $<chain>-1; } - | chain_block common_block - | chain_block stmt_seperator - | chain_block hook_spec stmt_seperator - | chain_block rule stmt_seperator - { - list_add_tail(&$2->list, &$1->rules); - $$ = $1; - } - ; - -set_block_alloc : /* empty */ - { - $$ = set_alloc(NULL); - } - ; - -set_block : /* empty */ { $$ = $<set>-1; } - | set_block common_block - | set_block stmt_seperator - | set_block TYPE identifier stmt_seperator - { - $1->keytype = datatype_lookup_byname($3); - if ($1->keytype == NULL) { - erec_queue(error(&@3, "unknown datatype %s", $3), - state->msgs); - YYERROR; - } - $$ = $1; - } - | set_block FLAGS set_flag_list stmt_seperator - { - $1->flags = $3; - $$ = $1; - } - | set_block ELEMENTS '=' set_expr - { - $1->init = $4; - $$ = $1; - } - | set_block set_mechanism stmt_seperator - ; - -set_flag_list : set_flag_list COMMA set_flag - { - $$ = $1 | $3; - } - | set_flag - ; - -set_flag : CONSTANT { $$ = SET_F_CONSTANT; } - | INTERVAL { $$ = SET_F_INTERVAL; } - ; - -map_block_alloc : /* empty */ - { - $$ = set_alloc(NULL); - $$->flags |= NFT_SET_MAP; - } - ; - -map_block : /* empty */ { $$ = $<set>-1; } - | map_block common_block - | map_block stmt_seperator - | map_block TYPE - identifier COLON identifier - stmt_seperator - { - $1->keytype = datatype_lookup_byname($3); - if ($1->keytype == NULL) { - erec_queue(error(&@3, "unknown datatype %s", $3), - state->msgs); - YYERROR; - } - - $1->datatype = datatype_lookup_byname($5); - if ($1->datatype == NULL) { - erec_queue(error(&@5, "unknown datatype %s", $5), - state->msgs); - YYERROR; - } - - $$ = $1; - } - | map_block FLAGS set_flag_list stmt_seperator - { - $1->flags = $3; - $$ = $1; - } - | map_block ELEMENTS '=' set_expr - { - $1->init = $4; - $$ = $1; - } - | map_block set_mechanism stmt_seperator - ; - -set_mechanism : POLICY set_policy_spec - { - $<set>0->policy = $2; - } - | SIZE NUM - { - $<set>0->desc.size = $2; - } - ; - -set_policy_spec : PERFORMANCE { $$ = NFT_SET_POL_PERFORMANCE; } - | MEMORY { $$ = NFT_SET_POL_MEMORY; } - ; - -hook_spec : TYPE STRING HOOK STRING PRIORITY NUM - { - $<chain>0->type = chain_type_name_lookup($2); - if ($<chain>0->type == NULL) { - erec_queue(error(&@2, "unknown chain type %s", $2), - state->msgs); - YYERROR; - } - $<chain>0->hookstr = chain_hookname_lookup($4); - if ($<chain>0->hookstr == NULL) { - erec_queue(error(&@4, "unknown chain hook %s", $4), - state->msgs); - YYERROR; - } - $<chain>0->priority = $6; - $<chain>0->flags |= CHAIN_F_BASECHAIN; - } - | TYPE STRING HOOK STRING PRIORITY DASH NUM - { - $<chain>0->type = chain_type_name_lookup($2); - if ($<chain>0->type == NULL) { - erec_queue(error(&@2, "unknown type name %s", $2), - state->msgs); - YYERROR; - } - $<chain>0->hookstr = chain_hookname_lookup($4); - if ($<chain>0->hookstr == NULL) { - erec_queue(error(&@4, "unknown hook name %s", $4), - state->msgs); - YYERROR; - } - $<chain>0->priority = -$7; - $<chain>0->flags |= CHAIN_F_BASECHAIN; - } - ; - -identifier : STRING - ; - -string : STRING - | QUOTED_STRING - ; - -family_spec : /* empty */ { $$ = NFPROTO_IPV4; } - | family_spec_explicit - ; - -family_spec_explicit : IP { $$ = NFPROTO_IPV4; } - | IP6 { $$ = NFPROTO_IPV6; } - | INET { $$ = NFPROTO_INET; } - | ARP { $$ = NFPROTO_ARP; } - | BRIDGE { $$ = NFPROTO_BRIDGE; } - ; - -table_spec : family_spec identifier - { - memset(&$$, 0, sizeof($$)); - $$.family = $1; - $$.table = $2; - } - ; - -tables_spec : family_spec - { - memset(&$$, 0, sizeof($$)); - $$.family = $1; - $$.table = NULL; - } - ; - -chain_spec : table_spec identifier - { - $$ = $1; - $$.chain = $2; - } - ; - -chain_identifier : identifier - { - memset(&$$, 0, sizeof($$)); - $$.chain = $1; - } - ; - -set_spec : table_spec identifier - { - $$ = $1; - $$.set = $2; - } - ; - -set_identifier : identifier - { - memset(&$$, 0, sizeof($$)); - $$.set = $1; - } - ; - -handle_spec : /* empty */ - { - $$ = 0; - } - | HANDLE NUM - { - $$ = $2; - } - ; - -position_spec : /* empty */ - { - $$ = 0; - } - | POSITION NUM - { - $$ = $2; - } - ; - -ruleid_spec : chain_spec handle_spec position_spec - { - $$ = $1; - $$.handle = $2; - $$.position = $3; - } - ; - -comment_spec : /* empty */ - { - $$ = NULL; - } - | COMMENT string - { - $$ = $2; - } - ; - -ruleset_spec : /* empty */ - { - memset(&$$, 0, sizeof($$)); - $$.family = NFPROTO_UNSPEC; - } - | family_spec_explicit - { - memset(&$$, 0, sizeof($$)); - $$.family = $1; - } - ; - -rule : stmt_list comment_spec - { - struct stmt *i; - - $$ = rule_alloc(&@$, NULL); - $$->handle.comment = $2; - list_for_each_entry(i, $1, list) - $$->num_stmts++; - list_splice_tail($1, &$$->stmts); - xfree($1); - } - ; - -stmt_list : stmt - { - $$ = xmalloc(sizeof(*$$)); - init_list_head($$); - list_add_tail(&$1->list, $$); - } - | stmt_list stmt - { - $$ = $1; - list_add_tail(&$2->list, $1); - } - ; - -stmt : verdict_stmt - | match_stmt - | counter_stmt - | meta_stmt - | log_stmt - | limit_stmt - | reject_stmt - | nat_stmt - | queue_stmt - | ct_stmt - | masq_stmt - | redir_stmt - ; - -verdict_stmt : verdict_expr - { - $$ = verdict_stmt_alloc(&@$, $1); - } - | verdict_map_stmt - { - $$ = verdict_stmt_alloc(&@$, $1); - } - ; - -verdict_map_stmt : concat_expr VMAP verdict_map_expr - { - $$ = map_expr_alloc(&@$, $1, $3); - } - ; - -verdict_map_expr : '{' verdict_map_list_expr '}' - { - $2->location = @$; - $$ = $2; - } - ; - -verdict_map_list_expr : verdict_map_list_member_expr - { - $$ = set_expr_alloc(&@$); - compound_expr_add($$, $1); - } - | verdict_map_list_expr COMMA verdict_map_list_member_expr - { - compound_expr_add($1, $3); - $$ = $1; - } - | verdict_map_list_expr COMMA opt_newline - ; - -verdict_map_list_member_expr: opt_newline map_lhs_expr COLON verdict_expr opt_newline - { - $$ = mapping_expr_alloc(&@$, $2, $4); - } - ; - - -counter_stmt : counter_stmt_alloc - | counter_stmt_alloc counter_args - -counter_stmt_alloc : COUNTER - { - $$ = counter_stmt_alloc(&@$); - } - ; - -counter_args : counter_arg - { - $<stmt>$ = $<stmt>0; - } - | counter_args counter_arg - ; - -counter_arg : PACKETS NUM - { - $<stmt>0->counter.packets = $2; - } - | BYTES NUM - { - $<stmt>0->counter.bytes = $2; - } - ; - -log_stmt : log_stmt_alloc - | log_stmt_alloc log_args - ; - -log_stmt_alloc : LOG - { - $$ = log_stmt_alloc(&@$); - } - ; - -log_args : log_arg - { - $<stmt>$ = $<stmt>0; - } - | log_args log_arg - ; - -log_arg : PREFIX string - { - $<stmt>0->log.prefix = $2; - $<stmt>0->log.flags |= STMT_LOG_PREFIX; - } - | GROUP NUM - { - $<stmt>0->log.group = $2; - $<stmt>0->log.flags |= STMT_LOG_GROUP; - } - | SNAPLEN NUM - { - $<stmt>0->log.snaplen = $2; - $<stmt>0->log.flags |= STMT_LOG_SNAPLEN; - } - | QUEUE_THRESHOLD NUM - { - $<stmt>0->log.qthreshold = $2; - $<stmt>0->log.flags |= STMT_LOG_QTHRESHOLD; - } - | LEVEL level_type - { - $<stmt>0->log.level = $2; - $<stmt>0->log.flags |= STMT_LOG_LEVEL; - } - ; - -level_type : LEVEL_EMERG { $$ = LOG_EMERG; } - | LEVEL_ALERT { $$ = LOG_ALERT; } - | LEVEL_CRIT { $$ = LOG_CRIT; } - | LEVEL_ERR { $$ = LOG_ERR; } - | LEVEL_WARN { $$ = LOG_WARNING; } - | LEVEL_NOTICE { $$ = LOG_NOTICE; } - | LEVEL_INFO { $$ = LOG_INFO; } - | LEVEL_DEBUG { $$ = LOG_DEBUG; } - ; - -limit_stmt : LIMIT RATE NUM SLASH time_unit - { - $$ = limit_stmt_alloc(&@$); - $$->limit.rate = $3; - $$->limit.unit = $5; - } - ; - -time_unit : SECOND { $$ = 1ULL; } - | MINUTE { $$ = 1ULL * 60; } - | HOUR { $$ = 1ULL * 60 * 60; } - | DAY { $$ = 1ULL * 60 * 60 * 24; } - | WEEK { $$ = 1ULL * 60 * 60 * 24 * 7; } - ; - -reject_stmt : reject_stmt_alloc reject_opts - ; - -reject_stmt_alloc : _REJECT - { - $$ = reject_stmt_alloc(&@$); - } - ; - -reject_opts : /* empty */ - { - $<stmt>0->reject.type = -1; - $<stmt>0->reject.icmp_code = -1; - } - | WITH ICMP TYPE STRING - { - $<stmt>0->reject.family = NFPROTO_IPV4; - $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH; - $<stmt>0->reject.expr = - symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - $4); - $<stmt>0->reject.expr->dtype = &icmp_code_type; - } - | WITH ICMP6 TYPE STRING - { - $<stmt>0->reject.family = NFPROTO_IPV6; - $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH; - $<stmt>0->reject.expr = - symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - $4); - $<stmt>0->reject.expr->dtype = &icmpv6_code_type; - } - | WITH ICMPX TYPE STRING - { - $<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH; - $<stmt>0->reject.expr = - symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - $4); - $<stmt>0->reject.expr->dtype = &icmpx_code_type; - } - | WITH TCP RESET - { - $<stmt>0->reject.type = NFT_REJECT_TCP_RST; - } - ; - -nat_stmt : nat_stmt_alloc nat_stmt_args - ; - -nat_stmt_alloc : SNAT - { - $$ = nat_stmt_alloc(&@$); - $$->nat.type = NFT_NAT_SNAT; - } - | DNAT - { - $$ = nat_stmt_alloc(&@$); - $$->nat.type = NFT_NAT_DNAT; - } - ; - -nat_stmt_args : expr - { - $<stmt>0->nat.addr = $1; - } - | expr COLON expr - { - $<stmt>0->nat.addr = $1; - $<stmt>0->nat.proto = $3; - } - | COLON expr - { - $<stmt>0->nat.proto = $2; - } - | nat_stmt_args nf_nat_flags - { - $<stmt>0->nat.flags = $2; - } - ; - -masq_stmt : masq_stmt_alloc - | masq_stmt_alloc nf_nat_flags - { - $$ = $1; - $$->masq.flags = $2; - } - ; - -masq_stmt_alloc : MASQUERADE { $$ = masq_stmt_alloc(&@$); } - ; - -redir_stmt : redir_stmt_alloc redir_stmt_arg - | redir_stmt_alloc - ; - -redir_stmt_alloc : REDIRECT { $$ = redir_stmt_alloc(&@$); } - ; - -redir_stmt_arg : COLON expr - { - $<stmt>0->redir.proto = $2; - } - | nf_nat_flags - { - $<stmt>0->redir.flags = $1; - } - | COLON expr nf_nat_flags - { - $<stmt>0->redir.proto = $2; - $<stmt>0->redir.flags = $3; - } - ; - -nf_nat_flags : nf_nat_flag - | nf_nat_flags COMMA nf_nat_flag - { - $$ = $1 | $3; - } - ; - -nf_nat_flag : RANDOM { $$ = NF_NAT_RANGE_PROTO_RANDOM; } - | RANDOM_FULLY { $$ = NF_NAT_RANGE_PROTO_RANDOM_FULLY; } - | PERSISTENT { $$ = NF_NAT_RANGE_PERSISTENT; } - ; - -queue_stmt : queue_stmt_alloc - | queue_stmt_alloc queue_stmt_args - ; - -queue_stmt_alloc : QUEUE - { - $$ = queue_stmt_alloc(&@$); - } - ; - -queue_stmt_args : queue_stmt_arg - { - $<stmt>$ = $<stmt>0; - } - | queue_stmt_args queue_stmt_arg - ; - -queue_stmt_arg : QUEUENUM expr - { - $<stmt>0->queue.queue = $2; - } - | queue_stmt_flags - { - $<stmt>0->queue.flags |= $1; - } - ; - -queue_stmt_flags : queue_stmt_flag - | queue_stmt_flags COMMA queue_stmt_flag - { - $$ = $1 | $3; - } - ; - -queue_stmt_flag : BYPASS { $$ = NFT_QUEUE_FLAG_BYPASS; } - | FANOUT { $$ = NFT_QUEUE_FLAG_CPU_FANOUT; } - ; - -match_stmt : relational_expr - { - $$ = expr_stmt_alloc(&@$, $1); - } - ; - -symbol_expr : string - { - $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - $1); - xfree($1); - } - | '$' identifier - { - struct scope *scope = current_scope(state); - - if (symbol_lookup(scope, $2) == NULL) { - erec_queue(error(&@2, "unknown identifier '%s'", $2), - state->msgs); - YYERROR; - } - - $$ = symbol_expr_alloc(&@$, SYMBOL_DEFINE, - scope, $2); - xfree($2); - } - | AT identifier - { - $$ = symbol_expr_alloc(&@$, SYMBOL_SET, - current_scope(state), - $2); - xfree($2); - } - ; - -integer_expr : NUM - { - char str[64]; - - snprintf(str, sizeof(str), "%" PRIu64, $1); - $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - str); - } - ; - -primary_expr : symbol_expr { $$ = $1; } - | integer_expr { $$ = $1; } - | payload_expr { $$ = $1; } - | exthdr_expr { $$ = $1; } - | meta_expr { $$ = $1; } - | ct_expr { $$ = $1; } - | '(' basic_expr ')' { $$ = $2; } - ; - -shift_expr : primary_expr - | shift_expr LSHIFT primary_expr - { - $$ = binop_expr_alloc(&@$, OP_LSHIFT, $1, $3); - } - | shift_expr RSHIFT primary_expr - { - $$ = binop_expr_alloc(&@$, OP_RSHIFT, $1, $3); - } - ; - -and_expr : shift_expr - | and_expr AMPERSAND shift_expr - { - $$ = binop_expr_alloc(&@$, OP_AND, $1, $3); - } - ; - -exclusive_or_expr : and_expr - | exclusive_or_expr CARET and_expr - { - $$ = binop_expr_alloc(&@$, OP_XOR, $1, $3); - } - ; - -inclusive_or_expr : exclusive_or_expr - | inclusive_or_expr '|' exclusive_or_expr - { - $$ = binop_expr_alloc(&@$, OP_OR, $1, $3); - } - ; - -basic_expr : inclusive_or_expr - ; - -concat_expr : basic_expr - | concat_expr DOT basic_expr - { - if ($$->ops->type != EXPR_CONCAT) { - $$ = concat_expr_alloc(&@$); - compound_expr_add($$, $1); - } else { - struct location rhs[] = { - [1] = @2, - [2] = @3, - }; - location_update(&$3->location, rhs, 2); - - $$ = $1; - $$->location = @$; - } - compound_expr_add($$, $3); - } - ; - -list_expr : basic_expr COMMA basic_expr - { - $$ = list_expr_alloc(&@$); - compound_expr_add($$, $1); - compound_expr_add($$, $3); - } - | list_expr COMMA basic_expr - { - $1->location = @$; - compound_expr_add($1, $3); - $$ = $1; - } - ; - -prefix_expr : basic_expr SLASH NUM - { - $$ = prefix_expr_alloc(&@$, $1, $3); - } - ; - -range_expr : basic_expr DASH basic_expr - { - $$ = range_expr_alloc(&@$, $1, $3); - } - ; - -wildcard_expr : ASTERISK - { - struct expr *expr; - - expr = constant_expr_alloc(&@$, &integer_type, - BYTEORDER_HOST_ENDIAN, - 0, NULL); - $$ = prefix_expr_alloc(&@$, expr, 0); - } - ; - -multiton_expr : prefix_expr - | range_expr - | wildcard_expr - ; - -map_lhs_expr : multiton_expr - | concat_expr - ; - -map_expr : concat_expr MAP expr - { - $$ = map_expr_alloc(&@$, $1, $3); - } - ; - -expr : concat_expr - | set_expr - | map_expr - | multiton_expr - ; - -set_expr : '{' set_list_expr '}' - { - $2->location = @$; - $$ = $2; - } - ; - -set_list_expr : set_list_member_expr - { - $$ = set_expr_alloc(&@$); - compound_expr_add($$, $1); - } - | set_list_expr COMMA set_list_member_expr - { - compound_expr_add($1, $3); - $$ = $1; - } - | set_list_expr COMMA opt_newline - ; - -set_list_member_expr : opt_newline expr opt_newline - { - $$ = $2; - } - | opt_newline map_lhs_expr COLON concat_expr opt_newline - { - $$ = mapping_expr_alloc(&@$, $2, $4); - } - ; - -initializer_expr : expr - | list_expr - ; - -relational_expr : expr /* implicit */ expr - { - $$ = relational_expr_alloc(&@$, OP_IMPLICIT, $1, $2); - } - | expr /* implicit */ list_expr - { - $$ = relational_expr_alloc(&@$, OP_FLAGCMP, $1, $2); - } - | expr relational_op expr - { - $$ = relational_expr_alloc(&@2, $2, $1, $3); - } - ; - -relational_op : EQ { $$ = OP_EQ; } - | NEQ { $$ = OP_NEQ; } - | LT { $$ = OP_LT; } - | GT { $$ = OP_GT; } - | GTE { $$ = OP_GTE; } - | LTE { $$ = OP_LTE; } - ; - -verdict_expr : ACCEPT - { - $$ = verdict_expr_alloc(&@$, NF_ACCEPT, NULL); - } - | DROP - { - $$ = verdict_expr_alloc(&@$, NF_DROP, NULL); - } - | CONTINUE - { - $$ = verdict_expr_alloc(&@$, NFT_CONTINUE, NULL); - } - | JUMP identifier - { - $$ = verdict_expr_alloc(&@$, NFT_JUMP, $2); - } - | GOTO identifier - { - $$ = verdict_expr_alloc(&@$, NFT_GOTO, $2); - } - | RETURN - { - $$ = verdict_expr_alloc(&@$, NFT_RETURN, NULL); - } - ; - -meta_expr : META meta_key - { - $$ = meta_expr_alloc(&@$, $2); - } - | meta_key_unqualified - { - $$ = meta_expr_alloc(&@$, $1); - } - ; - -meta_key : meta_key_qualified - | meta_key_unqualified - ; - -meta_key_qualified : LENGTH { $$ = NFT_META_LEN; } - | NFPROTO { $$ = NFT_META_NFPROTO; } - | L4PROTO { $$ = NFT_META_L4PROTO; } - | PROTOCOL { $$ = NFT_META_PROTOCOL; } - | PRIORITY { $$ = NFT_META_PRIORITY; } - ; - -meta_key_unqualified : MARK { $$ = NFT_META_MARK; } - | IIF { $$ = NFT_META_IIF; } - | IIFNAME { $$ = NFT_META_IIFNAME; } - | IIFTYPE { $$ = NFT_META_IIFTYPE; } - | OIF { $$ = NFT_META_OIF; } - | OIFNAME { $$ = NFT_META_OIFNAME; } - | OIFTYPE { $$ = NFT_META_OIFTYPE; } - | SKUID { $$ = NFT_META_SKUID; } - | SKGID { $$ = NFT_META_SKGID; } - | NFTRACE { $$ = NFT_META_NFTRACE; } - | RTCLASSID { $$ = NFT_META_RTCLASSID; } - | IBRIPORT { $$ = NFT_META_BRI_IIFNAME; } - | OBRIPORT { $$ = NFT_META_BRI_OIFNAME; } - | PKTTYPE { $$ = NFT_META_PKTTYPE; } - | CPU { $$ = NFT_META_CPU; } - | IIFGROUP { $$ = NFT_META_IIFGROUP; } - | OIFGROUP { $$ = NFT_META_OIFGROUP; } - | CGROUP { $$ = NFT_META_CGROUP; } - ; - -meta_stmt : META meta_key SET expr - { - $$ = meta_stmt_alloc(&@$, $2, $4); - } - | meta_key_unqualified SET expr - { - $$ = meta_stmt_alloc(&@$, $1, $3); - } - ; - -ct_expr : CT ct_key - { - $$ = ct_expr_alloc(&@$, $2); - } - ; - -ct_key : STATE { $$ = NFT_CT_STATE; } - | DIRECTION { $$ = NFT_CT_DIRECTION; } - | STATUS { $$ = NFT_CT_STATUS; } - | MARK { $$ = NFT_CT_MARK; } - | EXPIRATION { $$ = NFT_CT_EXPIRATION; } - | HELPER { $$ = NFT_CT_HELPER; } - | L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; } - | SADDR { $$ = NFT_CT_SRC; } - | DADDR { $$ = NFT_CT_DST; } - | PROTOCOL { $$ = NFT_CT_PROTOCOL; } - | PROTO_SRC { $$ = NFT_CT_PROTO_SRC; } - | PROTO_DST { $$ = NFT_CT_PROTO_DST; } - | LABEL { $$ = NFT_CT_LABELS; } - ; - -ct_stmt : CT ct_key SET expr - { - $$ = ct_stmt_alloc(&@$, $2, $4); - } - ; - -payload_expr : payload_raw_expr - | eth_hdr_expr - | vlan_hdr_expr - | arp_hdr_expr - | ip_hdr_expr - | icmp_hdr_expr - | ip6_hdr_expr - | icmp6_hdr_expr - | auth_hdr_expr - | esp_hdr_expr - | comp_hdr_expr - | udp_hdr_expr - | udplite_hdr_expr - | tcp_hdr_expr - | dccp_hdr_expr - | sctp_hdr_expr - ; - -payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM - { - $$ = payload_expr_alloc(&@$, NULL, 0); - $$->payload.base = $2; - $$->payload.offset = $4; - $$->len = $6; - $$->dtype = &integer_type; - } - ; - -payload_base_spec : LL_HDR { $$ = PROTO_BASE_LL_HDR; } - | NETWORK_HDR { $$ = PROTO_BASE_NETWORK_HDR; } - | TRANSPORT_HDR { $$ = PROTO_BASE_TRANSPORT_HDR; } - ; - -eth_hdr_expr : ETHER eth_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_eth, $2); - } - | ETHER - { - $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - "ether"); - } - ; - -eth_hdr_field : SADDR { $$ = ETHHDR_SADDR; } - | DADDR { $$ = ETHHDR_DADDR; } - | TYPE { $$ = ETHHDR_TYPE; } - ; - -vlan_hdr_expr : VLAN vlan_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_vlan, $2); - } - | VLAN - { - $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - "vlan"); - } - ; - -vlan_hdr_field : ID { $$ = VLANHDR_VID; } - | CFI { $$ = VLANHDR_CFI; } - | PCP { $$ = VLANHDR_PCP; } - | TYPE { $$ = VLANHDR_TYPE; } - ; - -arp_hdr_expr : ARP arp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_arp, $2); - } - | ARP - { - $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - "arp"); - } - ; - -arp_hdr_field : HTYPE { $$ = ARPHDR_HRD; } - | PTYPE { $$ = ARPHDR_PRO; } - | HLEN { $$ = ARPHDR_HLN; } - | PLEN { $$ = ARPHDR_PLN; } - | OPERATION { $$ = ARPHDR_OP; } - ; - -ip_hdr_expr : IP ip_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_ip, $2); - } - | IP - { - $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - "ip"); - } - ; - -ip_hdr_field : VERSION { $$ = IPHDR_VERSION; } - | HDRLENGTH { $$ = IPHDR_HDRLENGTH; } - | TOS { $$ = IPHDR_TOS; } - | LENGTH { $$ = IPHDR_LENGTH; } - | ID { $$ = IPHDR_ID; } - | FRAG_OFF { $$ = IPHDR_FRAG_OFF; } - | TTL { $$ = IPHDR_TTL; } - | PROTOCOL { $$ = IPHDR_PROTOCOL; } - | CHECKSUM { $$ = IPHDR_CHECKSUM; } - | SADDR { $$ = IPHDR_SADDR; } - | DADDR { $$ = IPHDR_DADDR; } - ; - -icmp_hdr_expr : ICMP icmp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_icmp, $2); - } - | ICMP - { - uint8_t data = IPPROTO_ICMP; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -icmp_hdr_field : TYPE { $$ = ICMPHDR_TYPE; } - | CODE { $$ = ICMPHDR_CODE; } - | CHECKSUM { $$ = ICMPHDR_CHECKSUM; } - | ID { $$ = ICMPHDR_ID; } - | SEQUENCE { $$ = ICMPHDR_SEQ; } - | GATEWAY { $$ = ICMPHDR_GATEWAY; } - | MTU { $$ = ICMPHDR_MTU; } - ; - -ip6_hdr_expr : IP6 ip6_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_ip6, $2); - } - | IP6 - { - $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, - current_scope(state), - "ip6"); - } - ; - -ip6_hdr_field : VERSION { $$ = IP6HDR_VERSION; } - | PRIORITY { $$ = IP6HDR_PRIORITY; } - | FLOWLABEL { $$ = IP6HDR_FLOWLABEL; } - | LENGTH { $$ = IP6HDR_LENGTH; } - | NEXTHDR { $$ = IP6HDR_NEXTHDR; } - | HOPLIMIT { $$ = IP6HDR_HOPLIMIT; } - | SADDR { $$ = IP6HDR_SADDR; } - | DADDR { $$ = IP6HDR_DADDR; } - ; -icmp6_hdr_expr : ICMP6 icmp6_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_icmp6, $2); - } - | ICMP6 - { - uint8_t data = IPPROTO_ICMPV6; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -icmp6_hdr_field : TYPE { $$ = ICMP6HDR_TYPE; } - | CODE { $$ = ICMP6HDR_CODE; } - | CHECKSUM { $$ = ICMP6HDR_CHECKSUM; } - | PPTR { $$ = ICMP6HDR_PPTR; } - | MTU { $$ = ICMP6HDR_MTU; } - | ID { $$ = ICMP6HDR_ID; } - | SEQUENCE { $$ = ICMP6HDR_SEQ; } - | MAXDELAY { $$ = ICMP6HDR_MAXDELAY; } - ; - -auth_hdr_expr : AH auth_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_ah, $2); - } - | AH - { - uint8_t data = IPPROTO_AH; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -auth_hdr_field : NEXTHDR { $$ = AHHDR_NEXTHDR; } - | HDRLENGTH { $$ = AHHDR_HDRLENGTH; } - | RESERVED { $$ = AHHDR_RESERVED; } - | SPI { $$ = AHHDR_SPI; } - | SEQUENCE { $$ = AHHDR_SEQUENCE; } - ; - -esp_hdr_expr : ESP esp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_esp, $2); - } - | ESP - { - uint8_t data = IPPROTO_ESP; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -esp_hdr_field : SPI { $$ = ESPHDR_SPI; } - | SEQUENCE { $$ = ESPHDR_SEQUENCE; } - ; - -comp_hdr_expr : COMP comp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_comp, $2); - } - | COMP - { - uint8_t data = IPPROTO_COMP; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -comp_hdr_field : NEXTHDR { $$ = COMPHDR_NEXTHDR; } - | FLAGS { $$ = COMPHDR_FLAGS; } - | CPI { $$ = COMPHDR_CPI; } - ; - -udp_hdr_expr : UDP udp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_udp, $2); - } - | UDP - { - uint8_t data = IPPROTO_UDP; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -udp_hdr_field : SPORT { $$ = UDPHDR_SPORT; } - | DPORT { $$ = UDPHDR_DPORT; } - | LENGTH { $$ = UDPHDR_LENGTH; } - | CHECKSUM { $$ = UDPHDR_CHECKSUM; } - ; - -udplite_hdr_expr : UDPLITE udplite_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_udplite, $2); - } - | UDPLITE - { - uint8_t data = IPPROTO_UDPLITE; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -udplite_hdr_field : SPORT { $$ = UDPHDR_SPORT; } - | DPORT { $$ = UDPHDR_DPORT; } - | CSUMCOV { $$ = UDPHDR_LENGTH; } - | CHECKSUM { $$ = UDPHDR_CHECKSUM; } - ; - -tcp_hdr_expr : TCP tcp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_tcp, $2); - } - | TCP - { - uint8_t data = IPPROTO_TCP; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; } - | DPORT { $$ = TCPHDR_DPORT; } - | SEQUENCE { $$ = TCPHDR_SEQ; } - | ACKSEQ { $$ = TCPHDR_ACKSEQ; } - | DOFF { $$ = TCPHDR_DOFF; } - | RESERVED { $$ = TCPHDR_RESERVED; } - | FLAGS { $$ = TCPHDR_FLAGS; } - | WINDOW { $$ = TCPHDR_WINDOW; } - | CHECKSUM { $$ = TCPHDR_CHECKSUM; } - | URGPTR { $$ = TCPHDR_URGPTR; } - ; - -dccp_hdr_expr : DCCP dccp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_dccp, $2); - } - | DCCP - { - uint8_t data = IPPROTO_DCCP; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -dccp_hdr_field : SPORT { $$ = DCCPHDR_SPORT; } - | DPORT { $$ = DCCPHDR_DPORT; } - | TYPE { $$ = DCCPHDR_TYPE; } - ; - -sctp_hdr_expr : SCTP sctp_hdr_field - { - $$ = payload_expr_alloc(&@$, &proto_sctp, $2); - } - | SCTP - { - uint8_t data = IPPROTO_SCTP; - $$ = constant_expr_alloc(&@$, &inet_protocol_type, - BYTEORDER_HOST_ENDIAN, - sizeof(data) * BITS_PER_BYTE, &data); - } - ; - -sctp_hdr_field : SPORT { $$ = SCTPHDR_SPORT; } - | DPORT { $$ = SCTPHDR_DPORT; } - | VTAG { $$ = SCTPHDR_VTAG; } - | CHECKSUM { $$ = SCTPHDR_CHECKSUM; } - ; - -exthdr_expr : hbh_hdr_expr - | rt_hdr_expr - | rt0_hdr_expr - | rt2_hdr_expr - | frag_hdr_expr - | dst_hdr_expr - | mh_hdr_expr - ; - -hbh_hdr_expr : HBH hbh_hdr_field - { - $$ = exthdr_expr_alloc(&@$, &exthdr_hbh, $2); - } - ; - -hbh_hdr_field : NEXTHDR { $$ = HBHHDR_NEXTHDR; } - | HDRLENGTH { $$ = HBHHDR_HDRLENGTH; } - ; - -rt_hdr_expr : RT rt_hdr_field - { - $$ = exthdr_expr_alloc(&@$, &exthdr_rt, $2); - } - ; - -rt_hdr_field : NEXTHDR { $$ = RTHDR_NEXTHDR; } - | HDRLENGTH { $$ = RTHDR_HDRLENGTH; } - | TYPE { $$ = RTHDR_TYPE; } - | SEG_LEFT { $$ = RTHDR_SEG_LEFT; } - ; - -rt0_hdr_expr : RT0 rt0_hdr_field - { - $$ = exthdr_expr_alloc(&@$, &exthdr_rt0, $2); - } - ; - -rt0_hdr_field : ADDR '[' NUM ']' - { - $$ = RT0HDR_ADDR_1 + $3 - 1; - } - ; - -rt2_hdr_expr : RT2 rt2_hdr_field - { - $$ = exthdr_expr_alloc(&@$, &exthdr_rt2, $2); - } - ; - -rt2_hdr_field : ADDR { $$ = RT2HDR_ADDR; } - ; - -frag_hdr_expr : FRAG frag_hdr_field - { - $$ = exthdr_expr_alloc(&@$, &exthdr_frag, $2); - } - ; - -frag_hdr_field : NEXTHDR { $$ = FRAGHDR_NEXTHDR; } - | RESERVED { $$ = FRAGHDR_RESERVED; } - | FRAG_OFF { $$ = FRAGHDR_FRAG_OFF; } - | RESERVED2 { $$ = FRAGHDR_RESERVED2; } - | MORE_FRAGMENTS { $$ = FRAGHDR_MFRAGS; } - | ID { $$ = FRAGHDR_ID; } - ; - -dst_hdr_expr : DST dst_hdr_field - { - $$ = exthdr_expr_alloc(&@$, &exthdr_dst, $2); - } - ; - -dst_hdr_field : NEXTHDR { $$ = DSTHDR_NEXTHDR; } - | HDRLENGTH { $$ = DSTHDR_HDRLENGTH; } - ; - -mh_hdr_expr : MH mh_hdr_field - { - $$ = exthdr_expr_alloc(&@$, &exthdr_mh, $2); - } - ; - -mh_hdr_field : NEXTHDR { $$ = MHHDR_NEXTHDR; } - | HDRLENGTH { $$ = MHHDR_HDRLENGTH; } - | TYPE { $$ = MHHDR_TYPE; } - | RESERVED { $$ = MHHDR_RESERVED; } - | CHECKSUM { $$ = MHHDR_CHECKSUM; } - ; - -%% |