-rw-r--r--Makefile.rules.in9
-rwxr-xr-xfiles/examples/sets_and_maps8
-rw-r--r--include/expression.h2
-rw-r--r--include/nftables.h5
-rw-r--r--src/evaluate.c6
-rw-r--r--src/expression.c2
-rw-r--r--src/main.c6
-rw-r--r--src/mnl.c4
-rw-r--r--src/parser.y44
-rw-r--r--src/rule.c21
-rw-r--r--src/scanner.l5
-rw-r--r--tests/dictionary30
-rw-r--r--tests/loop-detect.32
-rw-r--r--tests/loop-detect.42
-rw-r--r--tests/verdict-maps6
15 files changed, 108 insertions, 44 deletions
diff --git a/Makefile.rules.in b/Makefile.rules.in
index 25988dd7..ae563a54 100644
--- a/Makefile.rules.in
+++ b/Makefile.rules.in
@@ -22,7 +22,14 @@ configure: configure.ac
%.c %.h: %.y $(makedeps)
@echo -e " YACC\t\t$<"
- $(YACC) $(YACCFLAGS) -d -o $@ $<
+ $(YACC) $(YACCFLAGS) --defines=$*.h.tmp -o $@ $<
+ ( \
+ echo "#ifndef __$(*F)_H"; \
+ echo "#define __$(*F)_H"; \
+ cat $*.h.tmp; \
+ echo "#endif /* __$(*F)_H */" \
+ ) > $*.h
+ $(RM) $*.h.tmp
%.c %.h: %.l $(makedeps)
@echo -e " LEX\t\t$<"
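Review bot: The generated guard macro `__$(*F)_H` starts with a double underscore, which C reserves for the implementation; a project-prefixed spelling such as `NFT_$(*F)_H` (constructed example) avoids colliding with compiler or libc identifiers. The subshell's exit status is that of the final `echo`, so if `cat $*.h.tmp` fails (for example because `--defines=` produced nothing) the recipe still succeeds and leaves a truncated `$*.h` behind; putting `set -e; \` as the first line inside the parentheses makes the recipe fail instead. Note also that `--defines=FILE` is a bison long option, so this recipe no longer works with a plain yacc, if that matters to the project.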
diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps
index adfc6884..a05199ae 100755
--- a/files/examples/sets_and_maps
+++ b/files/examples/sets_and_maps
@@ -25,13 +25,13 @@ table filter {
type ifindex
}
- # named map of type ifindex => ipv4_address
+ # named map of type ifindex : ipv4_address
map nat_map {
- type ifindex => ipv4_address
+ type ifindex : ipv4_address
}
map jump_map {
- type ifindex => verdict
+ type ifindex : verdict
}
chain input_1 { counter; }
@@ -48,6 +48,6 @@ table filter {
meta iif @local_ifs counter
meta iif vmap @jump_map
- #meta iif vmap { eth0 => jump input1, eth1 => jump input2 }
+ #meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
}
}
diff --git a/include/expression.h b/include/expression.h
index a9aa328e..0633102e 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -27,7 +27,7 @@
* @EXPR_LIST: list of expressions
* @EXPR_SET: literal set
* @EXPR_SET_REF: set reference
- * @EXPR_MAPPING: a single mapping (key => value)
+ * @EXPR_MAPPING: a single mapping (key : value)
* @EXPR_MAP: map operation (expr map { EXPR_MAPPING, ... })
* @EXPR_UNARY: byteorder conversion, generated during evaluation
* @EXPR_BINOP: binary operations (bitwise, shifts)
diff --git a/include/nftables.h b/include/nftables.h
index 225bf951..5a000870 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -17,8 +17,9 @@ enum debug_level {
DEBUG_PARSER = 0x2,
DEBUG_EVALUATION = 0x4,
DEBUG_NETLINK = 0x8,
- DEBUG_PROTO_CTX = 0x10,
- DEBUG_SEGTREE = 0x20,
+ DEBUG_MNL = 0x10,
+ DEBUG_PROTO_CTX = 0x20,
+ DEBUG_SEGTREE = 0x40,
};
#define INCLUDE_PATHS_MAX 16
diff --git a/src/evaluate.c b/src/evaluate.c
index 4ca32943..2b2427a5 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1222,6 +1222,12 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
return set_error(ctx, set, "unqualified key data type "
"specified in %s definition", type);
+ if (set->init != NULL) {
+ expr_set_context(&ctx->ectx, set->keytype, set->keylen);
+ if (expr_evaluate(ctx, &set->init) < 0)
+ return -1;
+ }
+
if (!(set->flags & SET_F_MAP))
return 0;
diff --git a/src/expression.c b/src/expression.c
index a12133c8..c8566224 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -644,7 +644,7 @@ struct expr *set_expr_alloc(const struct location *loc)
static void mapping_expr_print(const struct expr *expr)
{
expr_print(expr->left);
- printf(" => ");
+ printf(" : ");
expr_print(expr->right);
}
diff --git a/src/main.c b/src/main.c
index c363fc88..28ce1aa6 100644
--- a/src/main.c
+++ b/src/main.c
@@ -111,7 +111,7 @@ static void show_help(const char *name)
" -a/--handle Output rule handle.\n"
" -I/--includepath <directory> Add <directory> to the paths searched for include files.\n"
#ifdef DEBUG
-" --debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, proto-ctx, segtree, all)\n"
+" --debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, proto-ctx, segtree, all)\n"
#endif
"\n",
name);
@@ -139,6 +139,10 @@ static const struct {
.level = DEBUG_NETLINK,
},
{
+ .name = "mnl",
+ .level = DEBUG_MNL,
+ },
+ {
.name = "proto-ctx",
.level = DEBUG_PROTO_CTX,
},
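Review bot: The new `mnl` table entry makes `--debug mnl` selectable, but the `all` level listed in the help text is not visible in this hunk; if `all` is implemented as a hand-written OR of the individual DEBUG_* values rather than a catch-all mask, it needs `DEBUG_MNL` added as well, otherwise `--debug all` silently loses the raw message dump that the mnl.c hunks now gate on `DEBUG_MNL` instead of `DEBUG_NETLINK`. A one-line comment on the entry, `/* raw libmnl message dump, split out of "netlink" */`, would record why the level exists.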
diff --git a/src/mnl.c b/src/mnl.c
index a4a4c4af..16625000 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -39,7 +39,7 @@ mnl_talk(struct mnl_socket *nf_sock, const void *data, unsigned int len,
int ret;
#ifdef DEBUG
- if (debug_level & DEBUG_NETLINK)
+ if (debug_level & DEBUG_MNL)
mnl_nlmsg_fprintf(stdout, data, len, sizeof(struct nfgenmsg));
#endif
@@ -207,7 +207,7 @@ static ssize_t mnl_nft_socket_sendmsg(const struct mnl_socket *nl)
iov[i].iov_len = mnl_nlmsg_batch_size(batch_page->batch);
i++;
#ifdef DEBUG
- if (debug_level & DEBUG_NETLINK) {
+ if (debug_level & DEBUG_MNL) {
mnl_nlmsg_fprintf(stdout,
mnl_nlmsg_batch_head(batch_page->batch),
mnl_nlmsg_batch_size(batch_page->batch),
diff --git a/src/parser.y b/src/parser.y
index fd631368..3e3abedd 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -150,7 +150,6 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token ASTERISK "*"
%token DASH "-"
%token AT "@"
-%token ARROW "=>"
%token VMAP "vmap"
%token INCLUDE "include"
@@ -184,6 +183,10 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token GOTO "goto"
%token RETURN "return"
+%token CONSTANT "constant"
+%token INTERVAL "interval"
+%token ELEMENTS "elements"
+
%token <val> NUM "number"
%token <string> STRING "string"
%token <string> QUOTED_STRING
@@ -364,6 +367,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <rule> rule
%destructor { rule_free($$); } rule
+%type <val> set_flag_list set_flag
+
%type <set> set_block_alloc set_block
%destructor { set_free($$); } set_block_alloc
@@ -751,6 +756,27 @@ set_block : /* empty */ { $$ = $<set>-1; }
}
$$ = $1;
}
+ | set_block FLAGS set_flag_list stmt_seperator
+ {
+ $1->flags = $3;
+ $$ = $1;
+ }
+ | set_block ELEMENTS '=' set_expr
+ {
+ $1->init = $4;
+ $$ = $1;
+ }
+ ;
+
+set_flag_list : set_flag_list COMMA set_flag
+ {
+ $$ = $1 | $3;
+ }
+ | set_flag
+ ;
+
+set_flag : CONSTANT { $$ = SET_F_CONSTANT; }
+ | INTERVAL { $$ = SET_F_INTERVAL; }
;
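Review bot: `$1->flags = $3;` in the new `set_block FLAGS` rule replaces whatever flags the set already carries instead of adding to them, and the same assignment appears in the `map_block FLAGS` rule in the later hunk, where it matters more: if the map's set is created with `SET_F_MAP` already set (the rule.c hunk's `set->flags & SET_F_MAP` test implies that flag lives in the same word), a `flags constant` line inside a map block would clear it. `$1->flags |= $3;` in both rules keeps the pre-existing bits. Separately, a repeated `elements =` line overwrites `$1->init` without releasing the previous expression; only malformed input triggers it, but either freeing the old value or reporting a duplicate would be cleaner.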
map_block_alloc : /* empty */
@@ -764,7 +790,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
| map_block common_block
| map_block stmt_seperator
| map_block TYPE
- identifier ARROW identifier
+ identifier COLON identifier
stmt_seperator
{
$1->keytype = datatype_lookup_byname($3);
@@ -783,6 +809,16 @@ map_block : /* empty */ { $$ = $<set>-1; }
$$ = $1;
}
+ | map_block FLAGS set_flag_list stmt_seperator
+ {
+ $1->flags = $3;
+ $$ = $1;
+ }
+ | map_block ELEMENTS '=' set_expr
+ {
+ $1->init = $4;
+ $$ = $1;
+ }
;
hook_spec : TYPE STRING HOOK STRING PRIORITY NUM
@@ -1309,11 +1345,11 @@ set_list_member_expr : opt_newline expr opt_newline
{
$$ = $2;
}
- | opt_newline map_lhs_expr ARROW concat_expr opt_newline
+ | opt_newline map_lhs_expr COLON concat_expr opt_newline
{
$$ = mapping_expr_alloc(&@$, $2, $4);
}
- | opt_newline map_lhs_expr ARROW verdict_expr opt_newline
+ | opt_newline map_lhs_expr COLON verdict_expr opt_newline
{
$$ = mapping_expr_alloc(&@$, $2, $4);
}
diff --git a/src/rule.c b/src/rule.c
index a16c2de7..a721d479 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -89,6 +89,7 @@ struct set *set_lookup(const struct table *table, const char *name)
void set_print(const struct set *set)
{
+ const char *delim = "";
const char *type;
type = set->flags & SET_F_MAP ? "map" : "set";
@@ -96,15 +97,21 @@ void set_print(const struct set *set)
printf("\t\ttype %s", set->keytype->name);
if (set->flags & SET_F_MAP)
- printf(" => %s", set->datatype->name);
+ printf(" : %s", set->datatype->name);
printf("\n");
- if (set->flags & SET_F_ANONYMOUS)
- printf("\t\tanonymous\n");
- if (set->flags & SET_F_CONSTANT)
- printf("\t\tconstant\n");
- if (set->flags & SET_F_INTERVAL)
- printf("\t\tinterval\n");
+ if (set->flags & (SET_F_CONSTANT | SET_F_INTERVAL)) {
+ printf("\t\tflags ");
+ if (set->flags & SET_F_CONSTANT) {
+ printf("%sconstant", delim);
+ delim = ",";
+ }
+ if (set->flags & SET_F_INTERVAL) {
+ printf("%sinterval", delim);
+ delim = ",";
+ }
+ printf("\n");
+ }
if (set->init != NULL && set->init->size > 0) {
printf("\t\telements = ");
diff --git a/src/scanner.l b/src/scanner.l
index 6ff8846b..a0ca7d75 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -221,7 +221,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"@" { return AT; }
"$" { return '$'; }
"=" { return '='; }
-"=>" { return ARROW; }
"vmap" { return VMAP; }
"include" { return INCLUDE; }
@@ -258,6 +257,10 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"position" { return POSITION; }
+"constant" { return CONSTANT; }
+"interval" { return INTERVAL; }
+"elements" { return ELEMENTS; }
+
"counter" { return COUNTER; }
"packets" { return PACKETS; }
"bytes" { return BYTES; }
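Review bot: Turning `constant`, `interval` and `elements` into keywords reserves them everywhere the scanner runs, not only inside set and map blocks, so an existing ruleset that uses one of them as a set, map or chain name will no longer parse; whether such names can be quoted to recover is not visible here. If that trade-off is intended, a one-line comment next to the new rules, such as `/* set/map block keywords; reserved globally like the other keywords */`, would save the next reader the question.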
diff --git a/tests/dictionary b/tests/dictionary
index 41935295..b4e6c521 100644
--- a/tests/dictionary
+++ b/tests/dictionary
@@ -21,32 +21,32 @@ add rule ip filter OUTPUT tcp dport { \
192.168.0.1, \
}
-# must succeed: expr { expr => verdict, ... }
+# must succeed: expr { expr : verdict, ... }
add rule ip filter OUTPUT tcp dport vmap { \
- 22 => jump chain1, \
- 23 => jump chain2, \
+ 22 : jump chain1, \
+ 23 : jump chain2, \
}
-# must fail: expr { expr => verdict, expr => expr, ... }
+# must fail: expr { expr : verdict, expr : expr, ... }
add rule ip filter OUTPUT tcp dport vmap { \
- 22 => jump chain1, \
- 23 => 0x100, \
+ 22 : jump chain1, \
+ 23 : 0x100, \
}
-# must fail: expr { expr => expr, ...}
+# must fail: expr { expr : expr, ...}
add rule ip filter OUTPUT tcp dport vmap { \
- 22 => 0x100, \
- 23 => 0x200, \
+ 22 : 0x100, \
+ 23 : 0x200, \
}
-# must succeed: expr MAP { expr => expr, ... } expr
+# must succeed: expr MAP { expr : expr, ... } expr
add rule ip filter OUTPUT meta mark set tcp dport map { \
- 22 => 1, \
- 23 => 2, \
+ 22 : 1, \
+ 23 : 2, \
}
-# must fail: expr MAP { expr => type1, expr => type2, .. } expr
+# must fail: expr MAP { expr : type1, expr : type2, .. } expr
add rule ip filter OUTPUT meta mark set tcp dport map { \
- 22 => 1, \
- 23 => 192.168.0.1, \
+ 22 : 1, \
+ 23 : 192.168.0.1, \
}
diff --git a/tests/loop-detect.3 b/tests/loop-detect.3
index 3b83ef12..80f7fc5a 100644
--- a/tests/loop-detect.3
+++ b/tests/loop-detect.3
@@ -4,4 +4,4 @@
flush table filter
add filter chain1 jump chain2
add filter chain2 jump chain3
-add filter chain3 ip daddr vmap { 10.0.0.1 => continue, 192.168.0.1 => jump chain1 }
+add filter chain3 ip daddr vmap { 10.0.0.1 : continue, 192.168.0.1 : jump chain1 }
diff --git a/tests/loop-detect.4 b/tests/loop-detect.4
index f6f4d572..acd9a342 100644
--- a/tests/loop-detect.4
+++ b/tests/loop-detect.4
@@ -3,5 +3,5 @@
# Circular jump with an intermediate anonymous verdict map: chain1 -> chain2 -> chain3 -> chain1
flush table filter
add filter chain1 jump chain2
-add filter chain2 ip daddr vmap { 10.0.0.1 => continue, 192.168.0.1 => jump chain3 }
+add filter chain2 ip daddr vmap { 10.0.0.1 : continue, 192.168.0.1 : jump chain3 }
add filter chain3 jump chain1
diff --git a/tests/verdict-maps b/tests/verdict-maps
index 72ef98f9..c1630ce3 100644
--- a/tests/verdict-maps
+++ b/tests/verdict-maps
@@ -14,7 +14,7 @@ add chain ip filter chain3
add filter chain3 counter
add filter input ip saddr vmap { \
- 10.0.0.0/24 => jump chain1, \
- 10.0.0.0/8 => jump chain2, \
- 8.8.8.8 => jump chain3 \
+ 10.0.0.0/24 : jump chain1, \
+ 10.0.0.0/8 : jump chain2, \
+ 8.8.8.8 : jump chain3 \
}