summaryrefslogtreecommitdiffstats
path: root/include/parser.h
Commit message (Collapse)AuthorAgeFilesLines
* src: perform evaluation after parsingPablo Neira Ayuso2019-06-051-1/+0
| | | | | | | | | | | | | | | | | Since 61236968b7a1 ("parser: evaluate commands immediately after parsing"), evaluation is invoked from the parsing phase in order to improve error reporting. However, this approach is problematic from the cache perspective since we don't know if a full or partial netlink dump from the kernel is needed. If the number of objects in the kernel is significant, the netlink dump operation to build the cache may significantly slow down commands. This patch moves the evaluation phase after the parsing phase as a preparation update to allow for a better strategy to build the cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: dynamic input_descriptor allocationPablo Neira Ayuso2019-06-051-1/+2
| | | | | | | | | | | | | This patch introduces the input descriptor list, that stores the existing input descriptor objects. These objects are now dynamically allocated and release from scanner_destroy() path. Follow up patches that decouple the parsing and the evaluation phases require this for error reporting as described by b14572f72aac ("erec: Fix input descriptors for included files"), this patch partially reverts such partial. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: file descriptor leak in include_file()Pablo Neira Ayuso2019-03-151-3/+3
| | | | | | | | File that contains the ruleset is never closed, track open files through the nft_ctx object and close them accordingly. Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Pass struct nft_ctx to parser_init()Phil Sutter2018-04-141-4/+2
| | | | | | | | | Signature of parser_init() got quite huge, so simply pass the whole context pointer to it - most of the parameters are just taken from there anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Keep cmds list outside of parser_statePhil Sutter2018-04-141-2/+3
| | | | | | | | | | | | | | | Parser basically turns input into a list of commands and error messages. Having the commands list being part of struct parser_state does not make sense from this point of view, also it will have to go away with upcoming JSON support anyway. While being at it, change nft_netlink() to take just the list of commands instead of the whole parser state as parameter, also take care of command freeing in nft_run_cmd_from_* functions (where the list resides as auto-variable) instead of from inside nft_run(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of printfPhil Sutter2017-09-291-1/+1
| | | | | | | | | | | | | | | | | This patch introduces nft_print()/nft_gmp_print() functions which have to be used instead of printf to output information that were previously send to stdout. These functions print to a FILE pointer defined in struct output_ctx. It is set by calling: | old_fp = nft_ctx_set_output(ctx, new_fp); Having an application-defined FILE pointer is actually quite flexible: Using fmemopen() or even fopencookie(), an application gains full control over what is printed and where it should go to. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Fix for wrong parameter type of scanner_destroy()Phil Sutter2017-08-241-1/+1
| | | | | | | | The function takes the scanner as argument, not the state. This wasn't a real issue since scanner is a void pointer, which means it's only casted around without need. So this fix is a rather cosmetic one. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add debugging mask to context structurePablo Neira Ayuso2017-08-231-1/+2
| | | | | | | So this toggle is not global anymore. Update name that fits better with the semantics of this variable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add include_paths to struct nft_ctxPablo Neira Ayuso2017-08-231-2/+3
| | | | | | | Not convenient to keep this as static for the upcoming library, so let's move it where it belongs. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct nft_cacheVarsha Rao2017-08-141-2/+2
| | | | | | | | | | Pass variable cache_initialized and structure list_head as members of structure nft_cache. Joint work with Pablo Neira. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Pass nf_sock where needed as parameterPablo Neira Ayuso2017-07-171-1/+4
| | | | | | | | | | | | This socket should not be global, it is also hidden in many layers of code. Expose it as function parameters to decouple the netlink socket handling logic from the command parsing, evaluation and bytecode generation. Joint work with Varsha Rao. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: evaluate commands immediately after parsingPatrick McHardy2014-02-041-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | We currently do parsing and evaluation in two seperate stages. This means that if any error occurs during parsing, we won't evaluate the syntactical correct commands and detect possible evaluation errors in them. In order to improve error reporting, change this to evaluate every command as soon as it is fully parsed. With this in place, the ruleset can be fully validated and all errors reported in one step: tests/error.1:6:23-23: Error: syntax error, unexpected newline filter input tcp dport ^ tests/error.1:7:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol filter input tcp dport tcp ~~~~~~~~~ ^^^ tests/error.1:8:24-32: Error: Right hand side of relational expression (==) must be constant filter input tcp dport tcp dport ~~~~~~~~~~^^^^^^^^^ Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: recover from errors in any blockPatrick McHardy2014-02-041-0/+1
| | | | | | | | | | | | | | | | | | | | | | | Move error recovery to the common_block definition to handle errors in any block. Queue those errors and abort parsing once a threshold is reached. With this in place, we can continue parsing when errors occur and show all of them to the user at once. tests/error.1:3:8-8: Error: syntax error, unexpected '{', expecting string filter { ^ tests/error.1:4:13-13: Error: syntax error, unexpected newline filter input ^ tests/error.1:5:17-17: Error: syntax error, unexpected newline filter input tcp ^ tests/error.1:6:23-23: Error: syntax error, unexpected newline filter input tcp dport Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add support for scoping and symbol bindingPatrick McHardy2009-03-201-0/+8
| | | | | | | | | | | | As a first step towards stand-alone sets, add support for scoping and binding symbols. This will be used for user-defined constants, as well as declarations of modifiable (stand-alone) sets once the kernel side is ready. Scopes are currently limited to three nesting levels: the global scope, table block scopes and chain block scopes. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix use of reserved names in header sandwichPatrick McHardy2009-03-181-3/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+36