diff options
| author | Phil Sutter <phil@nwl.cc> | 2022-11-24 14:17:17 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2022-12-13 14:59:55 +0100 |
| commit | 79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f (patch) | |
| tree | e339339c6b37040ccd5603dddc55fe7fb32c38c0 /src | |
| parent | e432477f5c013d0ca56f9fc5f9ac7cf35301b0b9 (diff) | |
xt: Rewrite unsupported compat expression dumping
Choose a format which provides more information and is easily parseable.
Then teach parsers about it and make it explicitly reject the ruleset
giving a meaningful explanation. Also update the man pages with some
more details.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'src')
| -rw-r--r-- | src/json.c | 19 | ||||
| -rw-r--r-- | src/parser_bison.y | 18 | ||||
| -rw-r--r-- | src/parser_json.c | 5 | ||||
| -rw-r--r-- | src/scanner.l | 3 | ||||
| -rw-r--r-- | src/statement.c | 1 | ||||
| -rw-r--r-- | src/xt.c | 8 |
6 files changed, 47 insertions, 7 deletions
@@ -82,12 +82,6 @@ static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) char buf[1024]; FILE *fp; - /* XXX: Can't be supported at this point: - * xt_stmt_xlate() ignores output_fp. - */ - if (stmt->ops->type == STMT_XT) - return json_pack("{s:n}", "xt"); - if (stmt->ops->json) return stmt->ops->json(stmt, octx); @@ -1624,6 +1618,19 @@ json_t *optstrip_stmt_json(const struct stmt *stmt, struct output_ctx *octx) expr_print_json(stmt->optstrip.expr, octx)); } +json_t *xt_stmt_json(const struct stmt *stmt, struct output_ctx *octx) +{ + static const char *xt_typename[NFT_XT_MAX] = { + [NFT_XT_MATCH] = "match", + [NFT_XT_TARGET] = "target", + [NFT_XT_WATCHER] = "watcher", + }; + + return json_pack("{s:{s:s, s:s}}", "xt", + "type", xt_typename[stmt->xt.type], + "name", stmt->xt.name); +} + static json_t *table_print_json_full(struct netlink_ctx *ctx, struct table *table) { diff --git a/src/parser_bison.y b/src/parser_bison.y index 760c23cf..d7cf8bc5 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -626,6 +626,8 @@ int nft_lex(void *, void *, void *); %token IN "in" %token OUT "out" +%token XT "xt" + %type <limit_rate> limit_rate_pkts %type <limit_rate> limit_rate_bytes @@ -900,6 +902,9 @@ int nft_lex(void *, void *, void *); %type <stmt> optstrip_stmt %destructor { stmt_free($$); } optstrip_stmt +%type <stmt> xt_stmt +%destructor { stmt_free($$); } xt_stmt + %type <expr> boolean_expr %destructor { expr_free($$); } boolean_expr %type <val8> boolean_keys @@ -991,6 +996,7 @@ close_scope_udplite : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDPL close_scope_log : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_LOG); } close_scope_synproxy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_SYNPROXY); } +close_scope_xt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_XT); } common_block : INCLUDE QUOTED_STRING stmt_separator { @@ -2879,6 +2885,18 @@ stmt : verdict_stmt | synproxy_stmt close_scope_synproxy | chain_stmt | optstrip_stmt + | xt_stmt close_scope_xt + ; + +xt_stmt : XT STRING STRING + { + $$ = NULL; + xfree($2); + xfree($3); + erec_queue(error(&@$, "unsupported xtables compat expression, use iptables-nft with this ruleset"), + state->msgs); + YYERROR; + } ; chain_stmt_type : JUMP { $$ = NFT_JUMP; } diff --git a/src/parser_json.c b/src/parser_json.c index aa00e9ec..762e779d 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -2764,6 +2764,11 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) return verdict_stmt_alloc(int_loc, expr); } + if (!strcmp(type, "xt")) { + json_error(ctx, "unsupported xtables compat expression, use iptables-nft with this ruleset"); + return NULL; + } + for (i = 0; i < array_size(stmt_parser_tbl); i++) { if (!strcmp(type, stmt_parser_tbl[i].key)) return stmt_parser_tbl[i].cb(ctx, stmt_parser_tbl[i].key, tmp); diff --git a/src/scanner.l b/src/scanner.l index 7e8748f5..583c2511 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -215,6 +215,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) %s SCANSTATE_TCP %s SCANSTATE_TYPE %s SCANSTATE_VLAN +%s SCANSTATE_XT %s SCANSTATE_CMD_EXPORT %s SCANSTATE_CMD_IMPORT %s SCANSTATE_CMD_LIST @@ -800,6 +801,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "secmark" { scanner_push_start_cond(yyscanner, SCANSTATE_SECMARK); return SECMARK; } +"xt" { scanner_push_start_cond(yyscanner, SCANSTATE_XT); return XT; } + {addrstring} { yylval->string = xstrdup(yytext); return STRING; diff --git a/src/statement.c b/src/statement.c index 327d00f9..eafc51c4 100644 --- a/src/statement.c +++ b/src/statement.c @@ -997,6 +997,7 @@ static const struct stmt_ops xt_stmt_ops = { .name = "xt", .print = xt_stmt_print, .destroy = xt_stmt_destroy, + .json = xt_stmt_json, }; struct stmt *xt_stmt_alloc(const struct location *loc) @@ -115,7 +115,13 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) xt_xlate_free(xl); xfree(entry); #else - nft_print(octx, "# xt_%s", stmt->xt.name); + static const char *typename[NFT_XT_MAX] = { + [NFT_XT_MATCH] = "match", + [NFT_XT_TARGET] = "target", + [NFT_XT_WATCHER] = "watcher", + }; + + nft_print(octx, "xt %s %s", typename[stmt->xt.type], stmt->xt.name); #endif } |