path: root/src/scanner.l
Commit message (Author, Age; Files, Lines)
* set: make set initializer parsable (Patrick McHardy, 2014-01-16; 1 file, -0/+2)
  If a set contains elements, the output is not parsable since the "elements = { ... }" is not understood by the parser. Fix this and also add support for creating constant sets (which only makes sense when using an initializer).
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: make set flags output parsable (Patrick McHardy, 2014-01-16; 1 file, -0/+2)
  This patch fixes two problems:
  - the output of "nft list table ..." is not parsable if sets are included because the parser can't parse the flags.
  - set flags can't be specified during set creation.
  To fix this, the set output is changed to:
  - not print each flag on a single line
  - prefix the flags with "flags "
  - only show the interval flag since all others are for internal use only
  The parser is changed to parse the flags specified in a set declaration. This allows parsing empty sets. The following patch will take care of parsing sets that are already populated.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use ':' instead of '=>' in dictionaries (Pablo Neira Ayuso, 2014-01-16; 1 file, -1/+0)
  Replace => by : to make it easier for most shell users, as > implies a redirection; let's avoid possible confusion that may result if you forget to escape it. This works fine if you don't forget to add a space between the key and the value. If you forget to add the space, depending on the case, the scanner may recognize it correctly or process it as a string.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: remove secmark from ct and meta expression (Patrick McHardy, 2014-01-15; 1 file, -1/+0)
  The secctx should be used instead of the secmark. Remove for now.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: add aliases to symbols for easier interaction with most shells (Pablo Neira Ayuso, 2014-01-15; 1 file, -0/+12)
  These symbols need to be escaped in bash, and if you use them without escaping them, it can lead to confusion. This patch adds nominal aliases, e.g.:
    nft add rule filter output meta mark and 0x3 eq 0x1
  as an alternative to:
    nft add rule filter output meta mark \& 0x3 == 0x1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: scanner: fixed problem with ipv6 address (Ana Rey, 2014-01-15; 1 file, -25/+25)
  There is a problem with the following ipv6 address combination:
    nft add rule ip6 t_ip61 filter-input ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234:1234:1234
    1234:1234::1234:1234:1234:1234:1234
    1234:1234:1234::1234:1234:1234:1234
    1234:1234:1234:1234::1234:1234:1234
    1234:1234:1234:1234:1234::1234:1234
    ::1234:1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234:1234
    1234:1234::1234:1234:1234:1234
    1234:1234:1234::1234:1234:1234
    1234:1234:1234:1234::1234:1234
    ::1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234
    1234:1234::1234:1234:1234
    1234:1234:1234::1234:1234
    ::1234:1234:1234:1234
    1234::1234:1234:1234
    1234:1234::1234:1234
    ::1234:1234:1234
    1234::1234:1234
  The problem was in the scanner (src/scanner.l). Several brackets were missing and the result was an incorrect interpretation. Fix it by adding some brackets in a regular expression in src/scanner.l.
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: rename address selector from 'eth' to 'ether' (Pablo Neira Ayuso, 2014-01-14; 1 file, -1/+1)
  eth may easily occur when using ifname masks. This could also be fixed by interpreting 'eth' as a simple string in the parser, but I think this selector also looks more similar to what we use in tcpdump.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "parser: replace "vmap" keyword by "map"" (Patrick McHardy, 2014-01-14; 1 file, -0/+1)
  This reverts commit 5e8f8a1807917f92e568437598670b0026462c1c. I missed that this introduces shift-reduce conflicts. Revert for now.
* parser: replace "vmap" keyword by "map" (Patrick McHardy, 2014-01-14; 1 file, -1/+0)
  Consistently use "map" to express mappings.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Wrap netfilter hooks around human readable strings (Tomasz Bursztyka, 2013-09-04; 1 file, -6/+0)
  This allows using unique, human readable hook names on the command line and lets the user be unaware of the complex netfilter hook names and their difference depending on the netfilter family. So:
    add chain foo bar { type route hook NF_INET_LOCAL_IN 0; }
  becomes:
    add chain foo bar { type route hook input 0; }
  It also then fixes the difference in hook values between families, i.e. the ARP family has different values for input, forward and output compared to IPv4, IPv6 or bridge.
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add icmpv6 support (Eric Leblond, 2013-07-31; 1 file, -0/+4)
  This patch adds ICMPv6 support to nftables. It is now possible to write rules such as:
    nft add rule ip6 filter input icmpv6 type nd-router-advert accept
  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for insertion inside rule list (Eric Leblond, 2013-07-19; 1 file, -0/+2)
  This patch adds support to insert and to add a rule using a rule handle as reference. The rule handle syntax has a new optional position field which takes a handle as argument. Two examples:
    nft add rule filter output position 5 ip daddr 1.2.3.1 drop
    nft insert rule filter output position 5 ip daddr 1.2.3.1 drop
  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix counter restoration (Eric Leblond, 2013-06-12; 1 file, -0/+2)
  It was not possible to restore a ruleset containing counters. The packets and bytes fields were not known by the parser, but they were in the output of the list command. This patch fixes the issue by correctly restoring the counters if they are present in the command.
  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: allow listing of existing tables (Pablo Neira Ayuso, 2013-04-18; 1 file, -0/+1)
  You can now specify:
    nft list tables ip
  to obtain the list of all existing tables.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add rule insertion (prepend) support (Patrick McHardy, 2012-12-14; 1 file, -0/+1)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* chains: add chain rename support (Patrick McHardy, 2012-12-14; 1 file, -0/+1)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* add support for new set API and standalone sets (Patrick McHardy, 2009-07-28; 1 file, -2/+4)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct: resync netlink header and properly add ct l3protocol support (Patrick McHardy, 2009-03-31; 1 file, -0/+1)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add support for user-defined symbolic constants (Patrick McHardy, 2009-03-20; 1 file, -0/+3)
  User-defined constants can be used like this:
    define allowed_hosts = { 192.168.0.0/24, 10.0.0.20-10.0.0.30 }
    define udp_services = domain
    define tcp_services = { ssh, domain }
    ip saddr $allowed_hosts udp dport $udp_services counter accept
    ip saddr $allowed_hosts tcp dport $tcp_services counter accept
  Recursive definitions are possible, but currently not fully handled. Anything requiring transformations (sets using ranges) cannot be used more than once currently since the expressions need to be COW'ed previously.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* lexer: fix some whitespace errors (Patrick McHardy, 2009-03-18; 1 file, -2/+2)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commit (tag: v0.01-alpha1) (Patrick McHardy, 2009-03-18; 1 file, -0/+581)