From 959851990ec049ffb0928e86477834c7cb8e7f55 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 19 Jan 2022 22:39:56 +0100
Subject: parser_bison: missing synproxy support in map declarations

Update parser to allow for maps with synproxy.

Fixes: f44ab88b1088 ("src: add synproxy stateful object support")
Signed-off-by: Pablo Neira Ayuso
---
 src/parser_bison.y | 1 +
 tests/shell/testcases/sets/0024named_objects_0 | 15 +++++++++++++++
 .../shell/testcases/sets/dumps/0024named_objects_0.nft | 18 ++++++++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 1136ab91..d67d16b8 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1984,6 +1984,7 @@ map_block_obj_type : COUNTER close_scope_counter { $$ = NFT_OBJECT_COUNTER; }
 | QUOTA close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
 | LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
 | SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
+ | SYNPROXY { $$ = NFT_OBJECT_SYNPROXY; }
 ;
 
 map_block : /* empty */ { $$ = $-1; }
diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/sets/0024named_objects_0
index 21200c3c..6d21e388 100755
--- a/tests/shell/testcases/sets/0024named_objects_0
+++ b/tests/shell/testcases/sets/0024named_objects_0
@@ -18,6 +18,15 @@ table inet x {
 quota user124 {
 over 2000 bytes
 }
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+ synproxy other-synproxy {
+ mss 1460
+ wscale 5
+ }
 set y {
 type ipv4_addr
 }
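Review bot: In src/parser_bison.y, the new `SYNPROXY` alternative of `map_block_obj_type` is the only one with no `close_scope_*` rule after the keyword; `COUNTER`, `QUOTA`, `LIMIT` and `SECMARK` each have one. If the scanner enters a start condition on `synproxy`, that scope would stay open after a map type declaration and later tokens of the ruleset could be lexed in the wrong state; this cannot be confirmed from the hunk, and the rule itself begins above it. If no such scope exists, a short comment on the line, for example `/* synproxy has no scanner scope to close */`, would keep the omission from reading as an oversight.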
@@ -25,9 +34,15 @@ table inet x {
 type ipv4_addr : quota
 elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"}
 }
+ map test2 {
+ type ipv4_addr : synproxy
+ flags interval
+ elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
 chain y {
 type filter hook input priority 0; policy accept;
 counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
+ synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
 quota name ip saddr map @test drop
 }
 }"
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
index 2ffa4f2f..52d1bf64 100644
--- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
@@ -15,6 +15,17 @@ table inet x {
 over 2000 bytes
 }
 
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+
+ synproxy other-synproxy {
+ mss 1460
+ wscale 5
+ }
+
 set y {
 type ipv4_addr
 }
@@ -24,9 +35,16 @@ table inet x {
 elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
 }
 
+ map test2 {
+ type ipv4_addr : synproxy
+ flags interval
+ elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
+
 chain y {
 type filter hook input priority filter; policy accept;
 counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+ synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
 quota name ip saddr map @test drop
 }
 }
--
cgit v1.2.3
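Review bot: In the second hunk of tests/shell/testcases/sets/0024named_objects_0, the named map `test2` is declared but no rule references it; the added rule uses an anonymous map, while the existing quota rule looks up `map @test`. As written, the test covers parsing and listing of the new map type but not a statement that resolves synproxy objects through the named interval map. A further rule in chain y such as `synproxy name ip saddr map @test2` would cover that, assuming the statement accepts a map reference the way the quota rule does, and the dump file 0024named_objects_0.nft would need the same line. The chain and table bodies start outside the hunk.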