From 79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 24 Nov 2022 14:17:17 +0100
Subject: xt: Rewrite unsupported compat expression dumping

Choose a format which provides more information and is easily parseable. Then teach parsers about it and make it explicitly reject the ruleset giving a meaningful explanation. Also update the man pages with some more details.

Signed-off-by: Phil Sutter
---
 src/parser_bison.y | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'src/parser_bison.y')
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 760c23cf..d7cf8bc5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -626,6 +626,8 @@ int nft_lex(void *, void *, void *);
 %token IN "in"
 %token OUT "out"
+%token XT "xt"
+
 %type limit_rate_pkts
 %type limit_rate_bytes
@@ -900,6 +902,9 @@ int nft_lex(void *, void *, void *);
 %type optstrip_stmt
 %destructor { stmt_free($$); } optstrip_stmt
+%type xt_stmt
+%destructor { stmt_free($$); } xt_stmt
+
 %type boolean_expr
 %destructor { expr_free($$); } boolean_expr
 %type boolean_keys
@@ -991,6 +996,7 @@ close_scope_udplite : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDPL
 close_scope_log : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_LOG); }
 close_scope_synproxy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_SYNPROXY); }
+close_scope_xt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_XT); }
 common_block : INCLUDE QUOTED_STRING stmt_separator {
@@ -2879,6 +2885,18 @@ stmt : verdict_stmt
 | synproxy_stmt close_scope_synproxy
 | chain_stmt
 | optstrip_stmt
+ | xt_stmt close_scope_xt
+ ;
+
+xt_stmt : XT STRING STRING
+ {
+ $$ = NULL;
+ xfree($2);
+ xfree($3);
+ erec_queue(error(&@$, "unsupported xtables compat expression, use iptables-nft with this ruleset"),
+ state->msgs);
+ YYERROR;
+ }
 ;
 chain_stmt_type : JUMP { $$ = NFT_JUMP; }
--
cgit v1.2.3
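Review bot: The `xt_stmt` action in the last hunk always ends in `YYERROR`, so the `close_scope_xt` that follows it in the new `stmt` alternative (defined in the third hunk) is never reduced and `PARSER_SC_XT` is not popped on this path. The scanner side is outside this diff, which is limited to src/parser_bison.y, but if the `xt` token pushes that start condition, tokens read during error recovery would still be lexed in it and could produce misleading follow-on errors after the intended message. Consider popping in the action itself with `scanner_pop_start_cond(nft->scanner, PARSER_SC_XT);` before `YYERROR;`, or confirm that recovery resets the scanner state. A short comment above the `xfree()` calls, such as `/* bison does not run destructors for RHS symbols on YYERROR, so free $2 and $3 here */`, would also explain why they are needed.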