Add a new set_elem_expr_stmt production to handle dynamic set element updates from rules. Quickly tested this here through: # nft add table filter # nft add chain filter input { type filter hook input priority 0\; } # nft add set filter myset { type inet_service\; flags timeout\; } # nft add rule filter input set add tcp sport timeout 60s @myset # nft list ruleset table ip filter { set myset { type inet_service flags timeout elements = { http expires 9s} } chain input { type filter hook input priority 0; policy accept; set add tcp dport timeout 1m @myset } } Fixes: a3e60492a684 ("parser: restrict relational rhs expression recursion") Reported-by: Anders K. Pedersen <akp@xxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/parser_bison.y | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index d7cba23..d946e0e 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -523,6 +523,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %destructor { expr_free($$); } set_expr set_list_expr set_list_member_expr
 %type <expr> set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr
 %destructor { expr_free($$); } set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr
+%type <expr> set_elem_expr_stmt set_elem_expr_stmt_alloc
+%destructor { expr_free($$); } set_elem_expr_stmt set_elem_expr_stmt_alloc
 %type <expr> flow_key_expr flow_key_expr_alloc
 %destructor { expr_free($$); } flow_key_expr flow_key_expr_alloc
@@ -1781,7 +1783,17 @@ queue_stmt_flag : BYPASS { $$ = NFT_QUEUE_FLAG_BYPASS; }
 | FANOUT { $$ = NFT_QUEUE_FLAG_CPU_FANOUT; }
 ;
 
-set_stmt : SET set_stmt_op set_elem_expr symbol_expr
+set_elem_expr_stmt : set_elem_expr_stmt_alloc
+ | set_elem_expr_stmt_alloc set_elem_options
+ ;
+
+set_elem_expr_stmt_alloc: concat_expr
+ {
+ $$ = set_elem_expr_alloc(&@1, $1);
+ }
+ ;
+
+set_stmt : SET set_stmt_op set_elem_expr_stmt symbol_expr
 {
 $$ = set_stmt_alloc(&@$);
 $$->set.op = $2;
-- 
2.1.4
-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
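Review bot: The second alternative of the new `set_elem_expr_stmt` production (`set_elem_expr_stmt_alloc set_elem_options`) has no action and relies on bison's implicit default `$$ = $1`; the existing `set_elem_expr` presumably does the same, but writing it out as `| set_elem_expr_stmt_alloc set_elem_options { $$ = $1; }` makes it explicit that the element allocated by `set_elem_expr_alloc(&@1, $1)` is the value handed to `set_stmt`, while the `%destructor` added in the first hunk only covers it on a parse error. A short comment above `set_elem_expr_stmt_alloc` would also help a later reader, e.g. `/* Like set_elem_expr, but built from concat_expr so that set updates issued from rules are not subject to the relational rhs restriction from a3e60492a684 */`, since nothing in the grammar itself says why a second, near-identical production exists. Whether `set_elem_options` admits options that have no meaning for an element added at packet time cannot be seen from this hunk; if it does, they are now accepted syntactically and should be rejected during evaluation. The `set_stmt` action continues past the end of the hunk.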