What I'm not sure of is:
- Are these token values considered user-friendly or usable?
- Is printing of these values with their names desired?
What do you think?
-- 8< --
This patch adds the possibility to use textual names to set the chain priority
to basic values so that numeric values do not need to be learnt any more for
basic usage.
Example:
nft> add table inet x
nft> add chain inet x y {type filter hook prerouting priority PRIO_MANGLE ;}
nft> list ruleset
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
}
}
Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx>
---
src/parser_bison.y | 30 ++++++++++++++++++++++++++++--
src/scanner.l | 13 +++++++++++++
2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 034dd01..236e9be 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -21,6 +21,7 @@
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/netfilter/nf_nat.h>
#include <linux/netfilter/nf_log.h>
+#include <linux/netfilter_ipv4.h>
#include <netinet/ip_icmp.h>
#include <netinet/icmp6.h>
#include <libnftnl/common.h>
@@ -313,6 +314,19 @@ int nft_lex(void *, void *, void *);
%token NEXTHDR "nexthdr"
%token HOPLIMIT "hoplimit"
+%token PRIO_RAW_BEFORE_DEFRAG "PRIO_RAW_BEFORE_DEFRAG"
+%token PRIO_CONNTRACK_DEFRAG "PRIO_CONNTRACK_DEFRAG"
+%token PRIO_RAW "PRIO_RAW"
+%token PRIO_SELINUX_FIRST "PRIO_SELINUX_FIRST"
+%token PRIO_CONNTRACK "PRIO_CONNTRACK"
+%token PRIO_MANGLE "PRIO_MANGLE"
+%token PRIO_NAT_DST "PRIO_NAT_DST"
+%token PRIO_FILTER "PRIO_FILTER"
+%token PRIO_SECURITY "PRIO_SECURITY"
+%token PRIO_NAT_SRC "PRIO_NAT_SRC"
+%token PRIO_SELINUX_LAST "PRIO_SELINUX_LAST"
+%token PRIO_CONNTRACK_HELPER "PRIO_CONNTRACK_HELPER"
+
%token ICMP6 "icmpv6"
%token PPTR "param-problem"
%token MAXDELAY "max-delay"
@@ -1790,8 +1804,20 @@ hook_spec : TYPE STRING HOOK STRING dev_spec PRIORITY prio_spec
}
;
-prio_spec : NUM { $$ = $1; }
- | DASH NUM { $$ = -$2; }
+prio_spec : NUM { $$ = $1; }
+ | DASH NUM { $$ = -$2; }
+ | PRIO_RAW_BEFORE_DEFRAG { $$ = NF_IP_PRI_RAW_BEFORE_DEFRAG; }
+ | PRIO_CONNTRACK_DEFRAG { $$ = NF_IP_PRI_CONNTRACK_DEFRAG; }
+ | PRIO_RAW { $$ = NF_IP_PRI_RAW; }
+ | PRIO_SELINUX_FIRST { $$ = NF_IP_PRI_SELINUX_FIRST; }
+ | PRIO_CONNTRACK { $$ = NF_IP_PRI_CONNTRACK; }
+ | PRIO_MANGLE { $$ = NF_IP_PRI_MANGLE; }
+ | PRIO_NAT_DST { $$ = NF_IP_PRI_NAT_DST; }
+ | PRIO_FILTER { $$ = NF_IP_PRI_FILTER; }
+ | PRIO_SECURITY { $$ = NF_IP_PRI_SECURITY; }
+ | PRIO_NAT_SRC { $$ = NF_IP_PRI_NAT_SRC; }
+ | PRIO_SELINUX_LAST { $$ = NF_IP_PRI_SELINUX_LAST;}
+ | PRIO_CONNTRACK_HELPER { $$ = NF_IP_PRI_CONNTRACK_HELPER; }
;
dev_spec : DEVICE STRING { $$ = $2; }
diff --git a/src/scanner.l b/src/scanner.l
index 416bd27..846bd34 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -427,6 +427,19 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"nexthdr" { return NEXTHDR; }
"hoplimit" { return HOPLIMIT; }
+"PRIO_RAW_BEFORE_DEFRAG" { return PRIO_RAW_BEFORE_DEFRAG; }
+"PRIO_CONNTRACK_DEFRAG" { return PRIO_CONNTRACK_DEFRAG; }
+"PRIO_RAW" { return PRIO_RAW; }
+"PRIO_SELINUX_FIRST" { return PRIO_SELINUX_FIRST; }
+"PRIO_CONNTRACK" { return PRIO_CONNTRACK; }
+"PRIO_MANGLE" { return PRIO_MANGLE; }
+"PRIO_NAT_DST" { return PRIO_NAT_DST; }
+"PRIO_FILTER" { return PRIO_FILTER; }
+"PRIO_SECURITY" { return PRIO_SECURITY; }
+"PRIO_NAT_SRC" { return PRIO_NAT_SRC; }
+"PRIO_SELINUX_LAST" { return PRIO_SELINUX_LAST; }
+"PRIO_CONNTRACK_HELPER" { return PRIO_CONNTRACK_HELPER; }
+
"icmpv6" { return ICMP6; }
"param-problem" { return PPTR; }
"max-delay" { return MAXDELAY; }
--
ecklm
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
