Re: [RFC PATCH nft] parser: Set base chain prios with textual names

On Mon, Jun 04, 2018 at 11:58:18AM +0200, Máté Eckl wrote:
> What I'm not sure of is:
> 	- Are these token values considered user-friendly or usable?
> 	- Is printing of these values with their names desired?
> 
> What do you think?
> 
> -- 8< --
> This patch adds the possibility to use textual names to set the chain priority
> to basic values so that numeric values do not need to be learnt any more for
> basic usage.
> 
> Example:
> 	nft> add table inet x
> 	nft> add chain inet x y {type filter hook prerouting priority PRIO_MANGLE ;}

That's fine, but I prefer more comprehensible (less programmer-oriented)
tag names, and also only expose the bare minimum that can be useful to
start with, i.e. those that are used by the iptables chain definitions
included in tables.

More comments below.

> 	nft> list ruleset
> 	table inet x {
> 		chain y {
> 			type filter hook prerouting priority -150; policy accept;
> 		}
> 	}
> 
> Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx>
> ---
>  src/parser_bison.y | 30 ++++++++++++++++++++++++++++--
>  src/scanner.l      | 13 +++++++++++++
>  2 files changed, 41 insertions(+), 2 deletions(-)
> 
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index 034dd01..236e9be 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -21,6 +21,7 @@
>  #include <linux/netfilter/nf_conntrack_tuple_common.h>
>  #include <linux/netfilter/nf_nat.h>
>  #include <linux/netfilter/nf_log.h>
> +#include <linux/netfilter_ipv4.h>
>  #include <netinet/ip_icmp.h>
>  #include <netinet/icmp6.h>
>  #include <libnftnl/common.h>
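Review bot: the header added here, <linux/netfilter_ipv4.h>, is the IPv4-specific one, while the commit message exercises the feature from the inet family (`add chain inet x y {type filter hook prerouting priority PRIO_MANGLE ;}`). A one-line comment next to the include saying that the NF_IP_PRI_* values are being reused as family-independent base-chain priorities would save the next reader from wondering whether ip6, arp, bridge and netdev chains get the same numbers.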
> @@ -313,6 +314,19 @@ int nft_lex(void *, void *, void *);
>  %token NEXTHDR			"nexthdr"
>  %token HOPLIMIT			"hoplimit"
>  
> +%token PRIO_RAW_BEFORE_DEFRAG   "PRIO_RAW_BEFORE_DEFRAG"
> +%token PRIO_CONNTRACK_DEFRAG    "PRIO_CONNTRACK_DEFRAG"
> +%token PRIO_RAW                 "PRIO_RAW"
> +%token PRIO_SELINUX_FIRST       "PRIO_SELINUX_FIRST"
> +%token PRIO_CONNTRACK           "PRIO_CONNTRACK"
> +%token PRIO_MANGLE              "PRIO_MANGLE"
> +%token PRIO_NAT_DST             "PRIO_NAT_DST"
> +%token PRIO_FILTER              "PRIO_FILTER"
> +%token PRIO_SECURITY            "PRIO_SECURITY"
> +%token PRIO_NAT_SRC             "PRIO_NAT_SRC"
> +%token PRIO_SELINUX_LAST        "PRIO_SELINUX_LAST"
> +%token PRIO_CONNTRACK_HELPER    "PRIO_CONNTRACK_HELPER"
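Review bot: every other keyword in this %token list is lowercase (`"nexthdr"`, `"hoplimit"`), but the twelve new ones are uppercase with a PRIO_ prefix, and each one reserves a new keyword in scanner.l (the 13 added scanner lines in the diffstat). Matching the names as plain strings against a name/value table keeps the scanner untouched and lets the names follow the existing lowercase keyword style. Worth a sentence in the commit message as well: `list ruleset` prints the resolved number (`priority -150;` in the example), so a ruleset dumped and reloaded loses the symbolic name unless printing is taught the reverse mapping.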

We can probably handle this as strings, so we don't need to update
scanner.l.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
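As an added example, not code from the RFC patch or from nftables itself, the following C shows the string-based alternative suggested in the reply: the parser receives the priority tag as an ordinary string and resolves it against a name/value table instead of a dedicated %token per name. The numeric values are the NF_IP_PRI_* constants from <linux/netfilter_ipv4.h> (PRIO_MANGLE = -150 as in the commit message example); the lowercase short names, the optional "prio_" prefix accepted for compatibility with the patch's spelling, the "tag + N" / "tag - N" offset syntax and the prio_parse/prio_of/prio_name helper names are assumptions made for this example. It also goes one step beyond the patch by providing the reverse lookup that `list ruleset` would need to print a name instead of a bare number.

```c
/* Added example, not part of the RFC patch or of nftables: resolve base-chain
 * priority tags as strings against a table instead of per-tag scanner tokens.
 * Values mirror the NF_IP_PRI_* enum; the lowercase names, the optional
 * "prio_" prefix and the "+ N" / "- N" offset syntax are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define PRIO_INVALID INT_MIN	/* sentinel for prio_of(); INT_MIN itself is rejected */

struct prio_tag {
	const char *name;
	int value;
};

/* Ascending by value, so every value maps back to exactly one name. */
static const struct prio_tag prio_tags[] = {
	{ "raw_before_defrag", -450 }, { "conntrack_defrag", -400 },
	{ "raw",               -300 }, { "selinux_first",    -225 },
	{ "conntrack",         -200 }, { "mangle",           -150 },
	{ "dstnat",            -100 }, { "filter",              0 },
	{ "security",            50 }, { "srcnat",            100 },
	{ "selinux_last",       225 }, { "conntrack_helper",  300 },
};
#define NPRIO (sizeof(prio_tags) / sizeof(prio_tags[0]))

static const char *skip_ws(const char *p)
{
	while (isspace((unsigned char)*p))
		p++;
	return p;
}

/* Parse "<tag>", "<tag> + N", "<tag> - N" or a plain signed integer.
 * Returns 0 and stores the priority in *out, or -1 on a syntax/range error. */
int prio_parse(const char *text, int *out)
{
	char tag[32];
	size_t n = 0, i;
	long base, off = 0;
	long long result;
	char *end;
	const char *p = skip_ws(text), *name;

	/* Plain number: keep accepting what the grammar accepts today. */
	if (*p == '-' || *p == '+' || isdigit((unsigned char)*p)) {
		errno = 0;
		base = strtol(p, &end, 10);
		if (errno || end == p || *skip_ws(end) != '\0')
			return -1;
		if (base < INT_MIN || base > INT_MAX)
			return -1;
		*out = (int)base;
		return 0;
	}

	/* Symbolic tag: case-insensitive [A-Za-z_]+, optional "prio_" prefix. */
	while (isalpha((unsigned char)*p) || *p == '_') {
		if (n + 1 >= sizeof(tag))
			return -1;
		tag[n++] = (char)tolower((unsigned char)*p++);
	}
	tag[n] = '\0';
	name = strncmp(tag, "prio_", 5) == 0 ? tag + 5 : tag;
	for (i = 0; i < NPRIO; i++)
		if (strcmp(prio_tags[i].name, name) == 0)
			break;
	if (i == NPRIO)
		return -1;	/* unknown tag; also catches the empty string */
	base = prio_tags[i].value;

	/* Optional offset, e.g. "filter + 10" to slot a chain after filter. */
	p = skip_ws(p);
	if (*p == '+' || *p == '-') {
		int sign = (*p == '-') ? -1 : 1;
		p = skip_ws(p + 1);
		if (!isdigit((unsigned char)*p))
			return -1;
		errno = 0;
		off = strtol(p, &end, 10);
		if (errno || off > INT_MAX)
			return -1;
		off *= sign;
		p = end;
	}
	if (*skip_ws(p) != '\0')
		return -1;	/* trailing garbage such as "raw 10" */

	result = (long long)base + off;
	if (result < INT_MIN || result > INT_MAX)
		return -1;
	*out = (int)result;
	return 0;
}

/* Convenience wrapper: the priority, or PRIO_INVALID on any error. */
int prio_of(const char *text)
{
	int v;
	if (prio_parse(text, &v) < 0 || v == PRIO_INVALID)
		return PRIO_INVALID;
	return v;
}

/* Reverse lookup for printing: exact matches only, so -150 prints as
 * "mangle" while -140 must be printed numerically by the caller. */
const char *prio_name(int value)
{
	size_t i;
	for (i = 0; i < NPRIO; i++)
		if (prio_tags[i].value == value)
			return prio_tags[i].name;
	return NULL;
}
```

With this approach the grammar keeps a single STRING/NUM alternative for the priority and calls prio_parse on it, so adding or renaming a tag is a table edit rather than a scanner and grammar change; prio_name gives `list ruleset` a way to print `priority mangle` instead of `priority -150` when the value matches a tag exactly, which keeps a dumped ruleset reloadable without the user relearning the numbers.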


