This is the initial batch of patches to rework the nft scanner.

This adds a start condition stack and moves a few expressions to use
start conditions.

This first batch only comes with inclusive start conditions, i.e. the
rules in INITIAL scope are still recognized; the only change is that
the tokens moved to per-expression start conditions disappear from the
INITIAL scope.

For example, after this series 'chain mod' is no longer a syntax error
because the MOD token isn't part of the initial scope anymore.

The next set of patches (not included here) adds start conditions for
ip, ip6, arp, ether and makes saddr/daddr recognized as STRING unless
part of a 'ip/ip6 ...' expression.

The plan is to introduce exclusive scopes to deal with table/chain
names, i.e. 'TABLE' and 'CHAIN' keywords switch nft into a mode where
all default rules are disabled.

This will then allow handling really weird rulesets like

    table ip chain {
     chain netdev {
      meta iifname saddr ip saddr 1.2.3.4 ...
    }

and so on.

Main motivation is to avoid breakage of existing rulesets, e.g.

    table inet filter {
     chain vid { ...

when a future version of nft adds a 'vid' token.

Another effect is that this reduces the need for workarounds like e.g.
'parser: allow classid as set key' and other workarounds that needed to
(re-)enable keywords in STRING context.

Florian Westphal (6):
  scanner: remove unused tokens
  scanner: introduce start condition stack
  scanner: queue: move to own scope
  scanner: ipsec: move to own scope
  scanner: rt: move to own scope
  scanner: socket: move to own scope

 include/parser.h   | 12 +++++++
 src/parser_bison.y | 41 +++++++++++-----------
 src/scanner.l      | 86 ++++++++++++++++++++++++++++++----------------
 3 files changed, 89 insertions(+), 50 deletions(-)

-- 
2.26.2
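
Added example, not part of the patch series or of nft's code: a toy C model of the start condition stack described above, showing why 'mod' after 'chain' scans as STRING once MOD leaves the INITIAL scope, and how the planned exclusive name scope would differ. The scope names SC_EXPR and SC_NAME, the 'expr' keyword, the keyword table and the exclusive_names switch are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a scanner start-condition stack; not nft's scanner code. */
enum scope { SC_INITIAL, SC_EXPR, SC_NAME };   /* SC_EXPR, SC_NAME: hypothetical */
enum tok { T_STRING, T_CHAIN, T_EXPR, T_MOD };

struct kw { const char *word; enum tok tok; enum scope scope; };

/* Constructed keyword table: "mod" is a keyword only inside SC_EXPR. */
static const struct kw keywords[] = {
	{ "chain", T_CHAIN, SC_INITIAL },
	{ "expr",  T_EXPR,  SC_INITIAL },
	{ "mod",   T_MOD,   SC_EXPR },
};

struct scanner { enum scope stack[8]; int top; };

static void scope_push(struct scanner *s, enum scope sc) { if (s->top < 7) s->stack[++s->top] = sc; }
static void scope_pop(struct scanner *s) { if (s->top > 0) s->top--; }

/* Classify one word under the scope on top of the stack. */
static enum tok scan_word(struct scanner *s, const char *w, int exclusive_names)
{
	enum scope cur = s->stack[s->top];
	enum tok t = T_STRING;

	for (size_t i = 0; i < sizeof(keywords) / sizeof(keywords[0]); i++) {
		/* Inclusive scope: own rules plus INITIAL rules. SC_NAME is exclusive: no keywords. */
		int active = cur != SC_NAME &&
			     (keywords[i].scope == cur || keywords[i].scope == SC_INITIAL);
		if (active && strcmp(keywords[i].word, w) == 0)
			t = keywords[i].tok;
	}
	if (cur == SC_NAME)
		scope_pop(s);                /* the name has been consumed */
	else if (t == T_EXPR)
		scope_push(s, SC_EXPR);      /* popped by the caller, as a parser action would */
	else if (t == T_CHAIN && exclusive_names)
		scope_push(s, SC_NAME);      /* models the planned exclusive scope */
	return t;
}

int main(void)
{
	struct scanner s = { { SC_INITIAL }, 0 };
	enum tok a = scan_word(&s, "chain", 0), b = scan_word(&s, "mod", 0);
	printf("chain=%d mod=%d\n", a, b);   /* mod is T_STRING in INITIAL scope */
	return 0;
}
```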