... and hide the ipsec specific tokens from the INITITAL scope.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
include/parser.h | 1 +
src/parser_bison.y | 9 +++++----
src/scanner.l | 13 ++++++++-----
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index c3a85a4cf4c2..001698db259b 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -29,6 +29,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
PARSER_SC_EXPR_HASH,
+ PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
PARSER_SC_EXPR_QUEUE,
};
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 423dddfc2c6d..83d78a23b2ac 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ opt_newline : NEWLINE
;
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
@@ -4738,7 +4739,7 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
| IIFGROUP { $$ = NFT_META_IIFGROUP; }
| OIFGROUP { $$ = NFT_META_OIFGROUP; }
| CGROUP { $$ = NFT_META_CGROUP; }
- | IPSEC { $$ = NFT_META_SECPATH; }
+ | IPSEC close_scope_ipsec { $$ = NFT_META_SECPATH; }
| TIME { $$ = NFT_META_TIME_NS; }
| DAY { $$ = NFT_META_TIME_DAY; }
| HOUR { $$ = NFT_META_TIME_HOUR; }
@@ -4837,7 +4838,7 @@ xfrm_state_proto_key : DADDR { $$ = NFT_XFRM_KEY_DADDR_IP4; }
| SADDR { $$ = NFT_XFRM_KEY_SADDR_IP4; }
;
-xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key
+xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key close_scope_ipsec
{
if ($3 > 255) {
erec_queue(error(&@3, "value too large"), state->msgs);
@@ -4845,7 +4846,7 @@ xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key
}
$$ = xfrm_expr_alloc(&@$, $2, $3, $4);
}
- | IPSEC xfrm_dir xfrm_spnum nf_key_proto xfrm_state_proto_key
+ | IPSEC xfrm_dir xfrm_spnum nf_key_proto xfrm_state_proto_key close_scope_ipsec
{
enum nft_xfrm_keys xfrmk = $5;
@@ -4919,7 +4920,7 @@ rt_expr : RT rt_key
rt_key : CLASSID { $$ = NFT_RT_CLASSID; }
| NEXTHOP { $$ = NFT_RT_NEXTHOP4; }
| MTU { $$ = NFT_RT_TCPMSS; }
- | IPSEC { $$ = NFT_RT_XFRM; }
+ | IPSEC close_scope_ipsec { $$ = NFT_RT_XFRM; }
;
ct_expr : CT ct_key
diff --git a/src/scanner.l b/src/scanner.l
index 893364b7b9e7..cf3d7d52b4c5 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -197,6 +197,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option warn
%option stack
%s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
%s SCANSTATE_EXPR_QUEUE
@@ -594,12 +595,14 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"exthdr" { return EXTHDR; }
-"ipsec" { return IPSEC; }
-"reqid" { return REQID; }
-"spnum" { return SPNUM; }
+"ipsec" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_IPSEC); return IPSEC; }
+<SCANSTATE_EXPR_IPSEC>{
+ "reqid" { return REQID; }
+ "spnum" { return SPNUM; }
-"in" { return IN; }
-"out" { return OUT; }
+ "in" { return IN; }
+ "out" { return OUT; }
+}
"secmark" { return SECMARK; }
"secmarks" { return SECMARKS; }
--
2.26.2
