Re: [nft PATCH RFC] scanner: nat: Move to own scope

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Phil Sutter <phil@xxxxxx> wrote:
> > So, it is in IP scope, sees 'prefix' (which will be STRING as the
> > PREFIX scan rule is off) and that ends up in a parser error due to lack
> > of a 'IP STRING' rule.
> OK, thanks. So does this mean we won't ever be able to move keywords
> opening a statement or expression out of INIT scope or is my case a
> special one?

We can move them out of INIT scope, but only if they remain within
the same scope.

For example, you could create a 'rule scope' or 'expression scope'
that contains all tokens (ip, tcp, etc.) that start a new expression.

I did not do this because there are too many cases where expressions are
permitted outside of rule scope, e.g. in set definitions (key, elements

> To clarify, what I have in mind is a sample rule 'ip id 1 tcp dport 1'
> where 'tcp' must either be in INIT scope or part of SC_IP. 

IP and TCP need to be in the same scope (e.g. INIT).

In the given example I suspect that TCP doesn't have to be in SC_IP
scope since 'ip id 1' is a full expression and scope closure happens
before next token gets scanned.

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux