[nft PATCH 0/2] Fix for failing 'counter ipsec ...' rule

The following rule is rejected by the parser:

| oifname "s_c" counter packets 0 bytes 0 ipsec out ip daddr 192.168.1.2 counter name "ipsec_out"

For unknown reasons, the COUNTER scope is not closed before parsing 'daddr',
which is not recognized in that scope.

This series adds a test case in patch 1 and a workaround in patch 2,
namely moving saddr/daddr keywords back to global scope. Eliminating the
whole COUNTER scope would also work, but is not a real solution either.

The fact that a scope closed three words ago still causes trouble proves
the concept is flawed. IMO one should abandon it and instead deploy
quoting of all user-defined strings on output and consequently allow all
user-defined strings to be quoted on input.

Phil Sutter (2):
  tests/py: Add a test for failing ipsec after counter
  Revert "scanner: remove saddr/daddr from initial state"

 src/scanner.l                 |  6 ++----
 tests/py/inet/ipsec.t         |  2 ++
 tests/py/inet/ipsec.t.json    | 21 +++++++++++++++++++++
 tests/py/inet/ipsec.t.payload |  6 ++++++
 4 files changed, 31 insertions(+), 4 deletions(-)

-- 
2.34.1
