nftables: added support for per-file variable scopes and global variables

Message ID 1825461.eMsbQJIbDQ@voxel
State Changes Requested
Delegated to: Pablo Neira

Commit Message

David Fabian April 30, 2018, 8:28 a.m.
Hello,

this series of patches follows a discussion brought here about adding support 
for deeper variable scopes especially in the flat notation. These patches add 
a new variable scope to each include statement. The new scope is a child of 
the parent scope (script in which the include resides). All variables in the 
parent are still accessible in the child but the parent cannot access child 
variables. This effectively creates a tree hierarchy and with the support of 
redefine, one can even mask inherited variables in the child scopes. Sibling 
scopes are not accessible from each other.

If one wants to have some global definitions in a separate script and not 
pollute the top-level script, one can use a new keyword global in the define 
like:

define global global_var=eth0

This puts $global_var to the top-level scope which is accessible from 
everywhere and it survives any include. Global re-definitions and undefines 
are also supported.
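
The lookup rules described in this cover letter, modelled as a chain of scopes with parent pointers. This is an added example, not code from the patch series or from nftables; the struct and function names are hypothetical, and define and redefine are folded into one function for brevity.

```c
/* Constructed model of the proposed scoping rules; not nftables source. */
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 8

struct scope {
	struct scope *parent;		/* NULL for the top-level script */
	const char *name[MAX_SYMS];
	const char *value[MAX_SYMS];
	int n;
};

/* define/redefine in this scope only; 0 on success, -1 if the scope is full */
static int scope_define(struct scope *s, const char *name, const char *value)
{
	for (int i = 0; i < s->n; i++)
		if (strcmp(s->name[i], name) == 0) {
			s->value[i] = value;	/* redefine masks or replaces */
			return 0;
		}
	if (s->n == MAX_SYMS)
		return -1;
	s->name[s->n] = name;
	s->value[s->n++] = value;
	return 0;
}

/* "define global": walk up to the top-level scope and define there */
static int scope_define_global(struct scope *s, const char *name, const char *value)
{
	while (s->parent)
		s = s->parent;
	return scope_define(s, name, value);
}

/* innermost scope first, then ancestors; sibling scopes are never visited */
static const char *scope_lookup(const struct scope *s, const char *name)
{
	for (; s; s = s->parent)
		for (int i = 0; i < s->n; i++)
			if (strcmp(s->name[i], name) == 0)
				return s->value[i];
	return NULL;
}

int main(void)
{
	struct scope top = {0}, inc_a = { .parent = &top }, inc_b = { .parent = &top };
	scope_define(&top, "wan", "eth0");
	scope_define(&inc_a, "wan", "eth1");		/* masks the inherited value */
	scope_define_global(&inc_b, "mgmt", "eth2");	/* lands in the top scope */
	printf("%s %s %s\n", scope_lookup(&inc_a, "wan"),
	       scope_lookup(&inc_b, "wan"), scope_lookup(&inc_a, "mgmt"));
	return 0;
}
```

For a ruleset author the practical consequence is that the same $name can resolve to different interfaces or addresses depending on which included file a rule sits in, so masked names deserve a check when reviewing includes.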

Comments

Pablo Neira Ayuso May 23, 2018, 7:59 a.m. | #1
On Mon, Apr 30, 2018 at 10:28:16AM +0200, David Fabian wrote:
> Hello,
> 
> this series of patches follows a discussion brought here about adding support 
> for deeper variable scopes especially in the flat notation. These patches add 
> a new variable scope to each include statement. The new scope is a child of 
> the parent scope (script in which the include resides). All variables in the 
> parent are still accessible in the child but the parent cannot access child 
> variables. This effectively creates a tree hierarchy and with the support of 
> redefine, one can even mask inherited variables in the child scopes. Sibling 
> scopes are not accessible from each other.
> 
> If one wants to have some global definitions in a separate script and not 
> pollute the top-level script, one can use a new keyword global in the define 
> like:
> 
> define global global_var=eth0

Better probably "global define" instead, so we make sure no script
using the $global variable out there breaks.

> This puts $global_var to the top-level scope which is accessible from 
> everywhere and it survives any include. Global re-definitions and undefines 
> are also supported.

Please send us the patches using git send-email, instead of them all
attached to one single email, so patchwork [1] tracks them.

Make sure your patches apply to nftables.git HEAD. Thanks!

[1] http://patchwork.ozlabs.org/project/netfilter-devel/list/

Patch

From 12bdc9e48ddfc9fc539713f4dfb0204aaf3bbdfe Mon Sep 17 00:00:00 2001
From: David Fabian <david.fabian@bosson.cz>
Date: Mon, 30 Apr 2018 09:21:44 +0200
Subject: [PATCH 7/7] Call proper nft binary in run-tests.sh

---
 tests/shell/run-tests.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index b52611b..6a0830f 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -123,7 +123,7 @@  do
 
 			if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == "${POSITIVE_RET}" ] && [ ! -f "${dumpfile}" ]; then
 				mkdir -p "${dumppath}"
-				nft list ruleset > "${dumpfile}"
+				$NFT list ruleset > "${dumpfile}"
 			fi
 		else
 			((failed++))
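Review bot: $NFT is expanded unquoted on the added line, so a binary path containing whitespace would be word-split before "list ruleset"; quote it as "$NFT", or, if the variable is meant to carry a wrapper command plus arguments, say so in the commit message, which has no body explaining why the bare nft from PATH was the wrong binary here. Separately, the exit status of the list command is not checked, so a failed dump still creates "${dumpfile}" through the redirection and the [ ! -f "${dumpfile}" ] guard will then skip regenerating it on later runs; consider removing the file on failure.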
-- 
2.13.6