[nft,0/6] arbirary table/chain names

Message ID	20210316234039.15677-1-fw@strlen.de
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Florian Westphal <fw@strlen.de> To: <netfilter-devel@vger.kernel.org> Cc: Florian Westphal <fw@strlen.de> Subject: [PATCH nft 0/6] arbirary table/chain names Date: Wed, 17 Mar 2021 00:40:33 +0100 Message-Id: <20210316234039.15677-1-fw@strlen.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	arbirary table/chain names \| expand [nft,0/6] arbirary table/chain names [nft,1/6] scanner: add support for scope nesting [nft,2/6] scanner: counter: move to own scope [nft,3/6] scanner: log: move to own scope [nft,4/6] scanner: support arbitary table names [nft,5/6] scanner: support arbitrary chain names [nft,6/6] src: allow arbitary chain name in implicit rule add case

Message ID

20210316234039.15677-1-fw@strlen.de

Headers

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 0/6] arbirary table/chain names
Date: Wed, 17 Mar 2021 00:40:33 +0100
Message-Id: <20210316234039.15677-1-fw@strlen.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

arbirary table/chain names | expand

Message

Florian Westphal March 16, 2021, 11:40 p.m. UTC

This series allows (almost) arbitrary chain names.

Unsolved problem:
nft has implict 'rule add' behaviour, e.g.

'nft add rule ip filter input foo ip saddr 1.2.3.4 drop' can be written like
'nft ip filter input foo ip saddr 1.2.3.4 drop' or even
'nft filter input foo ip saddr 1.2.3.4 drop'.

IOW, the scanner cannot switch to the exclusive rule scope
added in patch 5 to allow for arbitrary names.

Patch 6 resolves this by switching state from bison, but this
requires to add future tokens to a special whitelist.

It might be better to omit patch 6 and/or deprecate the
implicit rule add behaviour.  See patch 6 for details.

Florian Westphal (6):
  scanner: add support for scope nesting
  scanner: counter: move to own scope
  scanner: log: move to own scope
  scanner: support arbitary table names
  scanner: support arbitrary chain names
  src: allow arbitary chain name in implicit rule add case

 include/parser.h   |  12 ++++
 src/parser_bison.y |  97 ++++++++++++++++++-------
 src/scanner.l      | 173 +++++++++++++++++++++++++++++++++++++++++----
 3 files changed, 241 insertions(+), 41 deletions(-)