
[nft] parser_bison: missing synproxy support in map declarations

Message ID 20220119214318.900947-1-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso Jan. 19, 2022, 9:43 p.m. UTC
Update parser to allow for maps with synproxy.

Fixes: f44ab88b1088 ("src: add synproxy stateful object support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y                             |  1 +
 tests/shell/testcases/sets/0024named_objects_0 | 15 +++++++++++++++
 .../sets/dumps/0024named_objects_0.nft         | 18 ++++++++++++++++++
 3 files changed, 34 insertions(+)

Patch

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 1136ab911f0f..d67d16b8bc8c 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1984,6 +1984,7 @@  map_block_obj_type	:	COUNTER	close_scope_counter { $$ = NFT_OBJECT_COUNTER; }
 			|	QUOTA	close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
 			|	LIMIT	close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
 			|	SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
+			|	SYNPROXY { $$ = NFT_OBJECT_SYNPROXY; }
 			;
 
 map_block		:	/* empty */	{ $$ = $<set>-1; }
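Review bot: The added `SYNPROXY` alternative in map_block_obj_type is the only one with no `close_scope_*` non-terminal after its token; COUNTER, QUOTA, LIMIT and SECMARK each close their scanner scope before the action runs. If the scanner has no synproxy start condition at this point, the line is correct as written, but the hunk does not show that. A short comment such as `/* synproxy has no scanner scope to close */` would keep the asymmetry from being read as an omission. Should a synproxy scope be introduced later, this alternative needs the matching close so that the tokens after `type ... : synproxy` are not scanned in the wrong scope.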
diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/sets/0024named_objects_0
index 21200c3cca3c..6d21e3884da9 100755
--- a/tests/shell/testcases/sets/0024named_objects_0
+++ b/tests/shell/testcases/sets/0024named_objects_0
@@ -18,6 +18,15 @@  table inet x {
 	quota user124 {
 		over 2000 bytes
 	}
+	synproxy https-synproxy {
+		mss 1460
+		wscale 7
+		timestamp sack-perm
+	}
+	synproxy other-synproxy {
+		mss 1460
+		wscale 5
+	}
 	set y {
 		type ipv4_addr
 	}
@@ -25,9 +34,15 @@  table inet x {
 		type ipv4_addr : quota
 		elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"}
 	}
+	map test2 {
+		type ipv4_addr : synproxy
+		flags interval
+		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
 	chain y {
 		type filter hook input priority 0; policy accept;
 		counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
+		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
 		quota name ip saddr map @test drop
 	}
 }"
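Review bot: The named map `test2` is declared but never looked up by a rule in chain y; the added synproxy rule uses an anonymous map instead. The test therefore covers parsing and dumping of the `ipv4_addr : synproxy` declaration, but not a reference to it. By analogy with the existing `quota name ip saddr map @test drop` line, a rule such as `synproxy name ip saddr map @test2` would presumably exercise the named path as well, with the same line added to the dump file. The ruleset string starts above this hunk.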
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
index 2ffa4f2ff757..52d1bf64b686 100644
--- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
@@ -15,6 +15,17 @@  table inet x {
 		over 2000 bytes
 	}
 
+	synproxy https-synproxy {
+		mss 1460
+		wscale 7
+		timestamp sack-perm
+	}
+
+	synproxy other-synproxy {
+		mss 1460
+		wscale 5
+	}
+
 	set y {
 		type ipv4_addr
 	}
@@ -24,9 +35,16 @@  table inet x {
 		elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
 	}
 
+	map test2 {
+		type ipv4_addr : synproxy
+		flags interval
+		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
+
 	chain y {
 		type filter hook input priority filter; policy accept;
 		counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
 		quota name ip saddr map @test drop
 	}
 }