From patchwork Mon Jan 22 13:53:09 2018
X-Patchwork-Id: 864259
From: David Fabian
To: netfilter-devel@vger.kernel.org
Subject: question about UNDEFINE/REDEFINE
Date: Mon, 22 Jan 2018 14:53:09 +0100
Message-ID: <3622208.jy4NlOniyd@voxel>
Organization: ÚVT, s.r.o.
X-Mailing-List: netfilter-devel@vger.kernel.org

Hello,

we have a firewall written in bash (using iptables) that is organized by customer VLANs. Each VLAN has its own set of bash variables holding things like uplink iface names, gateway IPs, etc. We want to rewrite the firewall to nftables but are stuck on the fact that nft variables cannot be overridden in the same scope. We have each VLAN configuration in a separate file containing pre/post-routing, input, output and forward rules, and we include those files into a master firewall configuration.

One solution is to rename all the variables with some VLAN-specific (pre/su)ffix. But that is cumbersome.

I have made a small patch to nft which adds two new keywords - undefine and redefine. undefine simply undefines a variable from the current scope. redefine allows one to change a variable definition. The patch works against the latest Fedora nft (version 0.7) but I believe it should work against master as well.

I don't know how to properly send the patch to the project so I am attaching it here. I would like to know your opinion.

From 43abd3a12670b54739f0a7f6500aa315b3905f08 Mon Sep 17 00:00:00 2001
From: David Fabian
Date: Mon, 22 Jan 2018 14:02:11 +0100
Subject: [PATCH] Added undefine/redefine keywords

---
 include/rule.h     |  1 +
 src/parser_bison.y | 23 +++++++++++++++++++++++
 src/rule.c         | 16 ++++++++++++++++
 src/scanner.l      |  2 ++
 4 files changed, 42 insertions(+)
diff --git a/include/rule.h b/include/rule.h index b9b4a19..4524b4d 100644 --- a/include/rule.h +++ b/include/rule.h @@ -80,6 +80,7 @@ struct symbol { extern void symbol_bind(struct scope *scope, const char *identifier, struct expr *expr); +extern int symbol_unbind(struct scope *scope, const char *identifier); extern struct symbol *symbol_lookup(const struct scope *scope, const char *identifier); diff --git a/src/parser_bison.y b/src/parser_bison.y index deaaf06..4cc1b47 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -167,6 +167,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token INCLUDE "include" %token DEFINE "define" +%token REDEFINE "redefine" +%token UNDEFINE "undefine" %token FIB "fib" @@ -661,6 +663,27 @@ common_block : INCLUDE QUOTED_STRING stmt_seperator symbol_bind(scope, $2, $4); xfree($2); } + | REDEFINE identifier '=' initializer_expr stmt_seperator + { + struct scope *scope = current_scope(state); + + /* ignore missing identifier */ + symbol_unbind(scope, $2); + symbol_bind(scope, $2, $4); + xfree($2); + } + | UNDEFINE identifier stmt_seperator + { + struct scope *scope = current_scope(state); + + if (symbol_unbind(scope, $2) < 0) { + erec_queue(error(&@2, "undefined symbol '%s'", $2), + state->msgs); + YYERROR; + } + + xfree($2); + } | error stmt_seperator { if (++state->nerrs == max_errors) diff --git a/src/rule.c b/src/rule.c index f1bb6cf..f97c8e5 100644 --- a/src/rule.c +++ b/src/rule.c 
@@ -447,6 +447,22 @@ void symbol_bind(struct scope *scope, const char *identifier, struct expr *expr) list_add_tail(&sym->list, &scope->symbols); } +int symbol_unbind(struct scope *scope, const char *identifier) +{ + struct symbol *sym; + + if ((sym = symbol_lookup(scope, identifier)) == NULL) + { + return -1; + } + list_del(&sym->list); + xfree(sym->identifier); + expr_free(sym->expr); + xfree(sym); + return 0; +} + + struct symbol *symbol_lookup(const struct scope *scope, const char *identifier) { struct symbol *sym; diff --git a/src/scanner.l b/src/scanner.l index 625023f..2000554 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -231,6 +231,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "include" { return INCLUDE; } "define" { return DEFINE; } +"redefine" { return REDEFINE; } +"undefine" { return UNDEFINE; } "describe" { return DESCRIBE; } -- 2.14.3
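Review bot: in the REDEFINE action of the parser_bison.y common_block hunk, `redefine` silently creates a variable that was never defined (the `/* ignore missing identifier */` path discards the return value of symbol_unbind()), so a misspelled name in a VLAN file's `redefine` yields a new, unused variable instead of an error, and `redefine` on a fresh name becomes an undocumented synonym of `define`. If that is the intended semantics, say so in the commit message and the man page text; otherwise check the return value and queue an error the way the UNDEFINE action already does (`erec_queue(error(&@2, "undefined symbol '%s'", $2), state->msgs); YYERROR;`). Either way, both actions should be exercised in the same scope they report on: current_scope(state) is where the new binding goes, so the unbind should be limited to that scope as well.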
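Review bot: symbol_unbind() in the rule.c hunk deletes whatever symbol_lookup() returns, and the existing symbol_lookup() (unchanged by this patch) searches the enclosing scopes via scope->parent, not just the scope passed in. As written, `undefine` inside a table or chain block will remove a variable defined at top level, and `redefine` inside a block first frees the outer binding and then re-binds the name only in the inner scope, so the outer definition is gone once the block closes. The cover letter says `undefine` acts on the current scope; to match that, iterate `scope->symbols` directly here (or add a lookup variant that does not follow `parent`) and return -1 when the name is not bound in that scope. Style in the same hunk: the opening brace of the `if` body belongs on the `if` line and a single-statement body needs no braces (put the assignment on its own line and write `if (sym == NULL) return -1;`), and there are two blank lines before symbol_lookup() where the file uses one.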
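Review bot: the scanner.l hunk makes `redefine` and `undefine` reserved words everywhere, so an existing ruleset that uses either as a table, chain, set or variable name stops parsing after this patch; mention that in the commit message and check whether the grammar's identifier rule should accept these tokens as plain names the way it does for other keywords. The diffstat also shows no documentation or test changes: the new keywords need an entry next to `define` in the nft man page source, and a tests/shell case covering redefine of an existing name, redefine of a missing name, undefine, and undefine of a missing name (expected parse error) would pin down the semantics that the parser hunk currently leaves implicit.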
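As an added example, not part of the original mail or of the patch, here is how the per-VLAN layout described in the message could use the two proposed keywords. File names, interface names and addresses are assumed for illustration; the keyword semantics follow the patch as posted: `redefine` rebinds a name whether or not it is already bound, and `undefine` removes a binding and is a parse error if the name is not bound.

```nft
# master.nft (assumed file name): chains are created once, then every
# customer VLAN file is included. With the existing `define` only, the
# second include is rejected because vlan20.nft binds $uplink and $gw a
# second time in the same top-level scope.
table inet fw {
	chain input   { type filter hook input   priority 0; policy drop; }
	chain forward { type filter hook forward priority 0; policy drop; }
}

include "vlan10.nft"
include "vlan20.nft"

# vlan10.nft (assumed file name): first include, a plain define works
# exactly as before the patch.
define uplink = "eth0.10"
define gw = 10.10.0.1
add rule inet fw forward iifname $uplink ip saddr $gw accept
add rule inet fw input   iifname $uplink ip saddr $gw tcp dport 22 accept

# vlan20.nft (assumed file name): same variable names, rebound with the
# proposed `redefine` instead of erroring out. Because `redefine` also
# accepts a name that was never bound, every VLAN file can use it and
# the include order no longer matters.
redefine uplink = "eth0.20"
redefine gw = 10.20.0.1
add rule inet fw forward iifname $uplink ip saddr $gw accept
add rule inet fw input   iifname $uplink ip saddr $gw tcp dport 22 accept

# Alternative: keep plain `define` in the VLAN files and have the master
# drop the names between includes with the proposed `undefine`:
#
#   include "vlan10.nft"
#   undefine uplink
#   undefine gw
#   include "vlan20.nft"
#
# Here a VLAN file that forgot to define one of the expected variables
# is caught early, since `undefine` of an unbound name is a parse error.
```

The `undefine` variant is the stricter of the two: it keeps every VLAN file on plain `define`, so a file that binds a variable twice or skips one still fails at load time, while the `redefine` variant trades that check for files that can be included in any order.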