Added undefine/redefine keywords

This is a small patch to nft which adds two new keywords - undefine and
redefine. undefine simply undefines a variable from the current scope.
redefine allows one to change a variable definition. We have a firewall
written in bash (using iptables) that is organized by customer VLANs.
Each VLAN has its own set of bash variables holding things like uplink
iface names, gateway IPs, etc. We want to rewrite the firewall to
nftables but are stuck on the fact that nft variables cannot be
overridden in the same scope. We have each VLAN configuration in a
separate file containing pre/post-routing, input, output and forward
rules,and we include those files to a master firewall configuration. One
solution is to rename all the variables with some VLAN specific
(pre/su)ffix. But that is cumbersome.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/rule.h b/include/rule.h
index d9c172dd93597306863e6d3065a7f2a55921464c..531222ce1efc50b49effb405a41204334b9101fe 100644 (file)
--- a/include/rule.h
+++ b/include/rule.h
@@ -82,6 +82,7 @@ struct symbol {
 
 extern void symbol_bind(struct scope *scope, const char *identifier,
                        struct expr *expr);
+extern int symbol_unbind(struct scope *scope, const char *identifier);
 extern struct symbol *symbol_lookup(const struct scope *scope,
                                    const char *identifier);
 

diff --git a/src/parser_bison.y b/src/parser_bison.y
index ec8b0dd894feaf9bad35aa38a20f8c13ed274f5c..df672b1e4ce79f83103a2267a4797d88427f57d2 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -185,6 +185,8 @@ int nft_lex(void *, void *, void *);
 
 %token INCLUDE                 "include"
 %token DEFINE                  "define"
+%token REDEFINE                        "redefine"
+%token UNDEFINE                        "undefine"
 
 %token FIB                     "fib"
 
@@ -763,6 +765,26 @@ common_block               :       INCLUDE         QUOTED_STRING   stmt_separator
                                symbol_bind(scope, $2, $4);
                                xfree($2);
                        }
+                       |       REDEFINE        identifier      '='     initializer_expr        stmt_separator
+                       {
+                               struct scope *scope = current_scope(state);
+
+                               /* ignore missing identifier */
+                               symbol_unbind(scope, $2);
+                               symbol_bind(scope, $2, $4);
+                               xfree($2);
+                       }
+                       |       UNDEFINE        identifier      stmt_separator
+                       {
+                               struct scope *scope = current_scope(state);
+
+                               if (symbol_unbind(scope, $2) < 0) {
+                                       erec_queue(error(&@2, "undefined symbol '%s'", $2),
+                                                  state->msgs);
+                                       YYERROR;
+                               }
+                               xfree($2);
+                       }
                        |       error           stmt_separator
                        {
                                if (++state->nerrs == nft->parser_max_errors)

diff --git a/src/rule.c b/src/rule.c
index c7b4b498801115e7e62b438544709c20f2021888..5b7219e82eaaa5819fdf7dc79ec641336848f9ac 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -485,6 +485,21 @@ void symbol_bind(struct scope *scope, const char *identifier, struct expr *expr)
        list_add_tail(&sym->list, &scope->symbols);
 }
 
+int symbol_unbind(struct scope *scope, const char *identifier)
+{
+       struct symbol *sym;
+
+       sym = symbol_lookup(scope, identifier);
+       if (!sym)
+               return -1;
+
+       list_del(&sym->list);
+       xfree(sym->identifier);
+       expr_free(sym->expr);
+       xfree(sym);
+       return 0;
+}
+
 struct symbol *symbol_lookup(const struct scope *scope, const char *identifier)
 {
        struct symbol *sym;

diff --git a/src/scanner.l b/src/scanner.l
index c3992a784c71eee2bc324453ff71f22e33cc9849..05c70afe4ac32dae37e661cd763c2d4295c6814e 100644 (file)
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -233,6 +233,8 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 
 "include"              { return INCLUDE; }
 "define"               { return DEFINE; }
+"redefine"             { return REDEFINE; }
+"undefine"             { return UNDEFINE; }
 
 "describe"             { return DESCRIBE; }