scanner: nat: Move to own scope
authorPhil Sutter <phil@nwl.cc>
Fri, 30 Jul 2021 15:26:31 +0000 (17:26 +0200)
committerPhil Sutter <phil@nwl.cc>
Tue, 1 Mar 2022 09:54:03 +0000 (10:54 +0100)
Unify nat, masquerade and redirect statements, they widely share their
syntax.

Note the workaround of adding "prefix" to SCANSTATE_IP. This is required
for 'snat ip prefix ...' style expressions.

Signed-off-by: Phil Sutter <phil@nwl.cc>
include/parser.h
src/parser_bison.y
src/scanner.l

index 79eadc0d7e52f8bd40a33ef07cec1484017d4547..0ff0ecfbad9acf6a02b2f3ffdef42bcb42132fee 100644 (file)
@@ -74,6 +74,7 @@ enum startcond_type {
        PARSER_SC_EXPR_UDPLITE,
 
        PARSER_SC_STMT_LOG,
+       PARSER_SC_STMT_NAT,
        PARSER_SC_STMT_REJECT,
        PARSER_SC_STMT_SYNPROXY,
 };
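Review bot: The new `PARSER_SC_STMT_NAT` entry carries no comment saying that its position matters. The parser pops `PARSER_SC_STMT_NAT` while the scanner pushes `SCANSTATE_STMT_NAT`, and the two appear to be kept in step only by being declared in the same slot, between the LOG and REJECT entries in both files. If that is the contract, state it once above the enum, e.g. `/* Order must match the %s start-condition declarations in scanner.l */`, unless such a comment already exists outside this hunk. A mismatch would compile cleanly and only show up as rulesets being scanned in the wrong scope. The enum body starts outside the hunk.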
index 2d419287a788c5801f1840e95ed88fb1f8437374..d8e9937bfff6b674de66114a6700d3646403304d 100644 (file)
@@ -955,6 +955,7 @@ close_scope_list    : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); }
 close_scope_limit      : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
 close_scope_mh         : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_MH); };
 close_scope_monitor    : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_MONITOR); };
+close_scope_nat                : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_NAT); };
 close_scope_numgen     : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_osf                : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_OSF); };
 close_scope_policy     : { scanner_pop_start_cond(nft->scanner, PARSER_SC_POLICY); };
@@ -2842,12 +2843,12 @@ stmt                    :       verdict_stmt
                        |       meta_stmt
                        |       log_stmt        close_scope_log
                        |       reject_stmt     close_scope_reject
-                       |       nat_stmt
+                       |       nat_stmt        close_scope_nat
                        |       tproxy_stmt
                        |       queue_stmt
                        |       ct_stmt
-                       |       masq_stmt
-                       |       redir_stmt
+                       |       masq_stmt       close_scope_nat
+                       |       redir_stmt      close_scope_nat
                        |       dup_stmt
                        |       fwd_stmt
                        |       set_stmt
@@ -4768,8 +4769,8 @@ keyword_expr              :       ETHER   close_scope_eth { $$ = symbol_value(&@$, "ether"); }
                        |       IP6     close_scope_ip6 { $$ = symbol_value(&@$, "ip6"); }
                        |       VLAN    close_scope_vlan { $$ = symbol_value(&@$, "vlan"); }
                        |       ARP     close_scope_arp { $$ = symbol_value(&@$, "arp"); }
-                       |       DNAT                    { $$ = symbol_value(&@$, "dnat"); }
-                       |       SNAT                    { $$ = symbol_value(&@$, "snat"); }
+                       |       DNAT    close_scope_nat { $$ = symbol_value(&@$, "dnat"); }
+                       |       SNAT    close_scope_nat { $$ = symbol_value(&@$, "snat"); }
                        |       ECN                     { $$ = symbol_value(&@$, "ecn"); }
                        |       RESET   close_scope_reset       { $$ = symbol_value(&@$, "reset"); }
                        |       ORIGINAL                { $$ = symbol_value(&@$, "original"); }
@@ -4858,7 +4859,7 @@ primary_rhs_expr  :       symbol_expr             { $$ = $1; }
                                                         BYTEORDER_HOST_ENDIAN,
                                                         sizeof(data) * BITS_PER_BYTE, &data);
                        }
-                       |       REDIRECT
+                       |       REDIRECT        close_scope_nat
                        {
                                uint8_t data = ICMP_REDIRECT;
                                $$ = constant_expr_alloc(&@$, &icmp_type_type,
index b885f84523b9761fd7d442df6632cc3c3a3a51ac..078bcc7084eba9bfaa721f7b26dc73a6b7f3a3f6 100644 (file)
@@ -240,6 +240,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_EXPR_UDPLITE
 
 %s SCANSTATE_STMT_LOG
+%s SCANSTATE_STMT_NAT
 %s SCANSTATE_STMT_REJECT
 %s SCANSTATE_STMT_SYNPROXY
 
@@ -403,7 +404,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 }
 
 "log"                  { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_LOG); return LOG; }
-"prefix"               { return PREFIX; }
+<SCANSTATE_STMT_LOG,SCANSTATE_STMT_NAT,SCANSTATE_IP>"prefix"           { return PREFIX; }
 <SCANSTATE_STMT_LOG>{
        "snaplen"               { return SNAPLEN; }
        "queue-threshold"       { return QUEUE_THRESHOLD; }
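Review bot: The start-condition list on the new `"prefix"` rule names `SCANSTATE_IP` but no ip6 counterpart, so `snat ip6 prefix ...` would presumably scan `prefix` as a plain string rather than `PREFIX`, assuming `ip6` pushes its own scope (the `close_scope_ip6` context line in the parser_bison.y hunk suggests it does). Consider `<SCANSTATE_STMT_LOG,SCANSTATE_STMT_NAT,SCANSTATE_IP,SCANSTATE_IP6>"prefix" { return PREFIX; }`. The same reasoning would apply to the `"addr"` rule in the last scanner hunk, which lists only `SCANSTATE_EXPR_RT` and `SCANSTATE_STMT_NAT`, so `dnat ip addr . port ...` style statements are worth checking. The reason for the ip entry lives only in the commit message; an in-file comment next to the rule would keep it from being removed later as apparently unrelated. For a packet-filter front end, a keyword silently falling out of scope means a ruleset that loaded before is rejected at load time, so a parser test for each affected form is worth adding.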
@@ -444,13 +445,16 @@ addrstring        ({macaddr}|{ip4addr}|{ip6addr})
        "icmpx"                 { return ICMPX; }
 }
 
-"snat"                 { return SNAT; }
-"dnat"                 { return DNAT; }
-"masquerade"           { return MASQUERADE; }
-"redirect"             { return REDIRECT; }
+"snat"                 { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return SNAT; }
+"dnat"                 { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return DNAT; }
+"masquerade"           { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return MASQUERADE; }
+"redirect"             { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return REDIRECT; }
 "random"               { return RANDOM; }
-"fully-random"         { return FULLY_RANDOM; }
-"persistent"           { return PERSISTENT; }
+<SCANSTATE_STMT_NAT>{
+       "fully-random"          { return FULLY_RANDOM; }
+       "persistent"            { return PERSISTENT; }
+       "port"                  { return PORT; }
+}
 
 "ll"                   { return LL_HDR; }
 "nh"                   { return NETWORK_HDR; }
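Review bot: Nothing at the four rewritten rules records that every grammar production consuming `SNAT`, `DNAT`, `MASQUERADE` or `REDIRECT` must now be followed by `close_scope_nat`. The parser hunks cover `stmt`, `keyword_expr` (DNAT/SNAT) and `primary_rhs_expr` (REDIRECT). Any other use of these tokens, if one exists outside the visible hunks, would leave `SCANSTATE_STMT_NAT` on the stack, so later pops would unwind the wrong scope. A comment above the `"snat"` rule would make the pairing explicit, e.g. `/* pushes SCANSTATE_STMT_NAT; each grammar use of these tokens must pop it via close_scope_nat */`. It would also help to say why `"random"` stays global while `"fully-random"`, `"persistent"` and `"port"` move into the scope block.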
@@ -614,7 +618,6 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 <SCANSTATE_CT,SCANSTATE_EXPR_DCCP,SCANSTATE_SCTP,SCANSTATE_TCP,SCANSTATE_EXPR_TH,SCANSTATE_EXPR_UDP,SCANSTATE_EXPR_UDPLITE>{
        "dport"                 { return DPORT; }
 }
-"port"                 { return PORT; }
 
 "tcp"                  { scanner_push_start_cond(yyscanner, SCANSTATE_TCP); return TCP; }
 
@@ -668,7 +671,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "rt0"                  { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT0; }
 "rt2"                  { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT2; }
 "srh"                  { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT4; }
-"addr"                 { return ADDR; }
+<SCANSTATE_EXPR_RT,SCANSTATE_STMT_NAT>"addr"                   { return ADDR; }
 
 "hbh"                  { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HBH); return HBH; }