WHen I simplified the parser to restrict 'queue num' I forgot that
instead of range and immediate value its also allowed to pass in
a variable expression, e.g.
define myq = 0
add rule ... 'queue num $myq bypass'
Allow those as well and add a test case for this.
Fixes: 767f0af82a389 ("parser: restrict queue num expressiveness")
Reported-by: Amish <anon.amish@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
queue_stmt_expr_simple : integer_expr
| range_rhs_expr
+ | variable_expr
;
queue_stmt_expr : numgen_expr
define d_ipv6 = fe0::1
define d_ipv6_2 = fe0::2
define d_ports = 100-222
+define d_qnum = 0
+define d_qnumr = 1-42
table inet t {
chain c {
ip daddr . meta iif vmap { \$d_ipv4 . \$d_iif : accept }
tcp dport \$d_ports
udp dport vmap { \$d_ports : accept }
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnum bypass
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass,fanout num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue to symhash mod 2
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass to jhash tcp dport . tcp sport mod 4
}
}"
ip daddr . iif vmap { 10.0.0.0 . "lo" : accept }
tcp dport 100-222
udp dport vmap { 100-222 : accept }
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass num 0
+ tcp sport 1 tcp dport 1 oifname "foobar" queue num 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass,fanout num 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to symhash mod 2
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to jhash tcp dport . tcp sport mod 4
}
}
projects / thirdparty / nftables.git / commitdiff
