parser_bison: allow variable references in set elements definition

Andreas reports that he cannot use variables in set definitions:

	define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143

        set s-ext-2-int {
                type ipv4_addr . inet_service
                elements =  { $s-ext-2-int }
        }

This syntax is not correct though, since the curly braces should be
placed in the variable definition itself, so we have context to handle
this variable as a list of set elements.

The correct syntax that works after this patch is:

	define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }

	table inet forward {
        	set s-ext-2-int {
	                type ipv4_addr . inet_service
	                elements = $s-ext-2-int
	        }
	}

Reported-by: Andreas Hainke <andreas.hainke@foteviken.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/parser_bison.y b/src/parser_bison.y
index a87468e29bf39954a45a219151ebc286b5872e94..aac10dcc9b996760e87372bb1a22cfcb07c8c34b 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -525,8 +525,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %type <expr>                   verdict_map_expr verdict_map_list_expr verdict_map_list_member_expr
 %destructor { expr_free($$); } verdict_map_expr verdict_map_list_expr verdict_map_list_member_expr
 
-%type <expr>                   set_expr set_list_expr set_list_member_expr
-%destructor { expr_free($$); } set_expr set_list_expr set_list_member_expr
+%type <expr>                   set_expr set_block_expr set_list_expr set_list_member_expr
+%destructor { expr_free($$); } set_expr set_block_expr set_list_expr set_list_member_expr
 %type <expr>                   set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr
 %destructor { expr_free($$); } set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr
 %type <expr>                   set_elem_expr_stmt set_elem_expr_stmt_alloc
@@ -1061,7 +1061,7 @@ set_block         :       /* empty */     { $$ = $<set>-1; }
                                $1->gc_int = $3 * 1000;
                                $$ = $1;
                        }
-                       |       set_block       ELEMENTS        '='             set_expr
+                       |       set_block       ELEMENTS        '='             set_block_expr
                        {
                                $1->init = $4;
                                $$ = $1;
@@ -1069,6 +1069,10 @@ set_block                :       /* empty */     { $$ = $<set>-1; }
                        |       set_block       set_mechanism   stmt_seperator
                        ;
 
+set_block_expr         :       set_expr
+                       |       variable_expr
+                       ;
+
 set_flag_list          :       set_flag_list   COMMA           set_flag
                        {
                                $$ = $1 | $3;
@@ -1104,7 +1108,7 @@ map_block         :       /* empty */     { $$ = $<set>-1; }
                                $1->flags |= $3;
                                $$ = $1;
                        }
-                       |       map_block       ELEMENTS        '='             set_expr
+                       |       map_block       ELEMENTS        '='             set_block_expr
                        {
                                $1->init = $4;
                                $$ = $1;

diff --git a/tests/shell/testcases/nft-f/0009variable_0 b/tests/shell/testcases/nft-f/0009variable_0
new file mode 100755 (executable)
index 0000000..4d38707
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0009variable_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="define concat-set-variable = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
+
+table inet forward {
+       set concat-set-variable {
+               type ipv4_addr . inet_service
+               elements = \$concat-set-variable
+       }
+}"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile