scanner: add tcp flex scope
authorFlorian Westphal <fw@strlen.de>
Sun, 21 Nov 2021 22:33:05 +0000 (23:33 +0100)
committerFlorian Westphal <fw@strlen.de>
Wed, 1 Dec 2021 13:11:39 +0000 (14:11 +0100)
This moves the tcp option keywords not used anywhere else (e.g. not in synproxy) into a
distinct scanner scope.  This also allows new option keywords to be added later
without exposing them in the top-level ruleset context.

Signed-off-by: Florian Westphal <fw@strlen.de>
include/parser.h
src/parser_bison.y
src/scanner.l

index e8635b4c0feb776a6e7984a22a3804aa71937800..cb7d12a36edb01bc0656ec7f9892ea674b52a529 100644 (file)
@@ -40,6 +40,7 @@ enum startcond_type {
        PARSER_SC_QUOTA,
        PARSER_SC_SCTP,
        PARSER_SC_SECMARK,
+       PARSER_SC_TCP,
        PARSER_SC_VLAN,
        PARSER_SC_CMD_LIST,
        PARSER_SC_EXPR_FIB,
index bc5ec2e667b8e0524160781734ef05204d7f58c6..2606098534e6a00829bd7620fb21c34d29438631 100644 (file)
@@ -929,6 +929,7 @@ close_scope_list    : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); }
 close_scope_limit      : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
 close_scope_numgen     : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
 close_scope_quota      : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
+close_scope_tcp                : { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); }
 close_scope_queue      : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
 close_scope_rt         : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
 close_scope_sctp       : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
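Review bot: The new `close_scope_tcp` rule on the `+` line omits the trailing `;` that its neighbours `close_scope_quota`, `close_scope_queue` and `close_scope_rt` carry, and it is slotted between `quota` and `queue`, which breaks the alphabetical order the surrounding rules otherwise follow. Bison tolerates a rule without a terminating semicolon (the context line `close_scope_list` shows the same), so this is cosmetic, but it makes the list harder to scan and grep. I would write `close_scope_tcp	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_TCP); };` and place it after `close_scope_sctp`.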
@@ -3109,7 +3110,7 @@ level_type                :       string
                        }
                        ;
 
-log_flags              :       TCP     log_flags_tcp
+log_flags              :       TCP     log_flags_tcp   close_scope_tcp
                        {
                                $$ = $2;
                        }
@@ -3360,7 +3361,7 @@ reject_opts               :       /* empty */
                                $<stmt>0->reject.expr = $3;
                                datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
                        }
-                       |       WITH    TCP     RESET
+                       |       WITH    TCP     close_scope_tcp RESET
                        {
                                $<stmt>0->reject.type = NFT_REJECT_TCP_RST;
                        }
@@ -4460,7 +4461,7 @@ ct_cmd_type               :       HELPERS         { $$ = CMD_OBJ_CT_HELPERS; }
                        |       EXPECTATION     { $$ = CMD_OBJ_CT_EXPECT; }
                        ;
 
-ct_l4protoname         :       TCP     { $$ = IPPROTO_TCP; }
+ct_l4protoname         :       TCP     close_scope_tcp { $$ = IPPROTO_TCP; }
                        |       UDP     { $$ = IPPROTO_UDP; }
                        ;
 
@@ -4734,7 +4735,7 @@ primary_rhs_expr  :       symbol_expr             { $$ = $1; }
                        |       integer_expr            { $$ = $1; }
                        |       boolean_expr            { $$ = $1; }
                        |       keyword_expr            { $$ = $1; }
-                       |       TCP
+                       |       TCP     close_scope_tcp
                        {
                                uint8_t data = IPPROTO_TCP;
                                $$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5241,7 +5242,7 @@ payload_expr              :       payload_raw_expr
                        |       comp_hdr_expr
                        |       udp_hdr_expr
                        |       udplite_hdr_expr
-                       |       tcp_hdr_expr
+                       |       tcp_hdr_expr    close_scope_tcp
                        |       dccp_hdr_expr
                        |       sctp_hdr_expr
                        |       th_hdr_expr
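Review bot: Popping the TCP scope through the empty `close_scope_tcp` rule after `tcp_hdr_expr` only takes effect once the parser has reduced `tcp_hdr_expr`, and for alternatives whose length is not fixed after `tcp option <type>` bison generally has to read the following token first; that lookahead token is therefore still scanned in `SCANSTATE_TCP`. Because the state is declared inclusive (`%s`), the visible effect should be limited to an identifier directly following a tcp header expression that happens to spell a TCP-scope keyword (`count`, `time`, `left`, `right`, …) coming back as a keyword instead of a STRING, which then fails to parse; I have not traced the generated tables, so treat this as something to confirm. If that behaviour is accepted, a one-line comment on the rule, `/* scope pop happens after bison's lookahead; TCP-only keywords may be scanned one token further */`, would save the next reader from re-deriving it.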
index 455ef99fea8fe10570fdf7f4d5ccc85c51b12a8b..09fcbd094aa69761f6715bdbf81ce1ccf85bb8fa 100644 (file)
@@ -206,6 +206,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 %s SCANSTATE_QUOTA
 %s SCANSTATE_SCTP
 %s SCANSTATE_SECMARK
+%s SCANSTATE_TCP
 %s SCANSTATE_VLAN
 %s SCANSTATE_CMD_LIST
 %s SCANSTATE_EXPR_FIB
@@ -465,10 +466,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
        "value"                 { return VALUE; }
 }
 
+<SCANSTATE_TCP>{
 "echo"                 { return ECHO; }
 "eol"                  { return EOL; }
-"maxseg"               { return MSS; }
-"mss"                  { return MSS; }
 "nop"                  { return NOP; }
 "noop"                 { return NOP; }
 "sack"                 { return SACK; }
@@ -476,9 +476,6 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "sack1"                        { return SACK1; }
 "sack2"                        { return SACK2; }
 "sack3"                        { return SACK3; }
-"sack-permitted"       { return SACK_PERM; }
-"sack-perm"            { return SACK_PERM; }
-"timestamp"            { return TIMESTAMP; }
 "time"                 { return TIME; }
 
 "count"                        { return COUNT; }
@@ -486,6 +483,12 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 "right"                        { return RIGHT; }
 "tsval"                        { return TSVAL; }
 "tsecr"                        { return TSECR; }
+}
+"maxseg"               { return MSS; }
+"mss"                  { return MSS; }
+"sack-permitted"       { return SACK_PERM; }
+"sack-perm"            { return SACK_PERM; }
+"timestamp"            { return TIMESTAMP; }
 
 "icmp"                 { return ICMP; }
 "code"                 { return CODE; }
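Review bot: The closing `}` added on the `+` line turns `time`, `count`, `left`, `right`, `tsval` and `tsecr` into TCP-scope-only keywords; the diff re-adds `count` to another scope block and `sack` to the SCTP block to compensate, but I see no equivalent re-addition for `time`. If `meta time` (or any other grammar path) consumes the `TIME` token outside a scope that carries its own `"time"` rule, that syntax would now lex as a STRING and stop parsing — worth checking the scope blocks above this hunk, which are not visible here, and covering `meta time` with a test if none exists. The five rules left after the `}` (`maxseg`, `mss`, `sack-permitted`, `sack-perm`, `timestamp`) stay global on purpose per the commit message; a comment such as `/* also used by synproxy: must remain in the default scope */` above `"maxseg"` would record that intent in the file rather than only in the log.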
@@ -524,7 +527,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "dport"                        { return DPORT; }
 "port"                 { return PORT; }
 
-"tcp"                  { return TCP; }
+"tcp"                  { scanner_push_start_cond(yyscanner, SCANSTATE_TCP); return TCP; }
 "ackseq"               { return ACKSEQ; }
 "doff"                 { return DOFF; }
 "window"               { return WINDOW; }
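Review bot: The `"tcp"` rule now pushes `SCANSTATE_TCP` unconditionally on every occurrence of the token, so the scanner relies on the grammar to pop exactly once per `TCP`; this diff adds pops on six grammar paths, and any other rule consuming `TCP` or `tcp_hdr_expr` that is not touched here (a `reset tcp option …` statement, if the grammar in this tree has one) would leave the scope pushed, so the stack grows per rule and the TCP-only keywords leak into the tokens that follow. I cannot see the rest of parser_bison.y, so this is a completeness check rather than a confirmed gap. A comment on this line, `/* every grammar rule consuming TCP must end in close_scope_tcp */`, would make the contract explicit at the point where it is created.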
@@ -560,6 +563,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
        "asconf"                { return ASCONF; }
 
        "tsn"                   { return TSN; }
+       "sack"                  { return SACK; }
        "stream"                { return STREAM; }
        "ssn"                   { return SSN; }
        "ppid"                  { return PPID; }
@@ -641,6 +645,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
        "label"                 { return LABEL; }
        "state"                 { return STATE; }
        "status"                { return STATUS; }
+       "count"                 { return COUNT; }
 }
 
 "numgen"               { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }