On Mon, Jun 04, 2018 at 01:28:47PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 04, 2018 at 11:58:18AM +0200, Máté Eckl wrote:
> > What I'm not sure of is:
> >     - Are these token values considered user-friendly or usable?
> >     - Is printing of these values with their names desired?
> > 
> > What do you think?
> > 
> > -- 8< --
> > This patch adds the possibility to use textual names to set the chain priority
> > to basic values so that numeric values do not need to be learnt any more for
> > basic usage.
> > 
> > Example:
> >     nft> add table inet x
> >     nft> add chain inet x y {type filter hook prerouting priority PRIO_MANGLE ;}
> 
> That's fine, but I prefer more comprehensible (less programmer-oriented)
> tag names, and also only expose the bare minimum that can be useful to
> start with, i.e. those that are used by the iptables chain definitions
> included in tables.

Good idea, I will look after it.

> 
> More comments below.
> 
> >     nft> list ruleset
> >     table inet x {
> >             chain y {
> >                     type filter hook prerouting priority -150; policy accept;
> >             }
> >     }
> > 
> > Signed-off-by: Máté Eckl <[email protected]>
> > ---
> >  src/parser_bison.y | 30 ++++++++++++++++++++++++++++--
> >  src/scanner.l      | 13 +++++++++++++
> >  2 files changed, 41 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/parser_bison.y b/src/parser_bison.y
> > index 034dd01..236e9be 100644
> > --- a/src/parser_bison.y
> > +++ b/src/parser_bison.y
> > @@ -21,6 +21,7 @@
> >  #include <linux/netfilter/nf_conntrack_tuple_common.h>
> >  #include <linux/netfilter/nf_nat.h>
> >  #include <linux/netfilter/nf_log.h>
> > +#include <linux/netfilter_ipv4.h>
> >  #include <netinet/ip_icmp.h>
> >  #include <netinet/icmp6.h>
> >  #include <libnftnl/common.h>
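Review bot: the new include is the IPv4-specific uapi header, while the example in the commit message declares an `inet` chain, and nothing in the hunk says why this header is the right source for the other families. Please add a comment stating that the ip, ip6 and inet hooks share these priority numbers (linux/netfilter_ipv6.h carries the same values), and make sure the rule that consumes the names refuses them for families whose hook priorities are defined elsewhere, the bridge family in particular (linux/netfilter_bridge.h has its own enum), so a name is never mapped to a wrong hook position.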
> > @@ -313,6 +314,19 @@ int nft_lex(void *, void *, void *);
> >  %token NEXTHDR                     "nexthdr"
> >  %token HOPLIMIT                    "hoplimit"
> >  
> > +%token PRIO_RAW_BEFORE_DEFRAG   "PRIO_RAW_BEFORE_DEFRAG"
> > +%token PRIO_CONNTRACK_DEFRAG    "PRIO_CONNTRACK_DEFRAG"
> > +%token PRIO_RAW                 "PRIO_RAW"
> > +%token PRIO_SELINUX_FIRST       "PRIO_SELINUX_FIRST"
> > +%token PRIO_CONNTRACK           "PRIO_CONNTRACK"
> > +%token PRIO_MANGLE              "PRIO_MANGLE"
> > +%token PRIO_NAT_DST             "PRIO_NAT_DST"
> > +%token PRIO_FILTER              "PRIO_FILTER"
> > +%token PRIO_SECURITY            "PRIO_SECURITY"
> > +%token PRIO_NAT_SRC             "PRIO_NAT_SRC"
> > +%token PRIO_SELINUX_LAST        "PRIO_SELINUX_LAST"
> > +%token PRIO_CONNTRACK_HELPER    "PRIO_CONNTRACK_HELPER"
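Review bot: declaring one `%token` per priority name turns PRIO_RAW_BEFORE_DEFRAG through PRIO_CONNTRACK_HELPER into reserved words of the whole nft grammar, which is why scanner.l also needs the 13 added lines shown in the diffstat, and it means none of these words can be used as a chain, set or map name any more. Matching the names as ordinary STRING values inside the priority rule and resolving them through a lookup table needs no scanner change, keeps the keyword set small, and makes it trivial to restrict the list to the few names worth exposing. Whichever form is kept, the `list ruleset` output in the commit message still prints -150, so please also decide whether the printer should emit the symbolic name on an exact match.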
> 
> We can probably handle this as strings, so we don't need to update
> scanner.l

Could you describe in more detail what this means? I'm not clear about how scanner.l and
parser_bison.y are connected, or what exactly their roles are.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
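An added example (mine, not code from the patch or from the nftables tree) of the approach Pablo suggests above: leave scanner.l alone and resolve the priority names in the parser as ordinary strings through a lookup table. It also covers the two points raised against the quoted hunks: the names are only accepted for the families whose hook priorities the IPv4 header actually describes, and a reverse lookup gives `list ruleset` the option of printing a name instead of -150. The user-facing names (iptables table names, as the review asks for), the family check and the function names are this example's own assumptions; the numbers are those of enum nf_ip_hook_priorities in linux/netfilter_ipv4.h, hard-coded so the program builds without kernel headers.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Numbers from enum nf_ip_hook_priorities (linux/netfilter_ipv4.h), hard-coded
 * so this builds without kernel headers. The names are this example's own
 * choice (iptables table names), not the patch's PRIO_* tokens. */
static const struct {
	const char *name;
	int value;
} prio_names[] = {
	{ "raw",      -300 },	/* NF_IP_PRI_RAW */
	{ "mangle",   -150 },	/* NF_IP_PRI_MANGLE */
	{ "dstnat",   -100 },	/* NF_IP_PRI_NAT_DST */
	{ "filter",      0 },	/* NF_IP_PRI_FILTER */
	{ "security",   50 },	/* NF_IP_PRI_SECURITY */
	{ "srcnat",    100 },	/* NF_IP_PRI_NAT_SRC */
};
#define N_PRIO_NAMES (sizeof(prio_names) / sizeof(prio_names[0]))

/* ip, ip6 and inet share these numbers; bridge has its own enum in
 * linux/netfilter_bridge.h, so names must be rejected for it rather than
 * silently mapped to the wrong hook position. */
static int family_uses_ip_priorities(const char *family)
{
	return !strcmp(family, "ip") || !strcmp(family, "ip6") ||
	       !strcmp(family, "inet");
}

static const char *skip_spaces(const char *p)
{
	while (isspace((unsigned char)*p))
		p++;
	return p;
}

/* Accepts a signed integer (existing syntax, valid for every family) or one
 * of the names above, matched as a plain string so no scanner token is needed.
 * Returns 0 and stores the value in *out, or -1 on invalid input; an unknown
 * name is an error, never a silent 0. */
int parse_chain_priority(const char *family, const char *text, int *out)
{
	const char *p = skip_spaces(text);
	char *end;
	long value;
	size_t len;

	if (isdigit((unsigned char)*p) ||
	    ((*p == '-' || *p == '+') && isdigit((unsigned char)p[1]))) {
		errno = 0;
		value = strtol(p, &end, 10);
		if (errno || value < INT_MIN || value > INT_MAX ||
		    *skip_spaces(end) != '\0')
			return -1;
		*out = (int)value;
		return 0;
	}

	if (!family_uses_ip_priorities(family))
		return -1;
	for (len = 0; isalpha((unsigned char)p[len]); len++)
		;
	if (*skip_spaces(p + len) != '\0')	/* e.g. "PRIO_MANGLE" fails here */
		return -1;
	for (size_t i = 0; i < N_PRIO_NAMES; i++) {
		if (strlen(prio_names[i].name) == len &&
		    memcmp(prio_names[i].name, p, len) == 0) {
			*out = prio_names[i].value;
			return 0;
		}
	}
	return -1;
}

/* Reverse lookup for "list ruleset": the name on an exact match, else NULL so
 * the printer falls back to the number. */
const char *prio_value_to_name(int value)
{
	for (size_t i = 0; i < N_PRIO_NAMES; i++)
		if (prio_names[i].value == value)
			return prio_names[i].name;
	return NULL;
}

int main(void)
{
	const char *inputs[] = { "-150", "mangle", "PRIO_MANGLE", " filter " };
	int prio;

	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		if (parse_chain_priority("inet", inputs[i], &prio) == 0)
			printf("%-12s -> %d (%s)\n", inputs[i], prio,
			       prio_value_to_name(prio) ? prio_value_to_name(prio) : "-");
		else
			printf("%-12s -> invalid\n", inputs[i]);
	}
	return 0;
}
```

Because the names are resolved in the grammar action rather than the lexer, adding or renaming one is a table edit, and `mangle` stays usable as an identifier everywhere else in the ruleset.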
