
Top level NFTABLES Keywords

Egbert edited this page Sep 24, 2020 · 4 revisions

To start the whole Vim syntax design, all top-level keywords need to be identified.

SOURCE

All keywords (and, for each of them, the keyword that may follow it) are found in src/parser_bison.y in the Netfilter nftables Git repository.
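As an added example (not part of this wiki page or of the nftables project), the POSIX shell script below shows how "which keyword may begin each alternative" is read out of a bison grammar: it resolves the `%token NAME "literal"` declarations to the quoted spelling the CLI user types, then lists the first token of every alternative of a chosen nonterminal, which is exactly the base_cmd / add_cmd walk done by hand further down this page. The grammar it reads is a small constructed fragment written in the style of parser_bison.y, not the real file; the function name first_tokens and the assumption that each rule header is written as `name : ...` with the name as the first word on its line are the example's own.

```shell
#!/bin/sh
# Added example (not part of the nftables project): list the token that can
# begin each alternative of a bison nonterminal, resolving %token names to
# the quoted keyword the CLI user actually types.
set -eu

# Constructed grammar fragment in the style of src/parser_bison.y; it is NOT
# the real nftables grammar (rule shapes and names are only illustrative).
GRAMMAR=$(mktemp)
trap 'rm -f "$GRAMMAR"' EXIT
cat >"$GRAMMAR" <<'EOF'
%token ADD      "add"
%token REPLACE  "replace"
%token CREATE   "create"
%token INSERT   "insert"
%token DELETE   "delete"
%token LIST     "list"
%token TABLE    "table"
%token CHAIN    "chain"
%%
base_cmd    :   /* empty */     add_cmd         { $$ = $1; }
            |   ADD             add_cmd         { $$ = $2; }
            |   REPLACE         replace_cmd     { $$ = $2; }
            |   CREATE          create_cmd      { $$ = $2; }
            |   INSERT          insert_cmd      { $$ = $2; }
            |   DELETE          delete_cmd      { $$ = $2; }
            |   LIST            list_cmd        { $$ = $2; }
            ;
add_cmd     :   TABLE           table_spec
                {
                    $$ = $2;
                }
            |   CHAIN           chain_spec      { $$ = $2; }
            |   rule_position   rule            { $$ = $2; }
            ;
EOF

# first_tokens GRAMMAR NONTERMINAL
# Prints one line per alternative of NONTERMINAL: "keyword <spelling>" when
# the alternative starts with a %token that has a quoted literal, otherwise
# "nonterminal <name>" (an alternative that is entirely empty prints nothing).
# Assumes the rule header is written as "name : ..." with the name first on
# its line, as parser_bison.y does; actions may span several lines.
first_tokens() {
  awk -v rule="$2" '
    # %token NAME "literal": remember how the token is spelled on the CLI.
    $1 == "%token" && NF >= 3 { gsub(/"/, "", $3); lit[$2] = $3; next }

    # Rule header switches collection on; strip "name :" from the line.
    !inrule && $1 == rule && $2 == ":" { inrule = 1; sub(/^[^:]*:/, "") }
    !inrule { next }

    {
      line = $0
      # Still inside an action block opened on an earlier line: skip it.
      if (depth > 0) {
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        next
      }
      gsub(/\/\*[^*]*\*\//, "", line)            # drop /* comments */
      if (match(line, /[{]/)) {                    # cut off the action ...
        action = substr(line, RSTART)
        line = substr(line, 1, RSTART - 1)
        depth = gsub(/[{]/, "{", action) - gsub(/[}]/, "}", action)
      }                                            # ... noting if it stays open
      last = (line ~ /;/)                          # ";" terminates the rule
      sub(/;.*/, "", line)
      n = split(line, alts, "|")
      for (i = 1; i <= n; i++) {
        m = split(alts[i], tok, /[ \t]+/)
        first = ""
        for (j = 1; j <= m && first == ""; j++) first = tok[j]
        if (first == "") continue
        if (first in lit) print "keyword " lit[first]
        else              print "nonterminal " first
      }
      if (last) inrule = 0
    }
  ' "$1"
}

echo "# alternatives of base_cmd"
first_tokens "$GRAMMAR" base_cmd
echo "# alternatives of add_cmd"
first_tokens "$GRAMMAR" add_cmd
```

Every "nonterminal" line in the output is a place where the Vim syntax cannot stop: it has to be expanded recursively (here add_cmd, then rule_position) until only keywords remain, which is the flattening described in the START AT TOP-LEVEL section. Run it against a copy of the real src/parser_bison.y with base_cmd as the nonterminal to reproduce the keyword list quoted in the comments below.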

GRAPHING

The command bison -g generates an excellent DOT-formatted graph of the grammar, but the file is huge: about 780K dot-lines.

dot, pydot, python-graph and python-image all failed to produce a readable image; the results were a 48MB PNG, a 12MB GIF and a 900KB SVG.

What does work is GIMP, rendering at 10in wide by 30in high at 1,500 pixel/cm with an X:Y ratio of 30:60.

SUB-GRAPHING

If the DOT file is cut down to its first 100 dot-lines (out of 70,000), discarding everything after line 100 and appending the closing '}' of the digraph at the end of the file, the various graph tools render it much better.
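The truncation just described, as an added POSIX shell example (not the wiki author's script): it keeps the first N lines of a bison -g graph, appends the closing brace of the digraph, and checks that the braces balance before the file is handed to Graphviz. The graph file is a small constructed stand-in for the head of bison -g output (its labels reuse rule numbers quoted elsewhere on this page, but it is not real bison output), and dot_head, dot_balanced, count_char and dot_render are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the wiki author's script): cut a bison -g DOT graph down
# to its first N lines and close the digraph again so that graph tools accept
# the fragment.
set -eu

# Constructed stand-in for the head of a bison -g graph (not real bison output);
# the rule numbers in the labels mirror those quoted elsewhere on this page.
GRAPH=$(mktemp) SUB=$(mktemp)
trap 'rm -f "$GRAPH" "$SUB" "$SUB.svg"' EXIT
cat >"$GRAPH" <<'EOF'
// constructed sample in the layout of a bison -g graph
digraph "parser_bison.y"
{
  node [fontname = courier, shape = box, colorscheme = paired6]
  edge [fontname = courier]
  0 [label="State 0\n\l  0 $accept: . input $end\l"]
  0 -> 1 [style=solid label="\"add\""]
  0 -> 2 [style=solid label="\"table\""]
  1 [label="State 1\n\l 17 base_cmd: \"add\" . add_cmd\l"]
  1 -> 3 [style=solid label="\"table\""]
  2 [label="State 2\n\l 31 add_cmd: \"table\" . table_spec\l"]
  3 [label="State 3\n\l 31 add_cmd: \"table\" . table_spec\l"]
}
EOF

# count_char FILE CHAR: number of occurrences of CHAR in FILE (no whitespace).
count_char() {
  tr -cd "$2" <"$1" | wc -c | tr -d ' '
}

# dot_balanced FILE: succeed when '{' and '}' counts match. bison -g writes one
# node or edge per line, so a line-based cut only ever unbalances the braces.
dot_balanced() {
  [ "$(count_char "$1" '{')" -eq "$(count_char "$1" '}')" ]
}

# dot_head IN N OUT: keep the first N lines of IN (N must reach past the
# "digraph ... {" header) and append the closing brace of the digraph. Fails
# if the result is not balanced, e.g. when N already covered the original '}'.
dot_head() {
  head -n "$2" "$1" >"$3"
  printf '}\n' >>"$3"
  dot_balanced "$3"
}

# dot_render DOT SVG: render with Graphviz when it is installed; a no-op
# otherwise, so the truncation step itself never depends on Graphviz.
dot_render() {
  if command -v dot >/dev/null 2>&1; then
    dot -Tsvg "$1" -o "$2"
  fi
}

# Keep the first 8 lines: header plus the edges out of state 0. Edges that
# point at states whose node line was cut off are still legal DOT, since dot
# creates a bare node for any identifier it has not seen before.
dot_head "$GRAPH" 8 "$SUB"
echo "sub-graph has $(wc -l <"$SUB" | tr -d ' ') lines and balanced braces"
dot_render "$SUB" "$SUB.svg"
```

Replace 8 with 100 and the constructed file with the real bison -g output to get the sub-graph discussed above; the balance check catches the two common mistakes, cutting before the opening brace and cutting after the original closing brace.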

START AT TOP-LEVEL

Vim syntax has no notion of an empty but otherwise valid state-transition node (the intermediate nonterminal of a grammar); every state transition must be flattened down to its keywords, so only keywords, identifiers and operators appear here.

Since the nftables command line (CLI) makes use of the optional 'add' and 'table' keywords, some flattening of the grammar in parser_bison.y is required.

To complicate the syntax highlighting effort further, the first two tokens may be the actual table name and chain name before the rule statement (stmt_rule) kicks in; those table and chain names are free-form identifiers, so we limit them to 64 characters.

The summary of starting at the top is:

" `include`
" Filespec is quoted so that it may contain whitespace
hi link nftables_INCLUDE_filespecWS nftablesHL_Filespec
syn region nftables_INCLUDE_filespecWS contained start=/[\\]"/ end=/[\\]"/ skipwhite

" there are no skipnl/skipempty in Filespec
" start: any non-backslash character followed by '"'; hs=s+2 highlights from
" after the quote. end: an unescaped '"'; he=e-1 leaves the quote unhighlighted.
hi link nftables_INCLUDE_filespec nftablesHL_Filespec
syn region nftables_INCLUDE_filespec contained skipwhite
\ start=/[^\\]"/hs=s+2
\ end=/[^\\]"/he=e-1
\ skip=/\\"/
\ contains=nftables_INCLUDE_filespecWS
\ nextgroup=
\    nftables_stmt_separator,
\    nftables_Error

hi link nftables_INCLUDE nftablesHL_Keyword
syn keyword nftables_INCLUDE contained include skipwhite
\ nextgroup=
\    nftables_INCLUDE_filespec,
\    nftables_Error

" assignments
"   592 primary_rhs_expr → symbol_expr
"  593                  | integer_expr
"  594                  | boolean_expr
"  595                  | keyword_expr
"  596                  | "tcp"
"  597                  | "udp"
"  598                  | "udplite"
"  599                  | "esp"
"  600                  | "ah"
"  601                  | "icmp"
"  602                  | "icmpv6"
"  603                  | "comp"
"  604                  | "dccp"
"  605                  | "sctp"
"  606                  | "redirect"
"   565 shift_rhs_expr → primary_rhs_expr
"  566                | shift_rhs_expr "<<" primary_rhs_expr
"  567                | shift_rhs_expr ">>" primary_rhs_expr
"
"  568 and_rhs_expr → shift_rhs_expr
"  569              | and_rhs_expr "&" shift_rhs_expr
"
"  570 exclusive_or_rhs_expr → and_rhs_expr
"  571                       | exclusive_or_rhs_expr "^" and_rhs_expr
"
"  572 inclusive_or_rhs_expr → exclusive_or_rhs_expr
"  573                       | inclusive_or_rhs_expr '|' exclusive_or_rhs_expr
"
"  574 basic_rhs_expr → inclusive_or_rhs_expr
"  575 concat_rhs_expr → basic_rhs_expr
"  576                 | concat_rhs_expr "." basic_rhs_expr
"  562 rhs_expr → concat_rhs_expr
"  563          | multiton_rhs_expr
"  564          | set_expr
"  541 initializer_expr → rhs_expr
"  542                  | list_rhs_expr
hi link nftables_DEFINE_varname nftablesHL_Identifier
syn match nftables_DEFINE_varname contained skipwhite
\     /\i\{1,64\}/
\ nextgroup=
\    nftables_stmt_separator,
\    nftables_Error

" A cluster is not a highlight group, so it gets no 'hi link'; each member
" carries its own highlighting.
syn cluster nftablesCluster_DEFINE_initializer_expr
\ contains=nftables_DEFINE_varname

hi link nftables_DEFINE_EQ nftablesHL_Operator
syn match nftables_DEFINE_EQ contained /\s*=/ skipwhite
\ nextgroup=
\    nftables_DEFINE_varname,
\    @nftablesCluster_DEFINE_initializer_expr

hi link nftables_DEFINE_var_id nftablesHL_Identifier
syn match nftables_DEFINE_var_id contained /\<[a-zA-Z0-9\_]\{1,64\}\>/ 
\ skipwhite 
\ nextgroup=
\    nftables_DEFINE_EQ,
\    nftablesE_NoEQ


hi link nftables_DEFINE nftablesHL_Keyword
syn keyword nftables_DEFINE contained define skipwhite
\ nextgroup=
\    nftables_DEFINE_var_id,
\    nftables_Error

hi link nftables_REDEFINE nftablesHL_Keyword
syn keyword nftables_REDEFINE contained redefine skipwhite
\ nextgroup=
\    nftables_DEFINE_var_id,
\    nftables_Error

hi link nftables_UNDEFINE nftablesHL_Keyword
syn keyword nftables_UNDEFINE contained undefine skipwhite
\ nextgroup=
\    nftables_DEFINE_varname,
\    nftables_Error


""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
" common_block and base_cmd, add_cmd, and rule_cmd must all get merged
" together within here so we can sort the precedence of patterns together

hi link nftables_rule_stmt_list nftablesHL_Rule
syn keyword nftables_rule_stmt_list contained skipwhite
\    meter connlimit counter payload meta log limit quota
\    reject nat queue ct masq dup fwd map
\ nextgroup=
\    nftables_stmt_separator,
\    nftables_Error

" 'match', 'redir' and 'set' are matched as a pattern; \%( \) groups the
" alternation so that \< and \> apply to every alternative, not just the
" first and the last one.
syn match nftables_rule_stmt_list contained skipwhite
\    /\<\%(match\|redir\|set\)\>/
\ nextgroup=
\    nftables_stmt_separator,
\    nftables_Error

" table and chain names: letters, digits and underscore, up to 64 characters
hi link nftables_chain_maybe nftablesHL_Chain
syn match nftables_chain_maybe contained /\<[a-zA-Z0-9_]\{1,64\}\>/ skipwhite
\ nextgroup=
\    nftables_rule_stmt_list,
\    nftables_stmt_separator,
\    nftables_Error

hi link nftables_table_maybe nftablesHL_Table
syn match nftables_table_maybe contained /\<[a-zA-Z0-9_]\{1,64\}\>/ skipwhite
\ nextgroup=nftables_chain_maybe
" Cannot really add nftables_Error here: the table-name pattern is wild, so
" the chain name that follows it would be flagged as an error.

"   16 base_cmd → add_cmd
"   17 base_cmd | "add" add_cmd
"  249 family_spec_explicit | . "arp"
"  250 family_spec_explicit | . "bridge"
"   33 add_cmd | "chain" chain_spec
"   34 add_cmd | "chain" chain_spec chain_block_alloc '{' chain_block '}'
"   41 add_cmd | "counter" obj_spec
"   42 add_cmd | "counter" obj_spec counter_obj
"   19 base_cmd | "create" create_cmd
"   44 add_cmd | "ct" "helper" obj_spec ct_obj_alloc '{' ct_helper_block '}' stmt_separator
"   21 base_cmd | "delete" delete_cmd
"   30 base_cmd | "describe" describe_cmd
"   39 add_cmd | "element" set_spec set_block_expr
"   28 base_cmd | "export" export_cmd
"   40 add_cmd | "flowtable" flowtable_spec flowtable_block_alloc '{' flowtable_block '}'
"   25 base_cmd | "flush" flush_cmd
"   22 base_cmd | "get" get_cmd
"   27 base_cmd | "import" import_cmd
"  248 family_spec_explicit | . "inet"
"   20 base_cmd | "insert" insert_cmd
"  246 family_spec_explicit → . "ip"
"  247 family_spec_explicit | . "ip6"
"   45 add_cmd | "limit" obj_spec limit_obj
"   23 base_cmd | "list" list_cmd
"   38 add_cmd | "map" set_spec map_block_alloc '{' map_block '}'
"   29 base_cmd | "monitor" monitor_cmd
"  251 family_spec_explicit | . "netdev"
"   43 add_cmd | "quota" obj_spec quota_obj
"   26 base_cmd | "rename" rename_cmd
"   18 base_cmd | "replace" replace_cmd
"   24 base_cmd | "reset" reset_cmd
"   35 add_cmd | "rule" rule_position rule
"   37 add_cmd | "set" set_spec set_block_alloc '{' set_block '}'
"   31 add_cmd → "table" table_spec
"   32 add_cmd | "table" table_spec table_block_alloc '{' table_block '}'
"   36 add_cmd | rule_position rule
"  268 rule_position → chain_spec
"  269 rule_position | chain_spec position_spec
"  270 rule_position | chain_spec handle_spec
"  271 rule_position | chain_spec index_spec
"  252 table_spec → . family_spec identifier
"  254 chain_spec → . table_spec identifier
"  244 family_spec → . %empty  [ "<string>" ]
"  245 family_spec | . family_spec_explicit
"  LAST  pattern  "<table_name>" "<chain_name>" 'counter'/'accept'
"
hi link nftables_family_netdev nftablesHL_Family
syn keyword nftables_family_netdev contained netdev skipwhite
\ nextgroup=nftables_table_maybe

hi link nftables_family_bridge nftablesHL_Family
syn keyword nftables_family_bridge contained bridge skipwhite
\ nextgroup=nftables_table_maybe

hi link nftables_family_arp nftablesHL_Family
syn keyword nftables_family_arp contained arp skipwhite
\ nextgroup=nftables_table_maybe

hi link nftables_family_ip nftablesHL_Family
syn keyword nftables_family_ip contained ip skipwhite
\ nextgroup=nftables_table_maybe

hi link nftables_family_ip6 nftablesHL_Family
syn keyword nftables_family_ip6 contained ip6 skipwhite
\ nextgroup=nftables_table_maybe

hi link nftables_family_inet nftablesHL_Family
syn keyword nftables_family_inet contained inet skipwhite
\ nextgroup=nftables_table_maybe

hi link nftables_TABLE nftablesHL_Statement
syn keyword nftables_TABLE contained table skipwhite
\ nextgroup=
\    nftables_family_netdev,
\    nftables_family_arp,
\    nftables_family_bridge,
\    nftables_family_ip,
\    nftables_family_ip6,
\    nftables_family_inet,
\    nftables_table_maybe

" a cluster has no highlighting of its own; its members are linked above
syn cluster nftablesCluster_add_cmd
\ contains=
\    nftables_TABLE,
\    nftables_family_netdev,
\    nftables_family_arp,
\    nftables_family_bridge,
\    nftables_family_ip,
\    nftables_family_ip6,
\    nftables_family_inet

hi link nftables_ADD nftablesHL_Command
syn match nftables_ADD contained /[ \t]*\<add\>/ skipwhite
\ nextgroup=
\    @nftablesCluster_add_cmd,
\    nftables_table_maybe

This gets us to this image:
