Top level NFTABLES Keywords
To start the whole Vim syntax design, all top-level keywords need to be identified.
All keywords (and the keyword that may follow each of them) are found in src/parser_bison.y
over at the Netfilter Git repo.
The command bison -g
generates an excellent DOT-formatted graph file, which runs to 780K dot-lines.
The dot, pydot, python-graph and python-image tools all failed to produce a readable image: the results were a 48MB PNG, a 12MB GIF, and a 900KB SVG.
What does work is GIMP using 10in wide, 30in height @ 1,500 pixel/cm with X:Y ratio of 30:60.
If I shrink the DOT file to 100 dot-lines (out of 70,000), cutting off everything after "100" and then adding the closing digraph '}' at the end of the file, various graph tools render it better.
Vim syntax does not maintain an empty but viable state transition node; all state transitions must be flattened down to their keywords: Only keyword/identifier/operators here.
Because the nftables command line (CLI) makes use of the optional 'add' and 'table' keywords, some flattening of the bison-parser.c is required.
Not to insult our syntax highlighting effort, the first two keywords may be the actual table name and chain name before the stmt_rule
kicks in; those table and chain names are huge variables; we'll limit these names to 64 chars.
The summary of starting at the top is:
" `include` statement: backslash-escaped quotes inside a file specification.
" A span that opens with \" and closes with \" is kept as one region, so a
" quoted piece embedded in the filespec (which may hold whitespace) is
" treated as part of it.
syn region nftables_INCLUDE_filespecWS contained skipwhite
      \ start=/[\\]"/
      \ end=/[\\]"/
hi link nftables_INCLUDE_filespecWS nftablesHL_Filespec
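" File specification following `include`, written as a double-quoted string.
" Only skipwhite is given; there are no skipnl/skipempty in Filespec.
"   start: one character other than a backslash, then the opening quote;
"          hs=s+2 begins the highlight after those two characters.
"   end:   one character other than a backslash, then the closing quote;
"          he=e-1 stops the highlight one character before the match end.
"   skip:  \" is passed over, so an escaped quote does not end the region.
" The end collection holds only the backslash. Parentheses are literal inside
" [], so listing them there would keep a path whose last character is ( or )
" from ever closing the region, and the rules after the include would then be
" coloured as part of the file name.
" NOTE(review): start needs one character in front of the quote, which looks
" like it relies on exactly one blank after `include` - confirm.
hi link nftables_INCLUDE_filespec nftablesHL_Filespec
syn region nftables_INCLUDE_filespec contained skipwhite
      \ start=/[^\\]"/hs=s+2
      \ end=/[^\\]"/he=e-1
      \ skip=/\\"/
      \ contains=nftables_INCLUDE_filespecWS
      \ nextgroup=
      \   nftables_stmt_separator,
      \   nftables_Error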
" `include` keyword. After optional whitespace the next item is tried as a
" file specification; nftables_Error (defined elsewhere) is the alternative.
syn keyword nftables_INCLUDE contained skipwhite include
      \ nextgroup=nftables_INCLUDE_filespec,nftables_Error
hi link nftables_INCLUDE nftablesHL_Keyword
" assignments
" 592 primary_rhs_expr → symbol_expr
" 593 | integer_expr
" 594 | boolean_expr
" 595 | keyword_expr
" 596 | "tcp"
" 597 | "udp"
" 598 | "udplite"
" 599 | "esp"
" 600 | "ah"
" 601 | "icmp"
" 602 | "icmpv6"
" 603 | "comp"
" 604 | "dccp"
" 605 | "sctp"
" 606 | "redirect"
" 565 shift_rhs_expr → primary_rhs_expr
" 566 | shift_rhs_expr "<<" primary_rhs_expr
" 567 | shift_rhs_expr ">>" primary_rhs_expr
"
" 568 and_rhs_expr → shift_rhs_expr
" 569 | and_rhs_expr "&" shift_rhs_expr
"
" 570 exclusive_or_rhs_expr → and_rhs_expr
" 571 | exclusive_or_rhs_expr "^" and_rhs_expr
"
" 572 inclusive_or_rhs_expr → exclusive_or_rhs_expr
" 573 | inclusive_or_rhs_expr '|' exclusive_or_rhs_expr
"
" 574 basic_rhs_expr → inclusive_or_rhs_expr
" 575 concat_rhs_expr → basic_rhs_expr
" 576 | concat_rhs_expr "." basic_rhs_expr
" 562 rhs_expr → concat_rhs_expr
" 563 | multiton_rhs_expr
" 564 | set_expr
" 541 initializer_expr → rhs_expr
" 542 | list_rhs_expr
" Identifier used after the `=` of a define and after `undefine`.
" Only a run of 1 to 64 identifier characters is recognised here; \i follows
" the 'isident' option, so the accepted characters depend on that setting.
" NOTE(review): the grammar excerpt above lists many more initializer forms
" (integers, sets, protocol names); none of them is matched by this item.
syn match nftables_DEFINE_varname contained skipwhite
      \ /\i\{1,64\}/
      \ nextgroup=nftables_stmt_separator,nftables_Error
hi link nftables_DEFINE_varname nftablesHL_Identifier
" Cluster of the items accepted as the initializer of a define; it holds
" only nftables_DEFINE_varname.
" NOTE(review): a cluster is not a highlight group, so the `hi link` on the
" cluster name presumably has no visible effect - confirm.
syn cluster nftablesCluster_DEFINE_initializer_expr contains=nftables_DEFINE_varname
hi link nftablesCluster_DEFINE_initializer_expr nftablesHL_PreProc
" The `=` of a define, with any whitespace in front of it. What follows is
" tried as a variable name or as a member of the initializer cluster.
syn match nftables_DEFINE_EQ contained skipwhite /\s*=/
      \ nextgroup=nftables_DEFINE_varname,@nftablesCluster_DEFINE_initializer_expr
hi link nftables_DEFINE_EQ nftablesHL_Operator
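" Variable id that follows `define` / `redefine`: 1 to 64 letters, digits or
" underscores, taken as a whole word. It must be followed by `=`; otherwise
" nftablesE_NoEQ (defined elsewhere) is the alternative.
" The underscore is written bare: inside [] a backslash in front of `_` is
" taken literally, so `\_` would also admit a backslash into the id.
hi link nftables_DEFINE_var_id nftablesHL_Identifier
syn match nftables_DEFINE_var_id contained /\<[a-zA-Z0-9_]\{1,64\}\>/
      \ skipwhite
      \ nextgroup=
      \   nftables_DEFINE_EQ,
      \   nftablesE_NoEQ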
" Variable statements. `define` and `redefine` lead to the variable id being
" assigned; `undefine` leads straight to a variable name. In each case
" nftables_Error (defined elsewhere) is listed as the alternative.
syn keyword nftables_DEFINE contained skipwhite define
      \ nextgroup=nftables_DEFINE_var_id,nftables_Error
syn keyword nftables_REDEFINE contained skipwhite redefine
      \ nextgroup=nftables_DEFINE_var_id,nftables_Error
syn keyword nftables_UNDEFINE contained skipwhite undefine
      \ nextgroup=nftables_DEFINE_varname,nftables_Error

hi link nftables_DEFINE   nftablesHL_Keyword
hi link nftables_REDEFINE nftablesHL_Keyword
hi link nftables_UNDEFINE nftablesHL_Keyword
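""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
" common_block and base_cmd, add_cmd, and rule_cmd must all be merged
" together within here so we can sort the precedence of patterns together
"
" Statement words that may follow the chain name in a rule.
hi link nftables_rule_stmt_list nftablesHL_Rule
syn keyword nftables_rule_stmt_list contained skipwhite
      \ meter connlimit counter payload meta log limit quota
      \ reject nat queue ct masq dup fwd map
      \ nextgroup=
      \   nftables_stmt_separator,
      \   nftables_Error
" match, redir and set are given as a pattern instead of as keywords; this
" form carries no nextgroup.
" The three alternatives share one group so that \< and \> anchor each of
" them. With \| at the top level, \< binds only to `match` and \> only to
" `set`, which lets `redir` match as the start of a longer word such as
" `redirect`, and `match` as the start of `matches`.
syn match nftables_rule_stmt_list contained skipwhite
      \ /\<\(match\|redir\|set\)\>/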
" Candidate chain name: a whole word of 1 to 64 letters or digits. It may be
" followed by a rule statement word or a statement separator;
" nftables_Error (defined elsewhere) is the alternative.
" NOTE(review): the collection has no underscore, so with the default
" 'iskeyword' a name such as my_chain presumably fails the \> test - confirm
" whether that is intended.
syn match nftables_chain_maybe contained skipwhite
      \ /\<[a-zA-Z0-9]\{1,64\}\>/
      \ nextgroup=nftables_rule_stmt_list,nftables_stmt_separator,nftables_Error
hi link nftables_chain_maybe nftablesHL_Chain
" Candidate table name: a whole word of 1 to 64 letters or digits, followed
" by a candidate chain name.
" nftables_Error cannot really be added here because this is a wild pattern.
" NOTE(review): as with the chain name, the collection has no underscore -
" confirm that names such as my_table are meant to be left unmatched.
syn match nftables_table_maybe contained skipwhite
      \ /\<[a-zA-Z0-9]\{1,64\}\>/
      \ nextgroup=nftables_chain_maybe
hi link nftables_table_maybe nftablesHL_Table
" 16 base_cmd → add_cmd
" 17 base_cmd | "add" add_cmd
" 249 family_spec_explicit | . "arp"
" 250 family_spec_explicit | . "bridge"
" 33 add_cmd | "chain" chain_spec
" 34 add_cmd | "chain" chain_spec chain_block_alloc '{' chain_block '}'
" 41 add_cmd | "counter" obj_spec
" 42 add_cmd | "counter" obj_spec counter_obj
" 19 base_cmd | "create" create_cmd
" 44 add_cmd | "ct" "helper" obj_spec ct_obj_alloc '{' ct_helper_block '}' stmt_separator
" 21 base_cmd | "delete" delete_cmd
" 30 base_cmd | "describe" describe_cmd
" 39 add_cmd | "element" set_spec set_block_expr
" 28 base_cmd | "export" export_cmd
" 40 add_cmd | "flowtable" flowtable_spec flowtable_block_alloc '{' flowtable_block '}'
" 25 base_cmd | "flush" flush_cmd
" 22 base_cmd | "get" get_cmd
" 27 base_cmd | "import" import_cmd
" 248 family_spec_explicit | . "inet"
" 20 base_cmd | "insert" insert_cmd
" 246 family_spec_explicit → . "ip"
" 247 family_spec_explicit | . "ip6"
" 45 add_cmd | "limit" obj_spec limit_obj
" 23 base_cmd | "list" list_cmd
" 38 add_cmd | "map" set_spec map_block_alloc '{' map_block '}'
" 29 base_cmd | "monitor" monitor_cmd
" 251 family_spec_explicit | . "netdev"
" 43 add_cmd | "quota" obj_spec quota_obj
" 26 base_cmd | "rename" rename_cmd
" 18 base_cmd | "replace" replace_cmd
" 24 base_cmd | "reset" reset_cmd
" 35 add_cmd | "rule" rule_position rule
" 37 add_cmd | "set" set_spec set_block_alloc '{' set_block '}'
" 31 add_cmd → "table" table_spec
" 32 add_cmd | "table" table_spec table_block_alloc '{' table_block '}'
" 36 add_cmd | rule_position rule
" 268 rule_position → chain_spec
" 269 rule_position | chain_spec position_spec
" 270 rule_position | chain_spec handle_spec
" 271 rule_position | chain_spec index_spec
" 252 table_spec → . family_spec identifier
" 254 chain_spec → . table_spec identifier
" 244 family_spec → . %empty [ "<string>" ]
" 245 family_spec | . family_spec_explicit
" LAST pattern "<table_name>" "<chain_name>" 'counter'/'accept'
"
" Explicit address families (family_spec_explicit in the grammar excerpt
" above). Each family word is followed by a candidate table name.
syn keyword nftables_family_netdev contained skipwhite netdev
      \ nextgroup=nftables_table_maybe
syn keyword nftables_family_bridge contained skipwhite bridge
      \ nextgroup=nftables_table_maybe
syn keyword nftables_family_arp    contained skipwhite arp
      \ nextgroup=nftables_table_maybe
syn keyword nftables_family_ip     contained skipwhite ip
      \ nextgroup=nftables_table_maybe
syn keyword nftables_family_ip6    contained skipwhite ip6
      \ nextgroup=nftables_table_maybe
syn keyword nftables_family_inet   contained skipwhite inet
      \ nextgroup=nftables_table_maybe

hi link nftables_family_netdev nftablesHL_Family
hi link nftables_family_bridge nftablesHL_Family
hi link nftables_family_arp    nftablesHL_Family
hi link nftables_family_ip     nftablesHL_Family
hi link nftables_family_ip6    nftablesHL_Family
hi link nftables_family_inet   nftablesHL_Family
" `table` keyword. It may be followed by one of the explicit family words
" or, when the family is left out, directly by a candidate table name.
syn keyword nftables_TABLE contained skipwhite table
      \ nextgroup=nftables_family_netdev,nftables_family_arp,
      \ nftables_family_bridge,nftables_family_ip,nftables_family_ip6,
      \ nftables_family_inet,nftables_table_maybe
hi link nftables_TABLE nftablesHL_Statement
" Cluster of the items that may open an add command: the `table` keyword
" and the six explicit family words.
" NOTE(review): a cluster is not a highlight group, so the `hi link` on the
" cluster name presumably has no visible effect - confirm.
syn cluster nftablesCluster_add_cmd
      \ contains=nftables_TABLE,nftables_family_netdev,nftables_family_arp,
      \ nftables_family_bridge,nftables_family_ip,nftables_family_ip6,
      \ nftables_family_inet
hi link nftablesCluster_add_cmd nftablesHL_Command
" Optional `add` word, with any blanks or tabs in front of it. It leads to a
" member of the add_cmd cluster or directly to a candidate table name.
syn match nftables_ADD contained skipwhite /[ \t]*\<add\>/
      \ nextgroup=@nftablesCluster_add_cmd,nftables_table_maybe
hi link nftables_ADD nftablesHL_Command
This gets us to this image: