author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-16 10:14:47 +0100
---|---|---
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-16 12:02:11 +0100
commit | e7395266640aed088e312ca1da3c147b64059988 (patch) |
tree | 0ff60c8670ee5a1a4928cc81eb281426de01b387 /doc/nft.xml |
parent | 6c15ee2bab56cabb678cbd46cebd25703c363ab2 (diff) |
src: revisit syntax to update sets and maps from packet path
For sets, we allow this:
nft add rule x y ip protocol tcp update @y { ip saddr}
For maps:
table ip nftlb {
        map persistencia {
                type ipv4_addr : mark
                timeout 1h
                elements = { 192.168.1.132 expires 59m55s : 0x00000064,
                             192.168.56.101 expires 59m24s : 0x00000065 }
        }

        chain pre {
                type nat hook prerouting priority 0; policy accept;
                update @persistencia \
                        { @nh,96,32 : numgen inc mod 2 offset 100 }
        }
}
nft --debug=netlink add rule ip nftlb pre add @persistencia \
{ ip saddr : numgen inc mod 2 offset 100 }
More compact, and it doesn't get confused with a simple map update
command (interesting that bison didn't spew any conflict error).
Former syntax for sets is preserved.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
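The following ruleset is an added example, not part of the commit or of the nftables tree, showing the syntax this commit settles on for both the set and the map case together with the set and map declarations the commit message leaves out. Table, chain, set and map names are chosen for illustration (the `filter`/`blackhole` and `nftlb`/`persistencia` names mirror the commit's own snippets); the `dynamic` flag on the set and map is an assumption about what current nftables expects for objects that are updated from the packet path, and the `timeout` flag is required because the rules add elements that carry a timeout. The `meta mark set ... map` lookup is added to show the map being consumed; it is not part of the commit.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the commit). Load with: nft -f thisfile
flush ruleset

table ip filter {
        # Set updated from the packet path: elements are added with a timeout,
        # so the set needs the timeout flag. The dynamic flag is assumed to be
        # required by current nftables for packet-path updates.
        set blackhole {
                type ipv4_addr
                flags dynamic,timeout
                timeout 1m
        }

        chain input {
                type filter hook input priority 0; policy accept;

                # Drop anything already blacklisted.
                ip saddr @blackhole drop

                # Same rule as the updated documentation example: a meter keyed
                # by source address; when it exceeds 10 SYNs/second the address
                # is added to @blackhole for one minute and the packet dropped.
                tcp flags syn tcp dport ssh \
                        meter flood { ip saddr timeout 10s limit rate over 10/second } \
                        add @blackhole { ip saddr timeout 1m } drop
        }
}

table ip nftlb {
        # Map updated from the packet path, matching the commit's example:
        # key is the client address, value is the mark picked by numgen.
        map persistencia {
                type ipv4_addr : mark
                flags dynamic,timeout
                timeout 1h
        }

        chain pre {
                type nat hook prerouting priority 0; policy accept;

                # New syntax from this commit: add a key : value pair to the map.
                # The data expression (numgen) picks mark 100 or 101 round-robin.
                add @persistencia { ip saddr : numgen inc mod 2 offset 100 }

                # Consume the map (added here for illustration): set the mark
                # from the stored value so later packets from the same client
                # keep the same backend selection.
                meta mark set ip saddr map @persistencia
        }
}
```

Because `add` only inserts a key that is not yet present, the `numgen` value is stored the first time a client is seen and the lookup on the next line returns that same mark for the lifetime of the entry; `update` would instead refresh the element's timeout on every packet. Check the result with `nft list set ip filter blackhole` and `nft list map ip nftlb persistencia`.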
Diffstat (limited to 'doc/nft.xml')
-rw-r--r-- | doc/nft.xml | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index d3765fac..07f4f277 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -5375,15 +5375,15 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } </para> <para> <cmdsynopsis> - <command>set</command> <group choice="req"> <arg>add</arg> <arg>update</arg> </group> - <replaceable>expression</replaceable> - <arg choice="opt">timeout <replaceable>timeout</replaceable></arg> - <arg choice="opt">comment<replaceable>string</replaceable></arg> <replaceable>@setname</replaceable> + <replaceable>{ expression </replaceable> + <arg choice="opt">timeout <replaceable>timeout</replaceable></arg> + <arg choice="opt">comment <replaceable>string</replaceable></arg> + <replaceable>}</replaceable> </cmdsynopsis> </para> <para> @@ -5401,7 +5401,7 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } # add source ip addresses to the backlist if more than 10 tcp connection requests occured per second and ip address. # entries will timeout after one minute, after which they might be re-added if limit condition persists. - nft add rule ip filter input tcp flags syn tcp dport ssh flow table flood { ip saddr timeout 10s limit rate over 10/second} set add ip saddr timeout 1m @blackhole drop + nft add rule ip filter input tcp flags syn tcp dport ssh meter flood { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop # inspect state of the rate limit meter: nft list meter ip filter flood |
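Review bot: in the first hunk the opening and closing braces are emitted as `<replaceable>{ expression </replaceable>` and `<replaceable>}</replaceable>`, which renders the literal braces in the same variable (italic) style as `expression` and `string`; the braces are fixed syntax, so keep them as plain text inside the synopsis and wrap only the user-supplied parts, e.g. `{ <replaceable>expression</replaceable> <arg choice="opt">timeout <replaceable>timeout</replaceable></arg> ... }`. The synopsis also covers only the set form, while the commit message introduces the map form `{ key : value }`; an optional `<arg choice="opt">: <replaceable>expression</replaceable></arg>` after the key, or a second cmdsynopsis for maps, would keep the documentation in step with the grammar change.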
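Review bot: in the second hunk the example now writes timed elements into `@blackhole` with `add @blackhole { ip saddr timeout 1m }`, but the set itself is never declared in the example, so a reader cannot see the `timeout` flag the set needs for elements that carry a timeout; adding the set declaration above the rule would make the snippet self-contained. While touching these lines, the unchanged comment just above still reads "backlist" and "occured" (for "blacklist" and "occurred").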