authorPablo Neira Ayuso <pablo@netfilter.org>2018-08-24 09:52:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-08-24 09:52:22 +0200
commita55ca1a24b7b216144dc737f621fb68f4a924e38 (patch)
treee104f4c5d5ad34b39f58a3b05b80aba85858d0c0 /src/evaluate.c
parent0e90798e98121abab274434ec60f0b873f510021 (diff)
src: integrate stateful expressions into sets and maps
The following example shows how to populate a set from the packet path using the destination IP address; for each entry there is a counter. The entry expires after the 1 hour timeout if no packets matching this entry are seen. table ip x { set xyz { type ipv4_addr size 65535 flags dynamic,timeout timeout 1h } chain y { type filter hook output priority filter; policy accept; update @xyz { ip daddr counter } counter } } A similar example that creates a mapping between IP address and mark, where the mark is assigned using an incremental sequence generator from 0 to 1 inclusive. table ip x { map xyz { type ipv4_addr : mark size 65535 flags dynamic,timeout timeout 1h } chain y { type filter hook input priority filter; policy accept; update @xyz { ip saddr counter : numgen inc mod 2 } } } Supported stateful statements are: limit, quota, counter and connlimit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 9bc67d8f..647e1606 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2708,6 +2708,13 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
if (stmt->set.key->comment != NULL)
return expr_error(ctx->msgs, stmt->set.key,
"Key expression comments are not supported");
+ if (stmt->set.stmt) {
+ if (stmt_evaluate(ctx, stmt->set.stmt) < 0)
+ return -1;
+ if (!(stmt->set.stmt->flags & STMT_F_STATEFUL))
+ return stmt_binary_error(ctx, stmt->set.stmt, stmt,
+ "meter statement must be stateful");
+ }
return 0;
}
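Review bot: The error text `"meter statement must be stateful"` in the added block names the wrong construct, because this is stmt_evaluate_set and a user whose `update @xyz { ... }` rule carries a non-stateful statement would be told about a meter they never wrote. The wording looks carried over from the meter evaluation path (not visible here); `"set statement must be stateful"` would match what was typed, and the identical block added to stmt_evaluate_map in the next hunk has the same issue, where `"map statement must be stateful"` fits. This check is also the only visible place that limits which statements may be attached per element, so a short comment above it such as `/* only stateful statements (limit, quota, counter, connlimit) may be attached to an element */` would record the rule the commit message states. Both function bodies begin outside their hunks, so any earlier validation of `stmt->set.stmt` or `stmt->map.stmt` cannot be seen from here.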
@@ -2739,6 +2746,13 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
if (stmt->map.data->comment != NULL)
return expr_error(ctx->msgs, stmt->map.data,
"Data expression comments are not supported");
+ if (stmt->map.stmt) {
+ if (stmt_evaluate(ctx, stmt->map.stmt) < 0)
+ return -1;
+ if (!(stmt->map.stmt->flags & STMT_F_STATEFUL))
+ return stmt_binary_error(ctx, stmt->map.stmt, stmt,
+ "meter statement must be stateful");
+ }
return 0;
}