author | Arturo Borrero <arturo.borrero.glez@gmail.com> | 2014-09-23 14:05:15 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-09-29 12:33:37 +0200 |
commit | 90a0f8c443bbe33676aeff4e9782aa6b0e6c0894 (patch) | |
tree | c5c9dd78ed5423f093fe997db595bddbee8df6e3 /src/parser.y | |
parent | 013dbc6b0a8490ba24805a8ae35d7707183b9615 (diff) |
src: add set optimization options
This patch adds options to choose set optimization mechanisms.
Two new statements are added to the set syntax, and they can be mixed:
nft add set filter set1 { type ipv4_addr ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; policy memory ; }
nft add set filter set1 { type ipv4_addr ; policy performance ; }
nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory ; }
nft add set filter set1 { type ipv4_addr ; policy performance ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; size 1024 ; policy performance ; }
Also valid for maps:
nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; }
[...]
This is the output format, which can be imported later with `nft -f':
table filter {
set set1 {
type ipv4_addr
policy memory
size 1024
}
}
In this approach the parser accepts default options such as 'performance',
given they are a valid configurations, but aren't sent to the kernel.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser.y')
-rw-r--r-- | src/parser.y | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/parser.y b/src/parser.y
index 32d5455d..db120a06 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -20,6 +20,7 @@
 #include <linux/netfilter/nf_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 #include <libnftnl/common.h>
+#include <libnftnl/set.h>
 #include <rule.h>
 #include <statement.h>
@@ -201,6 +202,11 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token INTERVAL "interval"
 %token ELEMENTS "elements"
+%token POLICY "policy"
+%token MEMORY "memory"
+%token PERFORMANCE "performance"
+%token SIZE "size"
+
 %token <val> NUM "number"
 %token <string> STRING "string"
 %token <string> QUOTED_STRING
@@ -401,6 +407,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %type <val> set_flag_list set_flag
+%type <val> set_policy_spec
+
 %type <set> set_block_alloc set_block
 %destructor { set_free($$); } set_block_alloc
@@ -967,6 +975,7 @@ set_block : /* empty */ { $$ = $<set>-1; }
 $1->init = $4;
 $$ = $1;
 }
+ | set_block set_mechanism stmt_seperator
 ;
 set_flag_list : set_flag_list COMMA set_flag
@@ -1020,6 +1029,21 @@ map_block : /* empty */ { $$ = $<set>-1; }
 $1->init = $4;
 $$ = $1;
 }
+ | map_block set_mechanism stmt_seperator
+ ;
+
+set_mechanism : POLICY set_policy_spec
+ {
+ $<set>0->policy = $2;
+ }
+ | SIZE NUM
+ {
+ $<set>0->desc.size = $2;
+ }
+ ;
+
+set_policy_spec : PERFORMANCE { $$ = NFT_SET_POL_PERFORMANCE; }
+ | MEMORY { $$ = NFT_SET_POL_MEMORY; }
 ;
 hook_spec : TYPE STRING HOOK STRING PRIORITY NUM |
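Review bot: The four tokens added in the `%token` hunk (`policy`, `memory`, `performance`, `size`) are ordinary words that an existing ruleset may already use as a table, chain or set name. If the scanner change, which is outside this diffstat, matches them unconditionally, those names will stop parsing as identifiers and a previously valid firewall configuration could fail to load. The block should carry a comment stating this, for example `/* set options: these become reserved words and can no longer be used as identifiers */`. Alternatively, the identifier rule could continue to accept them where a name is expected.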
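Review bot: The new alternative `| set_block set_mechanism stmt_seperator` has no action and relies on the default `$$ = $1`, while the sibling alternative visible just above it assigns `$$ = $1;` explicitly. Writing `{ $$ = $1; }` here would keep the rule consistent and guard against a later edit turning the default into a type mismatch. The same applies to `| map_block set_mechanism stmt_seperator` in the next hunk. Both alternatives are also what make `$<set>0` inside `set_mechanism` valid, so a comment such as `/* set_mechanism reads the enclosing block through $<set>0; it must directly follow set_block/map_block */` would document that dependency. The `set_block` rule starts outside the hunk.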
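Review bot: In `set_mechanism`, the `SIZE NUM` action stores `$2` into `$<set>0->desc.size` with no range check. If `<val>` is wider than `desc.size` (their declarations are not visible in this diff), an oversized value is silently truncated and the set is created with a different capacity than the ruleset states. A guard before the assignment such as `if ($2 > UINT32_MAX) YYERROR;` would reject it, assuming a 32-bit field and preferably with a located error message in the file's usual style. Repeated `policy` or `size` statements in one block also overwrite each other silently; if that is intended, a short comment on the rule should say that the last statement wins.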