authorPatrick McHardy <kaber@trash.net>2016-04-27 12:29:50 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2016-05-13 19:30:29 +0200
commit3ed5e31f4a323d7f054b6120d05134195dc681f0 (patch)
tree5daa5afd681e9b3dbada6405659cd11cefc19554 /src/parser_bison.y
parent9f3cce668b72c9ec9d9e0a6071d132a8f35d7b70 (diff)
src: add flow statement
The flow statement allows instantiating per-flow statements for user-defined flows. So far this can be used for per-flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r--src/parser_bison.y57
1 files changed, 57 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b8d33861..8a7785b3 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -216,6 +216,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token PERFORMANCE "performance"
%token SIZE "size"
+%token FLOW "flow"
+
%token <val> NUM "number"
%token <string> STRING "string"
%token <string> QUOTED_STRING
@@ -484,6 +486,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <stmt> set_stmt
%destructor { stmt_free($$); } set_stmt
%type <val> set_stmt_op
+%type <stmt> flow_stmt flow_stmt_alloc
+%destructor { stmt_free($$); } flow_stmt flow_stmt_alloc
%type <expr> symbol_expr verdict_expr integer_expr
%destructor { expr_free($$); } symbol_expr verdict_expr integer_expr
@@ -519,6 +523,9 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <expr> set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr
%destructor { expr_free($$); } set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr
+%type <expr> flow_key_expr flow_key_expr_alloc
+%destructor { expr_free($$); } flow_key_expr flow_key_expr_alloc
+
%type <expr> expr initializer_expr
%destructor { expr_free($$); } expr initializer_expr
@@ -1306,6 +1313,7 @@ stmt_list : stmt
stmt : verdict_stmt
| match_stmt
+ | flow_stmt
| counter_stmt
| payload_stmt
| meta_stmt
@@ -1757,6 +1765,41 @@ set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
| UPDATE { $$ = NFT_DYNSET_OP_UPDATE; }
;
+flow_stmt : flow_stmt_alloc flow_stmt_opts flow_key_expr stmt
+ {
+ $1->flow.key = $3;
+ $1->flow.stmt = $4;
+ $$->location = @$;
+ $$ = $1;
+ }
+ | flow_stmt_alloc flow_key_expr stmt
+ {
+ $1->flow.key = $2;
+ $1->flow.stmt = $3;
+ $$->location = @$;
+ $$ = $1;
+ }
+ ;
+
+flow_stmt_alloc : FLOW
+ {
+ $$ = flow_stmt_alloc(&@$);
+ }
+ ;
+
+flow_stmt_opts : flow_stmt_opt
+ {
+ $<stmt>$ = $<stmt>0;
+ }
+ | flow_stmt_opts flow_stmt_opt
+ ;
+
+flow_stmt_opt : TABLE identifier
+ {
+ $<stmt>0->flow.table = $2;
+ }
+ ;
+
match_stmt : relational_expr
{
$$ = expr_stmt_alloc(&@$, $1);
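Review bot: Both flow_stmt actions execute `$$->location = @$;` before `$$ = $1;`, so the location is stored through `$$` before the action has assigned it. Bison's default C skeleton usually pre-loads `$$` with `$1`, which is probably why this works, but that is an implementation detail rather than a guarantee; swap the lines to `$$ = $1;` followed by `$$->location = @$;`, or write `$1->location = @$;`. The flow_key_expr action in the `@@ -1941` hunk has the same ordering. Separately, flow_stmt_opts accepts repeated options and `$<stmt>0->flow.table = $2;` assigns unconditionally, so a second `table` option presumably leaks the first identifier string; rejecting a duplicate or freeing the previous value would close that.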
@@ -1941,6 +1984,20 @@ set_list_member_expr : opt_newline set_expr opt_newline
}
;
+flow_key_expr : flow_key_expr_alloc
+ | flow_key_expr_alloc set_elem_options
+ {
+ $$->location = @$;
+ $$ = $1;
+ }
+ ;
+
+flow_key_expr_alloc : concat_expr
+ {
+ $$ = set_elem_expr_alloc(&@1, $1);
+ }
+ ;
+
set_elem_expr : set_elem_expr_alloc
| set_elem_expr_alloc set_elem_options
;