author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-28 00:03:50 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-01-03 14:21:53 +0100 |
commit | deaf962ebd7c6b9d8a161d9378a710031e4f1dd6 (patch) | |
tree | 8e885dfedb3eefafa29bd46edc1ebe09f5f8c41c /src/rule.c | |
parent | b139f738f558d6afb8c8f3e73526f578b059abd6 (diff) |
src: add support for stateful object maps
You can create these maps using explicit map declarations:
# nft add table filter
# nft add chain filter input { type filter hook input priority 0\; }
# nft add map filter badguys { type ipv4_addr : counter \; }
# nft add rule filter input counter name ip saddr map @badguys
# nft add counter filter badguy1
# nft add counter filter badguy2
# nft add element filter badguys { 192.168.2.3 : "badguy1" }
# nft add element filter badguys { 192.168.2.4 : "badguy2" }
Or through implicit map definitions:
table ip filter {
counter http-traffic {
packets 8 bytes 672
}
chain input {
type filter hook input priority 0; policy accept;
counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 5 |
1 files changed, 4 insertions, 1 deletions
@@ -273,7 +273,7 @@ static void set_print_declaration(const struct set *set,
 const char *type;
 uint32_t flags;
- if (set->flags & NFT_SET_MAP)
+ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
 type = "map";
 else if (set->flags & NFT_SET_EVAL)
 type = "flow table";
@@ -293,6 +293,8 @@ static void set_print_declaration(const struct set *set,
 printf("%s%stype %s", opts->tab, opts->tab, set->keytype->name);
 if (set->flags & NFT_SET_MAP)
 printf(" : %s", set->datatype->name);
+ else if (set->flags & NFT_SET_OBJECT)
+ printf(" : %s", obj_type_name(set->objtype));
 printf("%s", opts->stmt_separator);
@@ -913,6 +915,7 @@ static int __do_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
 set_to_intervals(ctx->msgs, set, expr, true) < 0)
 return -1;
+ expr->set_flags |= set->flags;
 if (netlink_add_setelems(ctx, h, expr, excl) < 0)
 return -1;
|
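Review bot: In the second hunk of set_print_declaration, the new `else if (set->flags & NFT_SET_OBJECT)` branch is reached only when NFT_SET_MAP is clear, so a set carrying both flags would still go through `set->datatype->name`, and nothing visible here guarantees that datatype is populated for an object map. If the two flags are meant to be mutually exclusive, a comment such as `/* NFT_SET_MAP and NFT_SET_OBJECT never appear together */` above the test would record that; otherwise testing NFT_SET_OBJECT first is the safer order. Since `set->objtype` can presumably come from a ruleset dump rather than only from the parser, it is also worth confirming that obj_type_name() handles an unknown type value instead of indexing past a table; that helper is not part of this diff. The function body continues outside the hunk.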
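Review bot: The added `expr->set_flags |= set->flags;` in the third hunk (__do_add_setelems) has no comment explaining why the element expression needs the set's flags, and it copies every flag rather than only the one this commit introduces. A line such as `/* element serialization needs the set flags to tell object references from plain data */` would help the next reader, assuming that is the reason; the consumer of set_flags is not visible in this diff. If only the object flag matters there, `expr->set_flags |= set->flags & NFT_SET_OBJECT;` would avoid carrying unrelated flags into an expression that may have been built with different ones. The function starts and ends outside the hunk.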