diff options
author | Patrick McHardy <kaber@trash.net> | 2016-04-27 12:29:50 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-05-13 19:30:29 +0200 |
commit | 3ed5e31f4a323d7f054b6120d05134195dc681f0 (patch) | |
tree | 5daa5afd681e9b3dbada6405659cd11cefc19554 /src/statement.c | |
parent | 9f3cce668b72c9ec9d9e0a6071d132a8f35d7b70 (diff) |
src: add flow statement
The flow statement allows to instantiate per flow statements for user
defined flows. This can so far be used for per flow accounting or limiting,
similar to what the iptables hashlimit provides. Flows can be aged using
the timeout option.
Examples:
# nft filter input flow ip saddr . tcp dport limit rate 10/second
# nft filter input flow table acct iif . ip saddr timeout 60s counter
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/statement.c')
-rw-r--r-- | src/statement.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/statement.c b/src/statement.c index 41498418..988cfeb7 100644 --- a/src/statement.c +++ b/src/statement.c @@ -41,6 +41,8 @@ struct stmt *stmt_alloc(const struct location *loc, void stmt_free(struct stmt *stmt) { + if (stmt == NULL) + return; if (stmt->ops->destroy) stmt->ops->destroy(stmt); xfree(stmt); @@ -103,6 +105,37 @@ struct stmt *verdict_stmt_alloc(const struct location *loc, struct expr *expr) return stmt; } +static void flow_stmt_print(const struct stmt *stmt) +{ + printf("flow "); + if (stmt->flow.set) { + expr_print(stmt->flow.set); + printf(" "); + } + expr_print(stmt->flow.key); + printf(" "); + stmt_print(stmt->flow.stmt); +} + +static void flow_stmt_destroy(struct stmt *stmt) +{ + expr_free(stmt->flow.key); + expr_free(stmt->flow.set); + stmt_free(stmt->flow.stmt); +} + +static const struct stmt_ops flow_stmt_ops = { + .type = STMT_FLOW, + .name = "flow", + .print = flow_stmt_print, + .destroy = flow_stmt_destroy, +}; + +struct stmt *flow_stmt_alloc(const struct location *loc) +{ + return stmt_alloc(loc, &flow_stmt_ops); +} + static void counter_stmt_print(const struct stmt *stmt) { printf("counter packets %" PRIu64 " bytes %" PRIu64, |