authorPablo Neira Ayuso <pablo@netfilter.org>2016-05-13 19:28:44 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2016-05-13 20:06:42 +0200
commit42205fc9d1fc96f5398c44ec07c760f8b7660ac0 (patch)
treea19e7be92d7468d323baa522fb6ddcae5f3ddd93 /src
parent3ed5e31f4a323d7f054b6120d05134195dc681f0 (diff)
parser_bison: update flow table syntax
Before we release next nft version, update the syntax to wrap the flow table definition between brackets, eg. # nft add rule filter input tcp dport 22 ct state new \ flow table ssh { ip saddr limit rate 10/second } # nft add rule filter input \ flow table acct { iif . ip saddr timeout 60s counter } When playing around with this in your initial patchset I found it very confusing that it may not look obvious to users that they can only use one single statement. For example: # nft add rule filter input \ flow table acct iif . ip saddr timeout 60s counter limit rate 10/second ~~~~~~~~~~~~~~~~~~~~ Note that this limit rate applies globally, so this patch resolves this ambiguity. This may cause us problems in the future too if we extend this to support more than one single statement per flowtable entry (Not saying we need this now, but if someone comes up with a useful usecase, we should be capable of extending this). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/parser_bison.y12
-rw-r--r--src/statement.c2
2 files changed, 8 insertions, 6 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 8a7785b3..76cf65cb 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1765,17 +1765,17 @@ set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
| UPDATE { $$ = NFT_DYNSET_OP_UPDATE; }
;
-flow_stmt : flow_stmt_alloc flow_stmt_opts flow_key_expr stmt
+flow_stmt : flow_stmt_alloc flow_stmt_opts '{' flow_key_expr stmt '}'
{
- $1->flow.key = $3;
- $1->flow.stmt = $4;
+ $1->flow.key = $4;
+ $1->flow.stmt = $5;
$$->location = @$;
$$ = $1;
}
- | flow_stmt_alloc flow_key_expr stmt
+ | flow_stmt_alloc '{' flow_key_expr stmt '}'
{
- $1->flow.key = $2;
- $1->flow.stmt = $3;
+ $1->flow.key = $3;
+ $1->flow.stmt = $4;
$$->location = @$;
$$ = $1;
}
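Review bot: Both rewritten actions still run `$$->location = @$;` before `$$ = $1;`, so the location is stored through `$$` before the action has assigned it. This appears to work only because the generated parser pre-loads `$$` with `$1` ahead of an explicit action, which the grammar should not depend on. Since the commit already renumbers the `$n` references in both alternatives, swapping the two statements to `$$ = $1;` followed by `$$->location = @$;` (or writing `$1->location = @$;`) would make the order explicit. The `flow_stmt` rule may continue past the end of this hunk.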
diff --git a/src/statement.c b/src/statement.c
index 988cfeb7..76f528b3 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -112,9 +112,11 @@ static void flow_stmt_print(const struct stmt *stmt)
expr_print(stmt->flow.set);
printf(" ");
}
+ printf("{ ");
expr_print(stmt->flow.key);
printf(" ");
stmt_print(stmt->flow.stmt);
+ printf("} ");
}
static void flow_stmt_destroy(struct stmt *stmt)
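Review bot: The added `printf("} ");` emits the closing brace directly after `stmt_print(stmt->flow.stmt)`, with no separating space. Unless the inner statement's printer ends with a space (not visible here), the listing reads `{ key stmt} ` rather than the `{ ... }` form shown in the commit message. Listed rulesets are commonly saved and loaded back, so the printed form should match the syntax the updated grammar documents; `printf(" } ");` would keep the brace separated. The start of `flow_stmt_print` lies outside the hunk, so the output before the optional set name is not checked here.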