-rw-r--r-- | doc/nft.xml | 10 | ||||
-rw-r--r-- | src/parser_bison.y | 11 | ||||
-rw-r--r-- | src/statement.c | 12 |
3 files changed, 21 insertions, 12 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index d3765fac..07f4f277 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -5375,15 +5375,15 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
 </para>
 <para>
 <cmdsynopsis>
- <command>set</command>
 <group choice="req">
 <arg>add</arg>
 <arg>update</arg>
 </group>
- <replaceable>expression</replaceable>
- <arg choice="opt">timeout <replaceable>timeout</replaceable></arg>
- <arg choice="opt">comment<replaceable>string</replaceable></arg>
 <replaceable>@setname</replaceable>
+ <replaceable>{ expression </replaceable>
+ <arg choice="opt">timeout <replaceable>timeout</replaceable></arg>
+ <arg choice="opt">comment <replaceable>string</replaceable></arg>
+ <replaceable>}</replaceable>
 </cmdsynopsis>
 </para>
 <para>
@@ -5401,7 +5401,7 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
 # add source ip addresses to the backlist if more than 10 tcp connection requests occured per second and ip address.
 # entries will timeout after one minute, after which they might be re-added if limit condition persists.
- nft add rule ip filter input tcp flags syn tcp dport ssh flow table flood { ip saddr timeout 10s limit rate over 10/second} set add ip saddr timeout 1m @blackhole drop
+ nft add rule ip filter input tcp flags syn tcp dport ssh meter flood { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop
 # inspect state of the rate limit meter:
 nft list meter ip filter flood
diff --git a/src/parser_bison.y b/src/parser_bison.y
index bdf2fb49..9c143832 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2713,18 +2713,25 @@ set_stmt : SET set_stmt_op set_elem_expr_stmt symbol_expr
 $$->set.key = $3;
 $$->set.set = $4;
 }
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt '}'
+ {
+ $$ = set_stmt_alloc(&@$);
+ $$->set.op = $1;
+ $$->set.key = $4;
+ $$->set.set = $2;
+ }
 ;
 set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
 | UPDATE { $$ = NFT_DYNSET_OP_UPDATE; }
 ;
-map_stmt : set_stmt_op MAP '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}' symbol_expr
+map_stmt : set_stmt_op symbol_expr '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}'
 {
 $$ = map_stmt_alloc(&@$);
 $$->map.op = $1;
 $$->map.map = map_expr_alloc(&@$, $4, $6);
- $$->map.set = $8;
+ $$->map.set = $2;
 }
 ;
diff --git a/src/statement.c b/src/statement.c
index 61ba643b..d495ec44 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -615,10 +615,11 @@ static const char * const set_stmt_op_names[] = {
 static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
- nft_print(octx, "set %s ", set_stmt_op_names[stmt->set.op]);
- expr_print(stmt->set.key, octx);
- nft_print(octx, " ");
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]);
 expr_print(stmt->set.set, octx);
+ nft_print(octx, "{ ");
+ expr_print(stmt->set.key, octx);
+ nft_print(octx, " } ");
 }
 static void set_stmt_destroy(struct stmt *stmt)
@@ -641,12 +642,13 @@ struct stmt *set_stmt_alloc(const struct location *loc)
 static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
- nft_print(octx, "%s map { ", set_stmt_op_names[stmt->map.op]);
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]);
+ expr_print(stmt->map.set, octx);
+ nft_print(octx, "{ ");
 expr_print(stmt->map.map->map->key, octx);
 nft_print(octx, " : ");
 expr_print(stmt->map.map->mappings, octx);
 nft_print(octx, " } ");
- expr_print(stmt->map.set, octx);
 }
 static void map_stmt_destroy(struct stmt *stmt)
|
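Review bot: The rewritten `map_stmt` rule drops the `set_stmt_op MAP '{' ... '}' symbol_expr` form entirely, while `set_stmt` keeps its `SET set_stmt_op ...` alternative (that first alternative begins before this hunk), so a ruleset saved with the old map syntax stops parsing even though the old set syntax is still accepted; if the old map form ever shipped in a release, keep it as a second alternative that assigns `$$->map.set = $8;`, or state the break in the commit message. The two new rules share the prefix `set_stmt_op symbol_expr '{' set_elem_expr_stmt` and diverge only on COLON versus '}', which LALR(1) resolves after reducing set_elem_expr_stmt, but a comment above `set_stmt` such as `/* add|update @set { key [timeout|comment ...] } -- keep in sync with set_stmt_print() */` would tell the next reader why the two rules mirror each other and the printers in statement.c.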
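Review bot: In the new `set_stmt_print`, `expr_print(stmt->set.set, octx)` is immediately followed by `nft_print(octx, "{ ")`, so unless expr_print emits a trailing space for a set reference the listing comes out as `add @blackhole{ ip saddr timeout 1m }` rather than the `add @blackhole { ... }` form documented in nft.xml and accepted by the new grammar rule; `nft_print(octx, " { ");` restores the separator. The `map_stmt_print` hunk below has the same pattern (`expr_print(stmt->map.set, octx);` followed by `nft_print(octx, "{ ");`) and wants the same fix. Since listing output is meant to be re-read by the parser, a comment on each printer such as `/* mirrors the set_stmt rule in parser_bison.y: <op> <set> { <key> } */` would keep printer and grammar in step.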