summaryrefslogtreecommitdiffstats
path: root/src/parser_bison.y
Commit message (Collapse)AuthorAgeFilesLines
...
* scanner: ct: move to own scopeFlorian Westphal2021-03-161-21/+22
| | | | | | | | | | | | This allows moving multiple ct specific keywords out of INITIAL scope. Next few patches follow same pattern: 1. add a scope_close_XXX rule 2. add a SCANSTATE_XXX & make flex switch to it when encountering XXX keyword 3. make bison leave SCANSTATE_XXXX when it has seen the complete expression. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: socket: move to own scopeFlorian Westphal2021-03-111-1/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: rt: move to own scopeFlorian Westphal2021-03-111-3/+4
| | | | | | | | classid and nexthop can be moved out of INIT scope. Rest are still needed because tehy are used by other expressions as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ipsec: move to own scopeFlorian Westphal2021-03-111-4/+5
| | | | | | ... and hide the ipsec specific tokens from the INITITAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: queue: move to own scopeFlorian Westphal2021-03-111-2/+3
| | | | | | allows to remove 3 queue specific keywords from INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: introduce start condition stackFlorian Westphal2021-03-111-4/+7
| | | | | | | | | | | | | | | | | | | | Add a small initial chunk of flex start conditionals. This starts with two low-hanging fruits, numgen and j/symhash. NUMGEN and HASH start conditions are entered from flex when the corresponding expression token is encountered. Flex returns to the INIT condition when the bison parser has seen a complete numgen/hash statement. This intentionally uses a stack rather than BEGIN() to eventually support nested states. The scanner_pop_start_cond() function argument is not used yet, but will need to be used later to deal with nesting. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: remove unused tokensFlorian Westphal2021-03-091-6/+0
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: compact ct obj list typesFlorian Westphal2021-03-061-11/+8
| | | | | | Add new ct_cmd_type and avoid copypaste of the ct cmd_list rules. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: compact map RHS typeFlorian Westphal2021-03-061-29/+9
| | | | | | Similar to previous patch, we can avoid duplication. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: squash duplicated spec/specid rulesFlorian Westphal2021-03-061-44/+38
| | | | | | | No need to have duplicate CMD rules for spec and specid: add and use a common rule for those cases. Signed-off-by: Florian Westphal <fw@strlen.de>
* table: support for the table owner flagPablo Neira Ayuso2021-03-021-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | Add new flag to allow userspace process to own tables: Tables that have an owner can only be updated/destroyed by the owner. The table is destroyed either if the owner process calls nft_ctx_free() or owner process is terminated (implicit table release). The ruleset listing includes the program name that owns the table: nft> list ruleset table ip x { # progname nft flags owner chain y { type filter hook input priority filter; policy accept; counter packets 1 bytes 309 } } Original code to pretty print the netlink portID to program name has been extracted from the conntrack userspace utility. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: re-enable support for concatentation on map RHSFlorian Westphal2021-02-231-0/+9
| | | | | | | | | "typeof .... : ip saddr . tcp dport" is legal. This makes 'testcases/maps/nat_addr_port' pass again. Fixes: 4ab1e5e6077918 ("src: allow use of 'verdict' in typeof definitions") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow use of 'verdict' in typeof definitionsFlorian Westphal2021-02-221-3/+26
| | | | | | | | | | | | | | | 'verdict' cannot be used as part of a map typeof-based key definition, its a datatype and not an expression, e.g.: typeof iifname . ip protocol . th dport : verdic ... will fail. Make the parser convert a 'verdict' symbol to a verdict expression and allow to store its presence as part of the typeof key definition. Reported-by: Frank Myhr <fmyhr@fhmtech.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add negation match on singleton bitmask valuePablo Neira Ayuso2021-02-051-0/+1
| | | | | | | | | | | | | | | | | This patch provides a shortcut for: ct status and dnat == 0 which allows to check for the packet whose dnat bit is unset: # nft add rule x y ct status ! dnat counter This operation is only available for expression with a bitmask basetype, eg. # nft describe ct status ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: disallow burst 0 in ratelimitsPablo Neira Ayuso2020-12-181-2/+23
| | | | | | | | | | | | The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set element multi-statement supportPablo Neira Ayuso2020-12-181-35/+50
| | | | | | | | Extend the set element infrastructure to support for several statements. This patch places the statements right after the key when printing it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for multi-statement in dynamic sets and mapsPablo Neira Ayuso2020-12-171-6/+21
| | | | | | | | This patch allows for two statements for dynamic set updates, e.g. nft rule x y add @y { ip daddr limit rate 1/second counter } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove unused proto_key member from structFlorian Westphal2020-12-091-1/+0
| | | | | | also, no need for this struct to be in the parser. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: double close_scope() call for implicit chainsPablo Neira Ayuso2020-12-081-1/+1
| | | | | | | | Call close_scope() from chain_block_alloc only. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1485 Fixes: c330152b7f77 ("src: support for implicit chain bindings") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to restore limit from dynamic setPablo Neira Ayuso2020-12-041-0/+32
| | | | | | | Update parser to allow to restore limit per set element in dynamic set. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tcp: add raw tcp option match supportFlorian Westphal2020-11-091-0/+5
| | | | | | tcp option @42,16,4 (@kind,offset,length). Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: allow to check for presence of any tcp optionFlorian Westphal2020-11-091-0/+7
| | | | | | | | | | | | | nft currently doesn't allow to check for presence of arbitrary tcp options. Only known options where nft provides a template can be tested for. This allows to test for presence of raw protocol values as well. Example: tcp option 42 exists Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: split tcpopt_hdr_fields into per-option enumFlorian Westphal2020-11-091-9/+9
| | | | | | | | | | | | | | | | | | Currently we're limited to ten template fields in exthdr_desc struct. Using a single enum for all tpc option fields thus won't work indefinitely (TCPOPTHDR_FIELD_TSECR is 9) when new option templates get added. Fortunately we can just use one enum per tcp option to avoid this. As a side effect this also allows to simplify the sack offset calculations. Rather than computing that on-the-fly, just add extra fields to the SACK template. expr->exthdr.offset now holds the 'raw' value, filled in from the option template. This would ease implementation of 'raw option matching' using offset and length to load from the option. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopts: clean up parser -> tcpopt.c plumbingFlorian Westphal2020-11-091-13/+13
| | | | | | | | | | | | | | | | | tcpopt template mapping is asymmetric: one mapping is to match dumped netlink exthdr expression to the original tcp option template. This struct is indexed by the raw, on-write kind/type number. The other mapping maps parsed options to the tcp option template. Remove the latter. The parser is changed to translate the textual option name, e.g. "maxseg" to the on-wire number. This avoids the second mapping, it will also allow to more easily support raw option matching in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: merge sack-perm/sack-permitted and maxseg/mssFlorian Westphal2020-11-091-7/+5
| | | | | | | | | | | | | | | | | | | | | | One was added by the tcp option parsing ocde, the other by synproxy. So we have: synproxy ... sack-perm synproxy ... mss and tcp option maxseg tcp option sack-permitted This kills the extra tokens on the scanner/parser side, so sack-perm and sack-permitted can both be used. Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too. On the output side, the shorter form is now preferred, i.e. sack-perm and mss. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add comment support for chainsJose M. Guisado Gomez2020-09-301-0/+8
| | | | | | | | | | | | | | | | | | | | This patch enables the user to specify a comment when adding a chain. Relies on kernel space supporting userdata for chains. > nft add table ip filter > nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; } > list ruleset table ip filter { chain input { comment "test" type filter hook input priority filter; policy accept; } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: fail when specifying multiple commentsJose M. Guisado Gomez2020-09-141-0/+63
| | | | | | | | | | | | | | | | | | | | Before this patch grammar supported specifying multiple comments, and only the last value would be assigned. This patch adds a function to test if an attribute is already assigned and, if so, calls erec_queue with this attribute location. Use this function in order to check for duplication (or more) of comments for actions that support it. > nft add table inet filter { flags "dormant"\; comment "test"\; comment "another"\;} Error: You can only specify this once. This statement is duplicated. add table inet filter { flags dormant; comment test; comment another;} ^^^^^^^^^^^^^^^^ Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for objectsJose M. Guisado Gomez2020-09-081-0/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enables specifying an optional comment when declaring named objects. The comment is to be specified inside the object's block ({} block) Relies on libnftnl exporting nftnl_obj_get_data and kernel space support to store the comments. For consistency, this patch makes the comment be printed first when listing objects. Adds a testcase importing all commented named objects except for secmark, although it's supported. Example: Adding a quota with a comment > add table inet filter > nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; } > list ruleset table inet filter { quota q { comment "test_comment" over 1200 bytes } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* socket: add support for "wildcard" keyBalazs Scheidler2020-08-291-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iptables had a "-m socket --transparent" which didn't match sockets that are bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was possible to override this behavior by using --nowildcard, in which case it did match zero bound sockets as well. The issue is that nftables never included the wildcard check, so in effect it behaved like "iptables -m socket --transparent --nowildcard" with no means to exclude wildcarded listeners. This is a problem as a user-space process that binds to 0.0.0.0:<port> that enables IP_TRANSPARENT would effectively intercept traffic going in _any_ direction on the specific port, whereas in most cases, transparent proxies would only need this for one specific address. The solution is to add "socket wildcard" key to the nft_socket module, which makes it possible to match on the wildcardness of a socket from one's ruleset. This is how to use it: table inet haproxy { chain prerouting { type filter hook prerouting priority -150; policy accept; socket transparent 1 socket wildcard 0 mark set 0x00000001 } } This patch effectively depends on its counterpart in the kernel. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support when adding tablesJose M. Guisado Gomez2020-08-281-0/+4
| | | | | | | | | | | | | | | | | | | Adds userdata building logic if a comment is specified when creating a new table. Adds netlink userdata parsing callback function. Relies on kernel supporting userdata for nft_table. Example: > nft add table ip x { comment "test"\; } > nft list ruleset table ip x { comment "test" } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for map tooPablo Neira Ayuso2020-08-171-0/+5
| | | | | | Extend and slightly rework tests/shell to cover this case too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for set declarationsJose M. Guisado Gomez2020-08-121-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow users to add a comment when declaring a named set. Adds set output handling the comment in both nftables and json format. $ nft add table ip x $ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}} $ nft list ruleset table ip x { set s { type ipv4_addr; comment "some_addrs" elements = { 1.1.1.1, 1.2.3.4 } } } $ nft --json list ruleset { "nftables": [ { "metainfo": { "json_schema_version": 1, "release_name": "Capital Idea #2", "version": "0.9.6" } }, { "table": { "family": "ip", "handle": 4857, "name": "x" } }, { "set": { "comment": "some_addrs", "elem": [ "1.1.1.1", "1.2.3.4" ], "family": "ip", "handle": 1, "name": "s", "table": "x", "type": "ipv4_addr" } } ] } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: memleak symbol redefinitionPablo Neira Ayuso2020-07-291-0/+1
| | | | | | Missing expr_free() from the error path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow for negative value in variable definitionsPablo Neira Ayuso2020-07-221-1/+9
| | | | | | Extend test to cover for negative value in chain priority definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use variables in flowtable and chain devicesPablo Neira Ayuso2020-07-211-0/+16
| | | | | | | | | | | | | | | This patch adds support for using variables for devices in the chain and flowtable definitions, eg. define if_main = lo table netdev filter1 { chain Main_Ingress1 { type filter hook ingress device $if_main priority -500; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: memleak in log prefix stringPablo Neira Ayuso2020-07-151-0/+1
| | | | | | | Release the string after creating the constant expression. Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for implicit chain bindingsPablo Neira Ayuso2020-07-151-3/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to group rules in a subchain, e.g. table inet x { chain y { type filter hook input priority 0; tcp dport 22 jump { ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept ip6 saddr ::1/128 accept; } } } This also supports for the `goto' chain verdict. This patch adds a new chain binding list to avoid a chain list lookup from the delinearize path for the usual chains. This can be simplified later on with a single hashtable per table for all chains. From the shell, you have to use the explicit separator ';', in bash you have to escape this: # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow for variables in the log prefix stringPablo Neira Ayuso2020-07-081-4/+118
| | | | | | | | | | | | | | | | | | | For example: define test = "state" define foo = "match" table x { chain y { ct state invalid log prefix "invalid $test $foo:" } } This patch scans for variables in the log prefix string. The log prefix expression is a list of constant and variable expression that are converted into a constant expression from the evaluation phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use expression to store the log prefixPablo Neira Ayuso2020-07-081-1/+6
| | | | | | Intsead of using an array of char. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow for empty set variable definitionPablo Neira Ayuso2020-07-041-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow for empty set definition in variables if they are merged to non-empty set definition: define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443} define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } However, disallow this: define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } # nft -f x.nft /tmp/x.nft:6:18-52: Error: Set is empty tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: delete devices to an existing flowtablePablo Neira Ayuso2020-06-021-0/+7
| | | | | | | | This patch allows you to remove a device to an existing flowtable: # nft delete flowtable x y { devices = { eth0 } \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTSPablo Neira Ayuso2020-05-141-4/+4
| | | | | | | | The CMD_OBJ_ELEMENTS provides an expression that contains the list of set elements. This leaves room to introduce CMD_OBJ_SETELEMS in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct_timeout: release policy string and state listPablo Neira Ayuso2020-05-051-0/+1
| | | | | | | | | | | | | | | | | | | ================================================================= ==19037==ERROR: LeakSanitizer: detected memory leaks Direct leak of 18 byte(s) in 2 object(s) allocated from: #0 0x7ff6ee6f9810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810) #1 0x7ff6ee22666d in xstrdup /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:75 #2 0x7ff6ee28cce9 in nft_parse /home/pablo/devel/scm/git-netfilter/nftables/src/parser_bison.c:5792 #3 0x4b903f302c8010a (<unknown module>) Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x7ff6ee7a8330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7ff6ee226578 in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36 SUMMARY: AddressSanitizer: 34 byte(s) leaked in 3 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: release helper type string after parsingPablo Neira Ayuso2020-05-051-0/+1
| | | | | | | | | | | ==4060==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4 byte(s) in 1 object(s) allocated from: #0 0x7f637b64a810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810) #1 0x7f637b17766d in xstrdup /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:75 #2 0x7f637b1ddce9 in nft_parse /home/pablo/devel/scm/git-netfilter/nftables/src/parser_bison.c:5792 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: release extended priority string after parsingPablo Neira Ayuso2020-05-051-0/+1
| | | | | | | | | | | | | | | | ==29581==ERROR: LeakSanitizer: detected memory leaks Direct leak of 1034 byte(s) in 152 object(s) allocated from: #0 0x7f7b55f1b810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810) #1 0x7f7b559597e0 in xstrdup /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:75 #2 0x7f7b55a494a0 in nft_lex /home/pablo/devel/scm/git-netfilter/nftables/src/scanner.l:641 #3 0x7f7b559cec25 in nft_parse /home/pablo/devel/scm/git-netfilter/nftables/src/parser_bison.c:5792 #4 0x7f7b5597e318 in nft_parse_bison_filename /home/pablo/devel/scm/git-netfilter/nftables/src/libnftables.c:392 #5 0x7f7b5597f864 in nft_run_cmd_from_filename /home/pablo/devel/scm/git-netfilter/nftables/src/libnftables.c:495 #6 0x562a25bbce71 in main /home/pablo/devel/scm/git-netfilter/nftables/src/main.c:457 #7 0x7f7b5457509a in __libc_start_main ../csu/libc-start.c:308 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: Add support for the 'id' keyBrett Mastbergen2020-05-011-0/+1
| | | | | | | | | The 'id' key allows for matching on the id of the conntrack entry. v2: Remove ct_id_type Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add STMT_NAT_F_CONCAT flag and use itPablo Neira Ayuso2020-04-281-1/+1
| | | | | | Replace ipportmap boolean field by flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add netmap supportPablo Neira Ayuso2020-04-281-0/+17
| | | | | | | | | | | | | | | | | This patch allows you to specify an interval of IP address in maps. table ip x { chain y { type nat hook postrouting priority srcnat; policy accept; snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } } } The example above performs SNAT to packets that comes from 10.141.11.0/24 using the prefix 192.168.2.0/24, e.g. 10.141.11.4 is mangled to 192.168.2.4. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: NAT support for intervals in mapsPablo Neira Ayuso2020-04-281-0/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to specify an interval of IP address in maps. table ip x { chain y { type nat hook postrouting priority srcnat; policy accept; snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } } } The example above performs SNAT to packets that comes from 10.141.11.4 to an interval of IP addresses from 192.168.2.2 to 192.168.2.4 (both included). You can also combine this with dynamic maps: table ip x { map y { type ipv4_addr : interval ipv4_addr flags interval elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4 } } chain y { type nat hook postrouting priority srcnat; policy accept; snat ip interval to ip saddr map @y } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: proper ct timeout list initializationPablo Neira Ayuso2020-04-161-2/+5
| | | | | | | Initialize list of timeout policies from ct_timeout_block. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1403 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>