diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-28 00:03:50 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-01-03 14:21:53 +0100 |
| commit | deaf962ebd7c6b9d8a161d9378a710031e4f1dd6 (patch) | |
| tree | 8e885dfedb3eefafa29bd46edc1ebe09f5f8c41c /src/netlink_delinearize.c | |
| parent | b139f738f558d6afb8c8f3e73526f578b059abd6 (diff) | |
src: add support for stateful object maps
You can create these maps using explicit map declarations:
# nft add table filter
# nft add chain filter input { type filter hook input priority 0\; }
# nft add map filter badguys { type ipv4_addr : counter \; }
# nft add rule filter input counter name ip saddr map @badguys
# nft add counter filter badguy1
# nft add counter filter badguy2
# nft add element filter badguys { 192.168.2.3 : "badguy1" }
# nft add element filter badguys { 192.168.2.4 : "badguy2" }
Or through implicit map definitions:
table ip filter {
counter http-traffic {
packets 8 bytes 672
}
chain input {
type filter hook input priority 0; policy accept;
counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_delinearize.c')
| -rw-r--r-- | src/netlink_delinearize.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 90fb9e67..48968442 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1142,6 +1142,35 @@ static void netlink_parse_objref(struct netlink_parse_ctx *ctx, expr = netlink_alloc_value(&netlink_location, &nld); expr->dtype = &string_type; expr->byteorder = BYTEORDER_HOST_ENDIAN; + } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_OBJREF_SET_SREG)) { + struct expr *left, *right; + enum nft_registers sreg; + const char *name; + struct set *set; + + name = nftnl_expr_get_str(nle, NFTNL_EXPR_OBJREF_SET_NAME); + set = set_lookup(ctx->table, name); + if (set == NULL) + return netlink_error(ctx, loc, + "Unknown set '%s' in objref expression", + name); + + sreg = netlink_parse_register(nle, NFTNL_EXPR_OBJREF_SET_SREG); + left = netlink_get_register(ctx, loc, sreg); + if (left == NULL) + return netlink_error(ctx, loc, + "objref expression has no left hand side"); + + if (left->len < set->keylen) { + left = netlink_parse_concat_expr(ctx, loc, sreg, set->keylen); + if (left == NULL) + return; + } + + right = set_ref_expr_alloc(loc, set); + expr = map_expr_alloc(loc, left, right); + expr_set_type(expr, &string_type, BYTEORDER_HOST_ENDIAN); + type = set->objtype; } else { netlink_error(ctx, loc, "unknown objref expression type %u", type); |