diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-28 00:03:50 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-01-03 14:21:53 +0100 |
| commit | deaf962ebd7c6b9d8a161d9378a710031e4f1dd6 (patch) | |
| tree | 8e885dfedb3eefafa29bd46edc1ebe09f5f8c41c /src/netlink_linearize.c | |
| parent | b139f738f558d6afb8c8f3e73526f578b059abd6 (diff) | |
src: add support for stateful object maps
You can create these maps using explicit map declarations:
# nft add table filter
# nft add chain filter input { type filter hook input priority 0\; }
# nft add map filter badguys { type ipv4_addr : counter \; }
# nft add rule filter input counter name ip saddr map @badguys
# nft add counter filter badguy1
# nft add counter filter badguy2
# nft add element filter badguys { 192.168.2.3 : "badguy1" }
# nft add element filter badguys { 192.168.2.4 : "badguy2" }
Or through implicit map definitions:
table ip filter {
counter http-traffic {
packets 8 bytes 672
}
chain input {
type filter hook input priority 0; policy accept;
counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_linearize.c')
| -rw-r--r-- | src/netlink_linearize.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index c9488b32..5030135c 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -692,14 +692,34 @@ static void netlink_gen_expr(struct netlink_linearize_ctx *ctx, static void netlink_gen_objref_stmt(struct netlink_linearize_ctx *ctx, const struct stmt *stmt) { + struct expr *expr = stmt->objref.expr; struct nft_data_linearize nld; struct nftnl_expr *nle; + uint32_t sreg_key; nle = alloc_nft_expr("objref"); - netlink_gen_data(stmt->objref.expr, &nld); - nftnl_expr_set(nle, NFTNL_EXPR_OBJREF_IMM_NAME, nld.value, nld.len); - nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_IMM_TYPE, stmt->objref.type); + switch (expr->ops->type) { + case EXPR_MAP: + sreg_key = get_register(ctx, expr->map); + netlink_gen_expr(ctx, expr->map, sreg_key); + release_register(ctx, expr->map); + nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_SET_SREG, sreg_key); + nftnl_expr_set_str(nle, NFTNL_EXPR_OBJREF_SET_NAME, + expr->mappings->set->handle.set); + nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_SET_ID, + expr->mappings->set->handle.set_id); + break; + case EXPR_VALUE: + netlink_gen_data(stmt->objref.expr, &nld); + nftnl_expr_set(nle, NFTNL_EXPR_OBJREF_IMM_NAME, + nld.value, nld.len); + nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_IMM_TYPE, + stmt->objref.type); + break; + default: + BUG("unsupported expression %u\n", expr->ops->type); + } nftnl_rule_add_expr(ctx->nlr, nle); } |