| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-22 11:17:10 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-22 11:47:58 +0100 |
| commit | 30f667920601d01107398cbb85da45fdb1237212 (patch) | |
| tree | 007eb0687d716a6cb2a33be255e283fdd483d4af /src/parser_bison.y | |
| parent | b4c7117ef552d0d71bde1db4a047b4c005699951 (diff) | |
src: add 'auto-merge' option to sets
After discussions with Karel here:
https://bugzilla.netfilter.org/show_bug.cgi?id=1184
And later on with Phil Sutter, we decided to disable the automatic merge
feature in sets with intervals. This feature is problematic because it
introduces an inconsistency between what we add and what we later on
get. This is going to get worse with the upcoming timeout support for
intervals. Therefore, we turned this off by default.
However, Jeff Kletsky and folks like this feature, so let's restore this
behaviour on demand with this new 'auto-merge' statement, that you can
place on the set definition, e.g.
# nft list ruleset
table ip x {
...
set y {
type ipv4_addr
flags interval
auto-merge
}
}
# nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 }
Regarding implementation details: Given this feature only makes sense
from userspace, let's store this in the set user data area, so nft knows
it has to do automatic merge of adjacent/overlapping elements as per
user request.
# nft add set x z { type ipv4_addr\; auto-merge\; }
Error: auto-merge only works with interval sets
add set x z { type ipv4_addr; auto-merge; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
| -rw-r--r-- | src/parser_bison.y | 6 |
|---|---|---|
1 files changed, 6 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index 009b801f..2e79109f 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -234,6 +234,7 @@ int nft_lex(void *, void *, void *); %token CONSTANT "constant" %token INTERVAL "interval" +%token AUTOMERGE "auto-merge" %token TIMEOUT "timeout" %token GC_INTERVAL "gc-interval" %token ELEMENTS "elements" @@ -1407,6 +1408,11 @@ set_block : /* empty */ { $$ = $<set>-1; } $1->init = $4; $$ = $1; } + | set_block AUTOMERGE + { + $1->automerge = true; + $$ = $1; + } | set_block set_mechanism stmt_separator ; |
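Review bot: the lexer side of the new token is absent from this diff: `+%token AUTOMERGE "auto-merge"` in the first hunk only declares the token to bison, and since the diffstat is limited to src/parser_bison.y, the scanner rule that actually emits AUTOMERGE for the literal `auto-merge` must live in a companion change to the lexer. Please confirm it is part of the same series; without it the keyword is never produced and the new set_block alternative can never match.

Review bot: in the second hunk the new `+ | set_block AUTOMERGE` alternative sets `$1->automerge = true` unconditionally and, unlike the neighbouring `| set_block set_mechanism stmt_separator`, consumes no stmt_separator. Two things to confirm outside this hunk: that the trailing `;` after `auto-merge` is absorbed by another set_block alternative so the `auto-merge\;` form shown in the commit message parses, and that the "auto-merge only works with interval sets" error quoted there is raised during set evaluation, because the parser action itself does not check the interval flag.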