author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-05-31 18:08:06 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-06-06 15:49:47 +0200 |
commit | 57e4a095edc4dab19e14fc8d1bca3febde1ca86c (patch) | |
tree | c51aaa1f1d3a6d1b42d2ee3da073b46289524ea5 /src/parser_bison.y | |
parent | 3384849c113b1ec3906c7a22cc71d708aae1218e (diff) |
src: connlimit support
This patch adds support for the new connlimit stateful expression, that
provides a mapping with the connlimit iptables extension through meters.
eg.
nft add rule filter input tcp dport 22 \
meter test { ip saddr ct count over 2 } counter reject
This limits the number of incoming SSH connections per source address to at
most 2 simultaneous connections.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r-- | src/parser_bison.y | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index d13eaa66..5797ee76 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -560,8 +560,8 @@ int nft_lex(void *, void *, void *);
 %type <stmt> log_stmt log_stmt_alloc
 %destructor { stmt_free($$); } log_stmt log_stmt_alloc
 %type <val> level_type log_flags log_flags_tcp log_flag_tcp
-%type <stmt> limit_stmt quota_stmt
-%destructor { stmt_free($$); } limit_stmt quota_stmt
+%type <stmt> limit_stmt quota_stmt connlimit_stmt
+%destructor { stmt_free($$); } limit_stmt quota_stmt connlimit_stmt
 %type <val> limit_burst limit_mode time_unit quota_mode
 %type <stmt> reject_stmt reject_stmt_alloc
 %destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
@@ -2062,6 +2062,7 @@ stmt_list : stmt
 stmt : verdict_stmt
 | match_stmt
 | meter_stmt
+| connlimit_stmt
 | counter_stmt
 | payload_stmt
 | meta_stmt
@@ -2129,6 +2130,19 @@ verdict_map_list_member_expr: opt_newline set_elem_expr COLON verdict_expr opt_n
 }
 ;
+connlimit_stmt : CT COUNT NUM
+{
+$$ = connlimit_stmt_alloc(&@$);
+$$->connlimit.count = $3;
+}
+| CT COUNT OVER NUM
+{
+$$ = connlimit_stmt_alloc(&@$);
+$$->connlimit.count = $4;
+$$->connlimit.flags = NFT_CONNLIMIT_F_INV;
+}
+;
+
 counter_stmt : counter_stmt_alloc
 | counter_stmt_alloc counter_args |
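Review bot: The two new `connlimit_stmt` actions store the `NUM` literal into `$$->connlimit.count` without any range check, so `ct count 0` and `ct count over 0` are accepted by the grammar even though a zero limit is almost certainly a user mistake (a rule that never, or always, matches) and, if `connlimit.count` is narrower than the type behind `NUM`, a large literal would be silently truncated rather than rejected. I would reject zero at parse time in both alternatives, e.g. `if ($3 == 0) { erec_queue(error(&@3, "connlimit count must be greater than zero"), state->msgs); YYERROR; }` (and the same on `$4`), following the error-reporting pattern the parser appears to use for other invalid literals, which is not visible in this hunk. A one-line comment on the second alternative, `/* "over" inverts the match: fire once the per-key count exceeds NUM */`, would also make the meaning of `NFT_CONNLIMIT_F_INV` clear to the next reader. Whether the kernel side additionally validates the count cannot be confirmed from this patch, so the userspace check is the safer place to fail early with a clear message.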