authorPablo Neira Ayuso <pablo@netfilter.org>2018-05-31 18:08:06 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-06-06 15:49:47 +0200
commit57e4a095edc4dab19e14fc8d1bca3febde1ca86c (patch)
treec51aaa1f1d3a6d1b42d2ee3da073b46289524ea5 /src/parser_bison.y
parent3384849c113b1ec3906c7a22cc71d708aae1218e (diff)
src: connlimit support
This patch adds support for the new connlimit stateful expression, which provides a mapping with the connlimit iptables extension through meters. eg. nft add rule filter input tcp dport 22 \ meter test { ip saddr ct count over 2 } counter reject This limits the maximum number of incoming SSH connections per source address to 2 simultaneous connections. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r--src/parser_bison.y18
1 files changed, 16 insertions, 2 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index d13eaa66..5797ee76 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -560,8 +560,8 @@ int nft_lex(void *, void *, void *);
%type <stmt> log_stmt log_stmt_alloc
%destructor { stmt_free($$); } log_stmt log_stmt_alloc
%type <val> level_type log_flags log_flags_tcp log_flag_tcp
-%type <stmt> limit_stmt quota_stmt
-%destructor { stmt_free($$); } limit_stmt quota_stmt
+%type <stmt> limit_stmt quota_stmt connlimit_stmt
+%destructor { stmt_free($$); } limit_stmt quota_stmt connlimit_stmt
%type <val> limit_burst limit_mode time_unit quota_mode
%type <stmt> reject_stmt reject_stmt_alloc
%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
@@ -2062,6 +2062,7 @@ stmt_list : stmt
stmt : verdict_stmt
| match_stmt
| meter_stmt
+ | connlimit_stmt
| counter_stmt
| payload_stmt
| meta_stmt
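Review bot: Adding `connlimit_stmt` as a plain alternative of `stmt` makes the grammar accept `ct count` in any rule position, while the commit message describes it as working through meters; if standalone use is not intended, the evaluator has to reject it, and if it is intended, a short grammar comment such as `/* connlimit: usable standalone or as a meter statement */` would document that. The related rule in the next hunk stores the raw `NUM` semantic value into `connlimit.count` with no range check, so any narrowing in the struct field (its type is not visible here) would silently truncate user-supplied limits; a range check at evaluation time is the usual place for that. The first alternative there also leaves `connlimit.flags` unset, which is only correct if `connlimit_stmt_alloc` zero-initialises the statement, not something this diff shows. The `stmt` rule continues outside this hunk.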
@@ -2129,6 +2130,19 @@ verdict_map_list_member_expr: opt_newline set_elem_expr COLON verdict_expr opt_n
}
;
+connlimit_stmt : CT COUNT NUM
+ {
+ $$ = connlimit_stmt_alloc(&@$);
+ $$->connlimit.count = $3;
+ }
+ | CT COUNT OVER NUM
+ {
+ $$ = connlimit_stmt_alloc(&@$);
+ $$->connlimit.count = $4;
+ $$->connlimit.flags = NFT_CONNLIMIT_F_INV;
+ }
+ ;
+
counter_stmt : counter_stmt_alloc
| counter_stmt_alloc counter_args