authorPablo Neira Ayuso <pablo@netfilter.org>2018-08-24 09:52:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-08-24 09:52:22 +0200
commita55ca1a24b7b216144dc737f621fb68f4a924e38 (patch)
treee104f4c5d5ad34b39f58a3b05b80aba85858d0c0 /src/parser_bison.y
parent0e90798e98121abab274434ec60f0b873f510021 (diff)
src: integrate stateful expressions into sets and maps
The following example shows how to populate a set from the packet path using the destination IP address, for each entry there is a counter. The entry expires after the 1 hour timeout if no packets matching this entry are seen. table ip x { set xyz { type ipv4_addr size 65535 flags dynamic,timeout timeout 1h } chain y { type filter hook output priority filter; policy accept; update @xyz { ip daddr counter } counter } } Similar example, that creates a mapping between IP address and mark, where the mark is assigned using an incremental sequence generator from 0 to 1 inclusive. table ip x { map xyz { type ipv4_addr : mark size 65535 flags dynamic,timeout timeout 1h } chain y { type filter hook input priority filter; policy accept; update @xyz { ip saddr counter : numgen inc mod 2 } } } Supported stateful statements are: limit, quota, counter and connlimit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r--src/parser_bison.y32
1 files changed, 26 insertions, 6 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 199ef13d..cc114717 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -561,8 +561,8 @@ int nft_lex(void *, void *, void *);
%destructor { stmt_list_free($$); xfree($$); } stmt_list
%type <stmt> stmt match_stmt verdict_stmt
%destructor { stmt_free($$); } stmt match_stmt verdict_stmt
-%type <stmt> counter_stmt counter_stmt_alloc
-%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc
+%type <stmt> counter_stmt counter_stmt_alloc stateful_stmt
+%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc stateful_stmt
%type <stmt> payload_stmt
%destructor { stmt_free($$); } payload_stmt
%type <stmt> ct_stmt
@@ -2112,16 +2112,19 @@ stmt_list : stmt
}
;
+stateful_stmt : counter_stmt
+ | limit_stmt
+ | quota_stmt
+ | connlimit_stmt
+ ;
+
stmt : verdict_stmt
| match_stmt
| meter_stmt
- | connlimit_stmt
- | counter_stmt
| payload_stmt
+ | stateful_stmt
| meta_stmt
| log_stmt
- | limit_stmt
- | quota_stmt
| reject_stmt
| nat_stmt
| tproxy_stmt
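Review bot: The new `stateful_stmt` nonterminal has no comment saying what the grouping is for, and since it is now reached both from `stmt` and from the set/map update forms a reader cannot tell from the rule alone why these four statements were singled out. A short comment above the rule would do, e.g. `/* Statements that keep per-element state; the only ones allowed inside an update @set { ... } / map element. */`. The `stmt` rule continues past the end of the hunk.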
@@ -2862,6 +2865,14 @@ set_stmt : SET set_stmt_op set_elem_expr_stmt symbol_expr
$$->set.key = $4;
$$->set.set = $2;
}
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt stateful_stmt '}'
+ {
+ $$ = set_stmt_alloc(&@$);
+ $$->set.op = $1;
+ $$->set.key = $4;
+ $$->set.set = $2;
+ $$->set.stmt = $5;
+ }
;
set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
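Review bot: The new alternative hands the parsed statement to `$$->set.stmt = $5;`, but nothing in this hunk shows the set statement's free path releasing it; if `stmt_free` for a set statement (defined outside this file) does not free `set.stmt`, every parsed `update @set { key counter }` leaks the inner statement, and the same applies to `$$->map.stmt = $5;` in the map_stmt hunk below. The `%destructor` declared for `stateful_stmt` only covers the symbol while it sits on the parser stack, so once `$5` is assigned ownership has moved to the set statement and must be handled there. The grammar also accepts a stateful statement for any set reference regardless of the set's `dynamic` flag, so the check that the target set is dynamic presumably has to live in evaluation; a one-line comment on the alternative would make both points explicit, e.g. `/* per-element stateful stmt: ownership moves to set.stmt; set must be dynamic, checked at eval time */`.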
@@ -2876,6 +2887,15 @@ map_stmt : set_stmt_op symbol_expr '{' set_elem_expr_stmt COLON set_elem_expr_s
$$->map.data = $6;
$$->map.set = $2;
}
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt stateful_stmt COLON set_elem_expr_stmt '}'
+ {
+ $$ = map_stmt_alloc(&@$);
+ $$->map.op = $1;
+ $$->map.key = $4;
+ $$->map.data = $7;
+ $$->map.stmt = $5;
+ $$->map.set = $2;
+ }
;
meter_stmt : flow_stmt_legacy_alloc flow_stmt_opts '{' meter_key_expr stmt '}'
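Review bot: The field assignments in the new map alternative are ordered differently from the set alternative above (`map.stmt` is written before `map.set`, whereas set_stmt writes `set.set` before `set.stmt`), which makes the two parallel actions harder to compare at a glance. Moving `$$->map.set = $2;` up so it follows `$$->map.key = $4;` would align the two. The `$7` index is correct for the eight-symbol rule, but with positional references in a rule this long a brief comment such as `/* $5 = stateful stmt, $7 = mapped data */` would guard against a future renumbering mistake.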