author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-16 10:14:47 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-16 12:02:11 +0100 |
commit | e7395266640aed088e312ca1da3c147b64059988 (patch) | |
tree | 0ff60c8670ee5a1a4928cc81eb281426de01b387 /src/statement.c | |
parent | 6c15ee2bab56cabb678cbd46cebd25703c363ab2 (diff) |
src: revisit syntax to update sets and maps from packet path
For sets, we allow this:
nft add rule x y ip protocol tcp update @y { ip saddr}
For maps:
table ip nftlb {
map persistencia {
type ipv4_addr : mark
timeout 1h
elements = { 192.168.1.132 expires 59m55s : 0x00000064,
192.168.56.101 expires 59m24s : 0x00000065 }
}
chain pre {
type nat hook prerouting priority 0; policy accept;
update @persistencia \
{ @nh,96,32 : numgen inc mod 2 offset 100 }
}
}
nft --debug=netlink add rule ip nftlb pre add @persistencia \
{ ip saddr : numgen inc mod 2 offset 100 }
More compact, and it doesn't get confused with a simple map update
command (interesting that bison didn't spew any conflict error).
Former syntax for sets is preserved.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/statement.c')
-rw-r--r-- | src/statement.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/statement.c b/src/statement.c
index 61ba643b..d495ec44 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -615,10 +615,11 @@ static const char * const set_stmt_op_names[] = {
 
 static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
- nft_print(octx, "set %s ", set_stmt_op_names[stmt->set.op]);
- expr_print(stmt->set.key, octx);
- nft_print(octx, " ");
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]);
 expr_print(stmt->set.set, octx);
+ nft_print(octx, "{ ");
+ expr_print(stmt->set.key, octx);
+ nft_print(octx, " } ");
 }
 
 static void set_stmt_destroy(struct stmt *stmt)
@@ -641,12 +642,13 @@ struct stmt *set_stmt_alloc(const struct location *loc)
 
 static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
- nft_print(octx, "%s map { ", set_stmt_op_names[stmt->map.op]);
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]);
+ expr_print(stmt->map.set, octx);
+ nft_print(octx, "{ ");
 expr_print(stmt->map.map->map->key, octx);
 nft_print(octx, " : ");
 expr_print(stmt->map.map->mappings, octx);
 nft_print(octx, " } ");
- expr_print(stmt->map.set, octx);
 }
 
 static void map_stmt_destroy(struct stmt *stmt) |
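Review bot: In set_stmt_print the set reference and the opening brace are printed back to back: `expr_print(stmt->set.set, octx);` is followed directly by `nft_print(octx, "{ ");`. Unless expr_print emits a trailing space for a set reference (not visible in this hunk), the listing comes out as `update @y{ ip saddr } ` rather than the `update @y { ip saddr}` form shown in the commit message. Printing `nft_print(octx, " { ");` keeps the separator, and map_stmt_print in the second hunk has the same sequence. Both printers also end on `" } "`, which leaves a trailing space after the closing brace. Listing output that differs from the documented input syntax makes saved rulesets harder to diff and audit.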
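Review bot: The lookup `set_stmt_op_names[stmt->map.op]` in map_stmt_print indexes the name table with no range check and hands the result to a `%s` conversion; `set_stmt_op_names[stmt->set.op]` in set_stmt_print in the first hunk does the same. If op can hold a value with no table entry, for example when the statement is built from data decoded at runtime rather than by the parser (not shown here), that is an out-of-bounds read or a NULL string argument. A guard such as `if (stmt->map.op >= sizeof(set_stmt_op_names) / sizeof(set_stmt_op_names[0]))` that prints a fallback name would make the printer safe regardless of its callers. The table's initializer lies outside the hunk, so its size and whether op is validated earlier should be confirmed.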