authorPablo Neira Ayuso <pablo@netfilter.org>2024-03-06 17:48:58 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2024-03-12 23:35:33 +0100
commitb8f8ddfff7335d3a8bebf5d85085974ae36f4099 (patch)
treea7308bfb5a5a5de4397ab88de2bbddf9d53c0a14 /tests/shell
parente828d933424470b495feb841b67b70ba216e8ecb (diff)
evaluate: translate meter into dynamic set
129f9d153279 ("nft: migrate man page examples with `meter` directive to sets") already replaced meters by dynamic sets. This patch removes NFT_SET_ANONYMOUS flag from the implicit set that is instantiated via meter, so the listing shows a dynamic set instead which is the recommended approach these days. Therefore, a batch like this: add table t add chain t c add rule t c tcp dport 80 meter m size 128 { ip saddr timeout 1s limit rate 10/second } gets translated to a dynamic set: table ip t { set m { type ipv4_addr size 128 flags dynamic,timeout } chain c { tcp dport 80 update @m { ip saddr timeout 1s limit rate 10/second burst 5 packets } } } Check for NFT_SET_ANONYMOUS flag is also relaxed for list and flush meter commands: # nft list meter ip t m table ip t { set m { type ipv4_addr size 128 flags dynamic,timeout } } # nft flush meter ip t m As a side effect the legacy 'list meter' and 'flush meter' commands allow to flush a dynamic set to retain backward compatibility. This patch updates testcases/sets/0022type_selective_flush_0 and testcases/sets/0038meter_list_0 as well as the json output which now uses the dynamic set representation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
-rwxr-xr-xtests/shell/testcases/sets/0022type_selective_flush_02
-rwxr-xr-xtests/shell/testcases/sets/0038meter_list_07
-rw-r--r--tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft35
-rw-r--r--tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft8
-rw-r--r--tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft35
-rw-r--r--tests/shell/testcases/sets/dumps/0038meter_list_0.nft8
6 files changed, 71 insertions, 24 deletions
diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0
index 6062913b..48f6875b 100755
--- a/tests/shell/testcases/sets/0022type_selective_flush_0
+++ b/tests/shell/testcases/sets/0022type_selective_flush_0
@@ -16,7 +16,7 @@ $NFT -f - <<< "$RULESET"
# Commands that should be invalid
declare -a cmds=(
- "flush set t m" "flush set t f"
+ "flush set t m"
"flush map t s" "flush map t f"
"flush meter t s" "flush meter t m"
)
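Review bot: Dropping `"flush set t f"` from the must-fail list leaves the newly accepted behaviour without a check in the part of the script shown here. Nothing asserts that flushing `f` now succeeds, either through `flush set` or through the legacy `flush meter` path that the commit message says is kept for backward compatibility. `f` holds the per-source state behind `limit rate 10/second`, so which commands may clear it is worth pinning down in both directions. I would add a positive section after the loop, for example `$NFT flush set t f || exit 1` and `$NFT flush meter t f || exit 1`. The loop that consumes `cmds` is outside this hunk, so confirm it does not already cover this.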
diff --git a/tests/shell/testcases/sets/0038meter_list_0 b/tests/shell/testcases/sets/0038meter_list_0
index e9e0f6fb..7c37c1d8 100755
--- a/tests/shell/testcases/sets/0038meter_list_0
+++ b/tests/shell/testcases/sets/0038meter_list_0
@@ -14,7 +14,12 @@ RULESET="
"
expected_output="table ip t {
- meter m {
+ set s {
+ type ipv4_addr
+ size 256
+ flags dynamic,timeout
+ }
+ set m {
type ipv4_addr
size 128
flags dynamic
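Review bot: The expected listing now contains `set s` (size 256, `dynamic,timeout`) ahead of `m`, which suggests the meter listing reports every dynamic set in the table and not only those created by a `meter` statement. That change in meaning is not stated in the visible part of the script. A comment above `expected_output` would make the intent explicit, e.g. `# meters are listed as dynamic sets; sets declared with 'flags dynamic' show up here too`. Anyone using this listing to audit rate-limiting state will see extra entries after this change. The `expected_output` string continues past the end of this hunk, and the command that produces it is not visible here.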
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
index c82c12a1..c6281ae8 100644
--- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
@@ -34,6 +34,19 @@
}
},
{
+ "set": {
+ "family": "ip",
+ "name": "f",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 1024,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
"chain": {
"family": "ip",
"table": "t",
@@ -61,22 +74,24 @@
}
},
{
- "meter": {
- "key": {
+ "set": {
+ "op": "add",
+ "elem": {
"payload": {
"protocol": "ip",
"field": "saddr"
}
},
- "stmt": {
- "limit": {
- "rate": 10,
- "burst": 5,
- "per": "second"
+ "set": "@f",
+ "stmt": [
+ {
+ "limit": {
+ "rate": 10,
+ "burst": 5,
+ "per": "second"
+ }
}
- },
- "size": 1024,
- "name": "f"
+ ]
}
}
]
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
index 0a4cb0a5..38987ded 100644
--- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
@@ -7,7 +7,13 @@ table ip t {
type ipv4_addr : inet_service
}
+ set f {
+ type ipv4_addr
+ size 1024
+ flags dynamic
+ }
+
chain c {
- tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second burst 5 packets }
+ tcp dport 80 add @f { ip saddr limit rate 10/second burst 5 packets }
}
}
diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
index be24687c..853fb5e3 100644
--- a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
@@ -29,6 +29,19 @@
}
},
{
+ "set": {
+ "family": "ip",
+ "name": "m",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 128,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
"chain": {
"family": "ip",
"table": "t",
@@ -56,22 +69,24 @@
}
},
{
- "meter": {
- "key": {
+ "set": {
+ "op": "add",
+ "elem": {
"payload": {
"protocol": "ip",
"field": "saddr"
}
},
- "stmt": {
- "limit": {
- "rate": 10,
- "burst": 5,
- "per": "second"
+ "set": "@m",
+ "stmt": [
+ {
+ "limit": {
+ "rate": 10,
+ "burst": 5,
+ "per": "second"
+ }
}
- },
- "size": 128,
- "name": "m"
+ ]
}
}
]
diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
index f274086b..8037dfa5 100644
--- a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
@@ -5,7 +5,13 @@ table ip t {
flags dynamic,timeout
}
+ set m {
+ type ipv4_addr
+ size 128
+ flags dynamic
+ }
+
chain c {
- tcp dport 80 meter m size 128 { ip saddr limit rate 10/second burst 5 packets }
+ tcp dport 80 add @m { ip saddr limit rate 10/second burst 5 packets }
}
}