From e7395266640aed088e312ca1da3c147b64059988 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 16 Mar 2018 10:14:47 +0100
Subject: src: revisit syntax to update sets and maps from packet path

For sets, we allow this:

nft add rule x y ip protocol tcp update @y { ip saddr}

For maps:

table ip nftlb {
map persistencia {
type ipv4_addr : mark
timeout 1h
elements = { 192.168.1.132 expires 59m55s : 0x00000064, 192.168.56.101 expires 59m24s : 0x00000065 }
}
chain pre {
type nat hook prerouting priority 0; policy accept;
update @persistencia \
{ @nh,96,32 : numgen inc mod 2 offset 100 }
}
}

nft --debug=netlink add rule ip nftlb pre add @persistencia \
{ ip saddr : numgen inc mod 2 offset 100 }

More compact and it doesn't gets it confused with a simple map update command (interesting that bison didn't spew any conflict error).

Former syntax for sets is preserved.

Signed-off-by: Pablo Neira Ayuso
---
doc/nft.xml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'doc')

diff --git a/doc/nft.xml b/doc/nft.xml
index d3765fac..07f4f277 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -5375,15 +5375,15 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } - set add update - expression - timeout timeout - commentstring @setname + { expression + timeout timeout + comment string + } 
@@ -5401,7 +5401,7 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } # add source ip addresses to the backlist if more than 10 tcp connection requests occured per second and ip address. # entries will timeout after one minute, after which they might be re-added if limit condition persists. - nft add rule ip filter input tcp flags syn tcp dport ssh flow table flood { ip saddr timeout 10s limit rate over 10/second} set add ip saddr timeout 1m @blackhole drop + nft add rule ip filter input tcp flags syn tcp dport ssh meter flood { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop # inspect state of the rate limit meter: nft list meter ip filter flood -- cgit v1.2.3