From a55ca1a24b7b216144dc737f621fb68f4a924e38 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 24 Aug 2018 09:52:22 +0200
Subject: src: integrate stateful expressions into sets and maps

The following example shows how to populate a set from the packet path using the destination IP address, for each entry there is a counter. The entry expires after the 1 hour timeout if no packets matching this entry are seen.

table ip x {
set xyz {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook output priority filter; policy accept;
update @xyz { ip daddr counter }
counter
}
}

Similar example, that creates a mapping better IP address and mark, where the mark is assigned using an incremental sequence generator from 0 to 1 inclusive.

table ip x {
map xyz {
type ipv4_addr : mark
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook input priority filter; policy accept;
update @xyz { ip saddr counter : numgen inc mod 2 }
}
}

Supported stateful statements are: limit, quota, counter and connlimit.

Signed-off-by: Pablo Neira Ayuso
---
 src/parser_bison.y | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
(limited to 'src/parser_bison.y')

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 199ef13d..cc114717 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -561,8 +561,8 @@ int nft_lex(void *, void *, void *);
 %destructor { stmt_list_free($$); xfree($$); } stmt_list
 %type stmt match_stmt verdict_stmt
 %destructor { stmt_free($$); } stmt match_stmt verdict_stmt
-%type counter_stmt counter_stmt_alloc
-%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc
+%type counter_stmt counter_stmt_alloc stateful_stmt
+%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc stateful_stmt
 %type payload_stmt
 %destructor { stmt_free($$); } payload_stmt
 %type ct_stmt
@@ -2112,16 +2112,19 @@ stmt_list : stmt
 }
 ;
+stateful_stmt : counter_stmt
+ | limit_stmt
+ | quota_stmt
+ | connlimit_stmt
+ ;
+
 stmt : verdict_stmt
 | match_stmt
 | meter_stmt
- | connlimit_stmt
- | counter_stmt
 | payload_stmt
+ | stateful_stmt
 | meta_stmt
 | log_stmt
- | limit_stmt
- | quota_stmt
 | reject_stmt
 | nat_stmt
 | tproxy_stmt
@@ -2862,6 +2865,14 @@ set_stmt : SET set_stmt_op set_elem_expr_stmt symbol_expr
 $$->set.key = $4;
 $$->set.set = $2;
 }
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt stateful_stmt '}'
+ {
+ $$ = set_stmt_alloc(&@$);
+ $$->set.op = $1;
+ $$->set.key = $4;
+ $$->set.set = $2;
+ $$->set.stmt = $5;
+ }
 ;
 
 set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
@@ -2876,6 +2887,15 @@ map_stmt : set_stmt_op symbol_expr '{' set_elem_expr_stmt COLON set_elem_expr_s
 $$->map.data = $6;
 $$->map.set = $2;
 }
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt stateful_stmt COLON set_elem_expr_stmt '}'
+ {
+ $$ = map_stmt_alloc(&@$);
+ $$->map.op = $1;
+ $$->map.key = $4;
+ $$->map.data = $7;
+ $$->map.stmt = $5;
+ $$->map.set = $2;
+ }
 ;
 
 meter_stmt : flow_stmt_legacy_alloc flow_stmt_opts '{' meter_key_expr stmt '}'
-- cgit v1.2.3
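Review bot: The new set_stmt alternative hands the parsed `stateful_stmt` to the set statement with `$$->set.stmt = $5;`, which moves ownership away from the `%destructor { stmt_free($$); } ... stateful_stmt` declared earlier in the patch, but this listing (limited to src/parser_bison.y) shows no matching release of `set.stmt` when the set statement itself is destroyed, so it is worth confirming that the set statement's destroy path frees the embedded statement rather than leaking one counter/limit/quota/connlimit object per parsed `update @set { key counter }` rule. The same applies to `$$->map.stmt = $5;` in the map_stmt hunk that follows. A short ownership comment on the new field would make that contract explicit, e.g. `/* stateful stmt embedded in the dynamic set/map element; freed together with the set/map stmt */`. The set_stmt and map_stmt rules both begin before their hunks, so the alternatives preceding the new ones are not visible here.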