From deaf962ebd7c6b9d8a161d9378a710031e4f1dd6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 28 Nov 2016 00:03:50 +0100 Subject: src: add support for stateful object maps You can create these maps using explicit map declarations: # nft add table filter # nft add chain filter input { type filter hook input priority 0\; } # nft add map filter badguys { type ipv4_addr : counter \; } # nft add rule filter input counter name ip saddr map @badguys # nft add counter filter badguy1 # nft add counter filter badguy2 # nft add element filter badguys { 192.168.2.3 : "badguy1" } # nft add element filter badguys { 192.168.2.4 : "badguy2" } Or through implicit map definitions: table ip filter { counter http-traffic { packets 8 bytes 672 } chain input { type filter hook input priority 0; policy accept; counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"} } } Signed-off-by: Pablo Neira Ayuso
---
 src/parser_bison.y | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'src/parser_bison.y')
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 795b0ee2..122e2496 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1218,7 +1218,6 @@ set_flag : CONSTANT { $$ = NFT_SET_CONSTANT; }
 map_block_alloc : /* empty */
 {
 $$ = set_alloc(NULL);
- $$->flags |= NFT_SET_MAP;
 }
 ;
@@ -1231,6 +1230,25 @@ map_block : /* empty */ { $$ = $-1; }
 {
 $1->keytype = $3;
 $1->datatype = $5;
+ $1->flags |= NFT_SET_MAP;
+ $$ = $1;
+ }
+ | map_block TYPE
+ data_type COLON COUNTER
+ stmt_seperator
+ {
+ $1->keytype = $3;
+ $1->objtype = NFT_OBJECT_COUNTER;
+ $1->flags |= NFT_SET_OBJECT;
+ $$ = $1;
+ }
+ | map_block TYPE
+ data_type COLON QUOTA
+ stmt_seperator
+ {
+ $1->keytype = $3;
+ $1->objtype = NFT_OBJECT_QUOTA;
+ $1->flags |= NFT_SET_OBJECT;
 $$ = $1;
 }
 | map_block FLAGS set_flag_list stmt_seperator
-- cgit v1.2.3
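Review bot: In the `map_block` type alternatives of the second hunk the set mode is only ever OR-ed in (`$1->flags |= NFT_SET_MAP;` and `$1->flags |= NFT_SET_OBJECT;`), and because `map_block` is left-recursive a block that carries two type statements of different kinds ends up with both flags set and both `datatype` and `objtype` filled. With the flag no longer set in `map_block_alloc` (first hunk), a map block that has no type statement at all now carries neither flag; whether a later evaluation step rejects either state is not visible in this patch. Clearing the opposite flag in each action, e.g. adding `$1->flags &= ~NFT_SET_OBJECT;` to the data-map action and `$1->flags &= ~NFT_SET_MAP;` to the counter and quota actions, keeps the set in a single mode, and a parse error on a repeated type statement would be stricter still. The `map_block` rule begins before and continues after the hunk.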