git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 24 Nov 2017 12:58:57 +0000 (13:58 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 24 Nov 2017 14:50:01 +0000 (15:50 +0100)
commit	24a912eea21f9d18909c53a865cf623839616281
tree	993eca503a34b8073efcd5fac93f8b78d1f67810	tree \| snapshot
parent	48661c54357aea271bf87ab2b6ef907eafc97e9a	commit \| diff

parser_bison: dismiss anonymous meters

The former 'flow table' syntax allows flow tables with no name:

# nft add rule x y flow { ip saddr counter }

However, when listing, it leaks the name that it is autoallocating.

# nft list ruleset
table ip x {
        chain y {
                flow table __mt0 { ip saddr counter}
        }
}

Which is odd since then restoring will use such a name.

Remove anonymous flow table/meters, so everyone needs to specify a name.

There is no way to fix this, given anonymous flag tells us that the set
behind this meter is bound to a rule, hence, released once the rule is
going - the term "anonymous" was not good choice as a flag in first
place. Only possibility is to strcmp for __ft to identify this is a
nameless meter, which is a hack.

Moreover, having no name means you cannot flush the set behind this
meter, which criples this feature for no reason.

On top of it, the wiki only documents named meters, and we have a record
of users complaining on this behaviour.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>

src/evaluate.c		diff \| blob \| blame \| history
src/parser_bison.y		diff \| blob \| blame \| history