Update parser to allow for maps with synproxy.
Fixes: f44ab88b1088 ("src: add synproxy stateful object support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| QUOTA close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
| LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
| SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
+ | SYNPROXY { $$ = NFT_OBJECT_SYNPROXY; }
;
map_block : /* empty */ { $$ = $<set>-1; }
quota user124 {
over 2000 bytes
}
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+ synproxy other-synproxy {
+ mss 1460
+ wscale 5
+ }
set y {
type ipv4_addr
}
type ipv4_addr : quota
elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"}
}
+ map test2 {
+ type ipv4_addr : synproxy
+ flags interval
+ elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
chain y {
type filter hook input priority 0; policy accept;
counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
+ synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
quota name ip saddr map @test drop
}
}"
over 2000 bytes
}
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+
+ synproxy other-synproxy {
+ mss 1460
+ wscale 5
+ }
+
set y {
type ipv4_addr
}
elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
}
+ map test2 {
+ type ipv4_addr : synproxy
+ flags interval
+ elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
+
chain y {
type filter hook input priority filter; policy accept;
counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+ synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
quota name ip saddr map @test drop
}
}
projects / thirdparty / nftables.git / commitdiff
