parser_bison: update flow table syntax
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 13 May 2016 17:28:44 +0000 (19:28 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 13 May 2016 18:06:42 +0000 (20:06 +0200)
Before we release next nft version, update the syntax to wrap the flow
table definition between brackets, eg.

 # nft add rule filter input tcp dport 22 ct state new \
flow table ssh { ip saddr limit rate 10/second }

 # nft add rule filter input \
        flow table acct { iif . ip saddr timeout 60s counter }

When playing around with this in your initial patchset I found it very
confusing that it may not be obvious to users that they can only use
one single statement.

For example:

 # nft add rule filter input \
        flow table acct iif . ip saddr timeout 60s counter limit rate 10/second
                                                           ~~~~~~~~~~~~~~~~~~~~

Note that this limit rate applies globally, so this patch resolves this
ambiguity.

This may cause us problems in the future too if we extend this to
support more than one single statement per flowtable entry (Not
telling we need this now, but if someone comes up with a useful
usecase, we should be capable of extending this).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/parser_bison.y
src/statement.c

index 8a7785b33bc27005181b716af96cee5423fa0095..76cf65cb4a822b0a330adc343a14ff35b09b53fa 100644 (file)
@@ -1765,17 +1765,17 @@ set_stmt_op             :       ADD     { $$ = NFT_DYNSET_OP_ADD; }
                        |       UPDATE  { $$ = NFT_DYNSET_OP_UPDATE; }
                        ;
 
-flow_stmt              :       flow_stmt_alloc         flow_stmt_opts  flow_key_expr   stmt
+flow_stmt              :       flow_stmt_alloc         flow_stmt_opts  '{' flow_key_expr stmt '}'
                        {
-                               $1->flow.key  = $3;
-                               $1->flow.stmt = $4;
+                               $1->flow.key  = $4;
+                               $1->flow.stmt = $5;
                                $$->location  = @$;
                                $$ = $1;
                        }
-                       |       flow_stmt_alloc         flow_key_expr   stmt
+                       |       flow_stmt_alloc         '{' flow_key_expr stmt '}'
                        {
-                               $1->flow.key  = $2;
-                               $1->flow.stmt = $3;
+                               $1->flow.key  = $3;
+                               $1->flow.stmt = $4;
                                $$->location  = @$;
                                $$ = $1;
                        }
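Review bot: In both rewritten actions `$$->location = @$;` is executed before `$$ = $1;`, so the location write relies on bison's default of initialising `$$` from `$1` ahead of the user action; that works in the generated parser, but it reads as a store through a value that has not been set yet. Swapping the two lines to `$$ = $1;` followed by `$$->location = @$;` states the intent explicitly without changing behaviour, in this alternative and in the second one (`$1->flow.key  = $3;` / `$1->flow.stmt = $4;`). The two alternatives now differ only by the optional flow_stmt_opts and carry identical action bodies, which is worth noting if, as the description anticipates, more than one statement per entry is allowed later and both copies would have to change in step.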
index 988cfeb7a0893836c9bdd2a3316baf61d0a4c83c..76f528b3435fa903996b2f297149dc65f9e6db57 100644 (file)
@@ -112,9 +112,11 @@ static void flow_stmt_print(const struct stmt *stmt)
                expr_print(stmt->flow.set);
                printf(" ");
        }
+       printf("{ ");
        expr_print(stmt->flow.key);
        printf(" ");
        stmt_print(stmt->flow.stmt);
+       printf("} ");
 }
 
 static void flow_stmt_destroy(struct stmt *stmt)
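Review bot: The closing `printf("} ");` emits no separator between the inner statement and the brace, so the printed form is `{ key stmt} ` with a trailing space, rather than the `{ key stmt }` shape the commit message uses for input — unless stmt_print() itself ends with a space, which is not visible in this hunk. Using `printf(" }");` would mirror the opening `printf("{ ");` and match the documented syntax. flow_stmt_print()'s signature and its first lines lie before the hunk, so whether a trailing space after the brace is expected depends on the spacing convention of the surrounding statement printers, which should be checked there.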