* @CMD_OBJ_EXPR: expression
* @CMD_OBJ_MONITOR: monitor
* @CMD_OBJ_EXPORT: export
+ * @CMD_OBJ_METER: meter
+ * @CMD_OBJ_METERS: meters
* @CMD_OBJ_COUNTER: counter
* @CMD_OBJ_COUNTERS: multiple counters
* @CMD_OBJ_QUOTA: quota
CMD_OBJ_EXPR,
CMD_OBJ_MONITOR,
CMD_OBJ_EXPORT,
- CMD_OBJ_FLOWTABLE,
- CMD_OBJ_FLOWTABLES,
+ CMD_OBJ_METER,
+ CMD_OBJ_METERS,
CMD_OBJ_MAP,
CMD_OBJ_MAPS,
CMD_OBJ_COUNTER,
extern struct stmt *set_stmt_alloc(const struct location *loc);
-struct flow_stmt {
+struct meter_stmt {
struct expr *set;
struct expr *key;
struct stmt *stmt;
- const char *table;
+ const char *name;
};
-extern struct stmt *flow_stmt_alloc(const struct location *loc);
+extern struct stmt *meter_stmt_alloc(const struct location *loc);
/**
* enum nft_xt_type - xtables statement types
* @STMT_INVALID: uninitialised
* @STMT_EXPRESSION: expression statement (relational)
* @STMT_VERDICT: verdict statement
- * @STMT_FLOW: flow statement
+ * @STMT_METER: meter statement
* @STMT_COUNTER: counters
* @STMT_PAYLOAD: payload statement
* @STMT_META: meta statement
STMT_INVALID,
STMT_EXPRESSION,
STMT_VERDICT,
- STMT_FLOW,
+ STMT_METER,
STMT_COUNTER,
STMT_PAYLOAD,
STMT_META,
union {
struct expr *expr;
struct exthdr_stmt exthdr;
- struct flow_stmt flow;
+ struct meter_stmt meter;
struct counter_stmt counter;
struct payload_stmt payload;
struct meta_stmt meta;
return expr_evaluate(ctx, &stmt->payload.val);
}
-static int stmt_evaluate_flow(struct eval_ctx *ctx, struct stmt *stmt)
+static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt)
{
struct expr *key, *set, *setref;
expr_set_context(&ctx->ectx, NULL, 0);
- if (expr_evaluate(ctx, &stmt->flow.key) < 0)
+ if (expr_evaluate(ctx, &stmt->meter.key) < 0)
return -1;
- if (expr_is_constant(stmt->flow.key))
- return expr_error(ctx->msgs, stmt->flow.key,
- "Flow key expression can not be constant");
- if (stmt->flow.key->comment)
- return expr_error(ctx->msgs, stmt->flow.key,
- "Flow key expression can not contain comments");
+ if (expr_is_constant(stmt->meter.key))
+ return expr_error(ctx->msgs, stmt->meter.key,
+ "Meter key expression can not be constant");
+ if (stmt->meter.key->comment)
+ return expr_error(ctx->msgs, stmt->meter.key,
+ "Meter key expression can not contain comments");
/* Declare an empty set */
- key = stmt->flow.key;
+ key = stmt->meter.key;
set = set_expr_alloc(&key->location, NULL);
set->set_flags |= NFT_SET_EVAL;
if (key->timeout)
set->set_flags |= NFT_SET_TIMEOUT;
- setref = implicit_set_declaration(ctx, stmt->flow.table ?: "__ft%d",
+ setref = implicit_set_declaration(ctx, stmt->meter.name ?: "__mt%d",
key, set);
- stmt->flow.set = setref;
+ stmt->meter.set = setref;
- if (stmt_evaluate(ctx, stmt->flow.stmt) < 0)
+ if (stmt_evaluate(ctx, stmt->meter.stmt) < 0)
return -1;
- if (!(stmt->flow.stmt->flags & STMT_F_STATEFUL))
- return stmt_binary_error(ctx, stmt->flow.stmt, stmt,
- "Per-flow statement must be stateful");
+ if (!(stmt->meter.stmt->flags & STMT_F_STATEFUL))
+ return stmt_binary_error(ctx, stmt->meter.stmt, stmt,
+ "meter statement must be stateful");
return 0;
}
return stmt_evaluate_payload(ctx, stmt);
case STMT_EXTHDR:
return stmt_evaluate_exthdr(ctx, stmt);
- case STMT_FLOW:
- return stmt_evaluate_flow(ctx, stmt);
+ case STMT_METER:
+ return stmt_evaluate_meter(ctx, stmt);
case STMT_META:
return stmt_evaluate_meta(ctx, stmt);
case STMT_CT:
return cmd_error(ctx, "Could not process rule: Set '%s' does not exist",
cmd->handle.set);
return 0;
- case CMD_OBJ_FLOWTABLE:
+ case CMD_OBJ_METER:
table = table_lookup(&cmd->handle, ctx->cache);
if (table == NULL)
return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
cmd->handle.table);
set = set_lookup(table, cmd->handle.set);
if (set == NULL || !(set->flags & NFT_SET_EVAL))
- return cmd_error(ctx, "Could not process rule: Flow table '%s' does not exist",
+ return cmd_error(ctx, "Could not process rule: Meter '%s' does not exist",
cmd->handle.set);
return 0;
case CMD_OBJ_MAP:
return 0;
case CMD_OBJ_CHAINS:
case CMD_OBJ_RULESET:
- case CMD_OBJ_FLOWTABLES:
+ case CMD_OBJ_METERS:
case CMD_OBJ_MAPS:
return 0;
default:
return cmd_error(ctx, "Could not process rule: Map '%s' does not exist",
cmd->handle.set);
return 0;
- case CMD_OBJ_FLOWTABLE:
+ case CMD_OBJ_METER:
table = table_lookup(&cmd->handle, ctx->cache);
if (table == NULL)
return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
cmd->handle.table);
set = set_lookup(table, cmd->handle.set);
if (set == NULL || !(set->flags & NFT_SET_EVAL))
- return cmd_error(ctx, "Could not process rule: Flow table '%s' does not exist",
+ return cmd_error(ctx, "Could not process rule: Meter '%s' does not exist",
cmd->handle.set);
return 0;
default:
{
if (expr->set->flags & NFT_SET_ANONYMOUS) {
if (expr->set->flags & NFT_SET_EVAL)
- nft_print(octx, "table %s", expr->set->handle.set);
+ nft_print(octx, "%s", expr->set->handle.set);
else
expr_print(expr->set->init, octx);
} else {
}
if (dstmt != NULL) {
- stmt = flow_stmt_alloc(loc);
- stmt->flow.set = set_ref_expr_alloc(loc, set);
- stmt->flow.key = expr;
- stmt->flow.stmt = dstmt;
+ stmt = meter_stmt_alloc(loc);
+ stmt->meter.set = set_ref_expr_alloc(loc, set);
+ stmt->meter.key = expr;
+ stmt->meter.stmt = dstmt;
} else {
stmt = set_stmt_alloc(loc);
stmt->set.set = set_ref_expr_alloc(loc, set);
case STMT_PAYLOAD:
stmt_payload_postprocess(&rctx);
break;
- case STMT_FLOW:
- expr_postprocess(&rctx, &stmt->flow.key);
+ case STMT_METER:
+ expr_postprocess(&rctx, &stmt->meter.key);
break;
case STMT_META:
if (stmt->meta.expr != NULL)
static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
- struct set *set = stmt->flow.set->set;
+ struct set *set = stmt->meter.set->set;
struct nftnl_expr *nle;
enum nft_registers sreg_key;
nftnl_rule_add_expr(ctx->nlr, nle);
}
-static void netlink_gen_flow_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
+static void netlink_gen_meter_stmt(struct netlink_linearize_ctx *ctx,
+ const struct stmt *stmt)
{
struct nftnl_expr *nle;
enum nft_registers sreg_key;
enum nft_dynset_ops op;
struct set *set;
- sreg_key = get_register(ctx, stmt->flow.key->key);
- netlink_gen_expr(ctx, stmt->flow.key->key, sreg_key);
- release_register(ctx, stmt->flow.key->key);
+ sreg_key = get_register(ctx, stmt->meter.key->key);
+ netlink_gen_expr(ctx, stmt->meter.key->key, sreg_key);
+ release_register(ctx, stmt->meter.key->key);
- set = stmt->flow.set->set;
- if (stmt->flow.key->timeout)
+ set = stmt->meter.set->set;
+ if (stmt->meter.key->timeout)
op = NFT_DYNSET_OP_UPDATE;
else
op = NFT_DYNSET_OP_ADD;
nle = alloc_nft_expr("dynset");
netlink_put_register(nle, NFTNL_EXPR_DYNSET_SREG_KEY, sreg_key);
- if (stmt->flow.key->timeout)
+ if (stmt->meter.key->timeout)
nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT,
- stmt->flow.key->timeout);
+ stmt->meter.key->timeout);
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_OP, op);
nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set);
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
- netlink_gen_stmt_stateful(ctx, stmt->flow.stmt), 0);
+ netlink_gen_stmt_stateful(ctx, stmt->meter.stmt), 0);
nftnl_rule_add_expr(ctx->nlr, nle);
}
return netlink_gen_expr(ctx, stmt->expr, NFT_REG_VERDICT);
case STMT_VERDICT:
return netlink_gen_verdict_stmt(ctx, stmt);
- case STMT_FLOW:
- return netlink_gen_flow_stmt(ctx, stmt);
+ case STMT_METER:
+ return netlink_gen_meter_stmt(ctx, stmt);
case STMT_EXTHDR:
return netlink_gen_exthdr_stmt(ctx, stmt);
case STMT_PAYLOAD:
%token SIZE "size"
%token FLOW "flow"
+%token METER "meter"
+%token METERS "meters"
%token <val> NUM "number"
%token <string> STRING "string"
%type <stmt> set_stmt
%destructor { stmt_free($$); } set_stmt
%type <val> set_stmt_op
-%type <stmt> flow_stmt flow_stmt_alloc
-%destructor { stmt_free($$); } flow_stmt flow_stmt_alloc
+%type <stmt> meter_stmt meter_stmt_alloc
+%destructor { stmt_free($$); } meter_stmt meter_stmt_alloc
%type <expr> symbol_expr verdict_expr integer_expr variable_expr
%destructor { expr_free($$); } symbol_expr verdict_expr integer_expr variable_expr
%type <expr> set_elem_expr_stmt set_elem_expr_stmt_alloc
%destructor { expr_free($$); } set_elem_expr_stmt set_elem_expr_stmt_alloc
-%type <expr> flow_key_expr flow_key_expr_alloc
-%destructor { expr_free($$); } flow_key_expr flow_key_expr_alloc
+%type <expr> meter_key_expr meter_key_expr_alloc
+%destructor { expr_free($$); } meter_key_expr meter_key_expr_alloc
%type <expr> expr initializer_expr keyword_expr
%destructor { expr_free($$); } expr initializer_expr keyword_expr
}
| FLOW TABLES ruleset_spec
{
- $$ = cmd_alloc(CMD_LIST, CMD_OBJ_FLOWTABLES, &$3, &@$, NULL);
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_METERS, &$3, &@$, NULL);
}
| FLOW TABLE set_spec
{
- $$ = cmd_alloc(CMD_LIST, CMD_OBJ_FLOWTABLE, &$3, &@$, NULL);
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_METER, &$3, &@$, NULL);
+ }
+ | METERS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_METERS, &$2, &@$, NULL);
+ }
+ | METER set_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_METER, &$2, &@$, NULL);
}
| MAPS ruleset_spec
{
}
| FLOW TABLE set_spec
{
- $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_FLOWTABLE, &$3, &@$, NULL);
+ $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_METER, &$3, &@$, NULL);
+ }
+ | METER set_spec
+ {
+ $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_METER, &$2, &@$, NULL);
}
| RULESET ruleset_spec
{
stmt : verdict_stmt
| match_stmt
- | flow_stmt
+ | meter_stmt
| counter_stmt
| payload_stmt
| meta_stmt
| UPDATE { $$ = NFT_DYNSET_OP_UPDATE; }
;
-flow_stmt : flow_stmt_alloc flow_stmt_opts '{' flow_key_expr stmt '}'
+meter_stmt : meter_stmt_alloc meter_stmt_opts '{' meter_key_expr stmt '}'
{
- $1->flow.key = $4;
- $1->flow.stmt = $5;
+ $1->meter.key = $4;
+ $1->meter.stmt = $5;
$$->location = @$;
$$ = $1;
}
- | flow_stmt_alloc '{' flow_key_expr stmt '}'
+ | meter_stmt_alloc '{' meter_key_expr stmt '}'
{
- $1->flow.key = $3;
- $1->flow.stmt = $4;
+ $1->meter.key = $3;
+ $1->meter.stmt = $4;
$$->location = @$;
$$ = $1;
}
;
-flow_stmt_alloc : FLOW
+meter_stmt_alloc : FLOW
+ {
+ $$ = meter_stmt_alloc(&@$);
+ }
+ | METER
{
- $$ = flow_stmt_alloc(&@$);
+ $$ = meter_stmt_alloc(&@$);
}
;
-flow_stmt_opts : flow_stmt_opt
+meter_stmt_opts : meter_stmt_opt
{
$<stmt>$ = $<stmt>0;
}
- | flow_stmt_opts flow_stmt_opt
+ | meter_stmt_opts meter_stmt_opt
;
-flow_stmt_opt : TABLE identifier
+meter_stmt_opt : TABLE identifier
+ {
+ $<stmt>0->meter.name = $2;
+ }
+ | NAME identifier
{
- $<stmt>0->flow.table = $2;
+ $<stmt>0->meter.name = $2;
}
;
}
;
-flow_key_expr : flow_key_expr_alloc
- | flow_key_expr_alloc set_elem_options
+meter_key_expr : meter_key_expr_alloc
+ | meter_key_expr_alloc set_elem_options
{
$$->location = @$;
$$ = $1;
}
;
-flow_key_expr_alloc : concat_expr
+meter_key_expr_alloc : concat_expr
{
$$ = set_elem_expr_alloc(&@1, $1);
}
if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
type = "map";
else if (set->flags & NFT_SET_EVAL)
- type = "flow table";
+ type = "meter";
else
type = "set";
(set->flags & NFT_SET_ANONYMOUS ||
set->flags & NFT_SET_MAP))
continue;
- if (cmd->obj == CMD_OBJ_FLOWTABLES &&
+ if (cmd->obj == CMD_OBJ_METERS &&
!(set->flags & NFT_SET_EVAL))
continue;
if (cmd->obj == CMD_OBJ_MAPS &&
return do_list_set(ctx, cmd, table);
case CMD_OBJ_RULESET:
return do_list_ruleset(ctx, cmd);
- case CMD_OBJ_FLOWTABLES:
+ case CMD_OBJ_METERS:
return do_list_sets(ctx, cmd);
- case CMD_OBJ_FLOWTABLE:
+ case CMD_OBJ_METER:
return do_list_set(ctx, cmd, table);
case CMD_OBJ_MAPS:
return do_list_sets(ctx, cmd);
return netlink_flush_chain(ctx, &cmd->handle, &cmd->location);
case CMD_OBJ_SET:
case CMD_OBJ_MAP:
- case CMD_OBJ_FLOWTABLE:
+ case CMD_OBJ_METER:
return netlink_flush_setelems(ctx, &cmd->handle,
&cmd->location);
case CMD_OBJ_RULESET:
"memory" { return MEMORY; }
"flow" { return FLOW; }
+"meter" { return METER; }
+"meters" { return METERS; }
"counter" { return COUNTER; }
"name" { return NAME; }
return stmt;
}
-static void flow_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
+static void meter_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
- nft_print(octx, "flow ");
- if (stmt->flow.set) {
- expr_print(stmt->flow.set, octx);
+ nft_print(octx, "meter ");
+ if (stmt->meter.set) {
+ expr_print(stmt->meter.set, octx);
nft_print(octx, " ");
}
nft_print(octx, "{ ");
- expr_print(stmt->flow.key, octx);
+ expr_print(stmt->meter.key, octx);
nft_print(octx, " ");
octx->stateless++;
- stmt_print(stmt->flow.stmt, octx);
+ stmt_print(stmt->meter.stmt, octx);
octx->stateless--;
nft_print(octx, "} ");
}
-static void flow_stmt_destroy(struct stmt *stmt)
+static void meter_stmt_destroy(struct stmt *stmt)
{
- expr_free(stmt->flow.key);
- expr_free(stmt->flow.set);
- stmt_free(stmt->flow.stmt);
+ expr_free(stmt->meter.key);
+ expr_free(stmt->meter.set);
+ stmt_free(stmt->meter.stmt);
}
-static const struct stmt_ops flow_stmt_ops = {
- .type = STMT_FLOW,
- .name = "flow",
- .print = flow_stmt_print,
- .destroy = flow_stmt_destroy,
+static const struct stmt_ops meter_stmt_ops = {
+ .type = STMT_METER,
+ .name = "meter",
+ .print = meter_stmt_print,
+ .destroy = meter_stmt_destroy,
};
-struct stmt *flow_stmt_alloc(const struct location *loc)
+struct stmt *meter_stmt_alloc(const struct location *loc)
{
- return stmt_alloc(loc, &flow_stmt_ops);
+ return stmt_alloc(loc, &meter_stmt_ops);
}
static void counter_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
*ip;test-ip;input
-flow table xyz { ip saddr timeout 30s counter};ok
+meter name xyz { ip saddr timeout 30s counter};ok
-# flow table xyz { ip saddr timeout 30s counter}
+# meter name xyz { ip saddr timeout 30s counter}
xyz test-ip 31
xyz test-ip 0
ip test-ip input
*ip6;test-ip6;input
-flow table acct_out { meta iif . ip6 saddr timeout 600s counter };ok;flow table acct_out { iif . ip6 saddr timeout 10m counter}
-flow table acct_out { ip6 saddr . meta iif timeout 600s counter };ok;flow table acct_out { ip6 saddr . iif timeout 10m counter}
+meter name acct_out { meta iif . ip6 saddr timeout 600s counter };ok;meter name acct_out { iif . ip6 saddr timeout 10m counter}
+meter name acct_out { ip6 saddr . meta iif timeout 600s counter };ok;meter name acct_out { ip6 saddr . iif timeout 10m counter}
-# flow table acct_out { meta iif . ip6 saddr timeout 600s counter }
+# meter name acct_out { meta iif . ip6 saddr timeout 600s counter }
acct_out test-ip6 31
acct_out test-ip6 0
ip6 test-ip6 input
[ payload load 16b @ network header + 8 => reg 9 ]
[ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ]
-# flow table acct_out { ip6 saddr . meta iif timeout 600s counter }
+# meter name acct_out { ip6 saddr . meta iif timeout 600s counter }
acct_out test-ip6 31
acct_out test-ip6 0
ip6 test-ip6 input
#!/bin/bash
# This tests the selectiveness of flush command on structures that use the
-# generic set infrastructure (sets, maps and flow tables).
+# generic set infrastructure (sets, maps and meters).
tmpfile=$(mktemp)
if [ ! -w $tmpfile ] ; then
add chain t c
add set t s {type ipv4_addr;}
add map t m {type ipv4_addr : inet_service;}
-add rule t c tcp dport 80 flow table f {ip saddr limit rate 10/second}
+add rule t c tcp dport 80 meter name f {ip saddr limit rate 10/second}
" >$tmpfile
$NFT -f $tmpfile
declare -a cmds=(
"flush set t m" "flush set t f"
"flush map t s" "flush map t f"
- "flush flow table t s" "flush flow table t m"
+ "flush meter name t s" "flush meter name t m"
)
for i in "${cmds[@]}"
projects / thirdparty / nftables.git / commitdiff
