src: revisit syntax to update sets and maps from packet path
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 16 Mar 2018 09:14:47 +0000 (10:14 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 16 Mar 2018 11:02:11 +0000 (12:02 +0100)
For sets, we allow this:

nft add rule x y ip protocol tcp update @y { ip saddr}

For maps:

table ip nftlb {
        map persistencia {
            type ipv4_addr : mark
            timeout 1h
            elements = { 192.168.1.132 expires 59m55s : 0x00000064,
                         192.168.56.101 expires 59m24s : 0x00000065 }
        }

        chain pre {
            type nat hook prerouting priority 0; policy accept;
            update @persistencia \
                { @nh,96,32 : numgen inc mod 2 offset 100 }
        }
    }

nft --debug=netlink add rule ip nftlb pre add @persistencia \
        { ip saddr : numgen inc mod 2 offset 100 }

More compact, and it doesn't get confused with a simple map update
command (interesting that bison didn't spew any conflict error).

Former syntax for sets is preserved.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc/nft.xml
src/parser_bison.y
src/statement.c

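index d3765fac45fd8c3c0b842936ccb28b626d952328..07f4f2770a4aa9632ad2c450ae1594c07de1c8a9 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -5375,15 +5375,15 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
                        </para>
                        <para>
                                <cmdsynopsis>
-                                               <command>set</command>
                                                <group choice="req">
                                                        <arg>add</arg>
                                                        <arg>update</arg>
                                                </group>
-                                               <replaceable>expression</replaceable>
-                                                       <arg choice="opt">timeout <replaceable>timeout</replaceable></arg>
-                                                       <arg choice="opt">comment<replaceable>string</replaceable></arg>
                                                <replaceable>@setname</replaceable>
+                                               <replaceable>{ expression </replaceable>
+                                                       <arg choice="opt">timeout <replaceable>timeout</replaceable></arg>
+                                                       <arg choice="opt">comment <replaceable>string</replaceable></arg>
+                                               <replaceable>}</replaceable>
                                </cmdsynopsis>
                        </para>
                        <para>
@@ -5401,7 +5401,7 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
 
     # add source ip addresses to the backlist if more than 10 tcp connection requests occured per second and ip address.
     # entries will timeout after one minute, after which they might be re-added if limit condition persists.
-    nft add rule ip filter input tcp flags syn tcp dport ssh flow table flood { ip saddr timeout 10s limit rate over 10/second} set add ip saddr timeout 1m @blackhole drop
+    nft add rule ip filter input tcp flags syn tcp dport ssh meter flood { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop
 
     # inspect state of the rate limit meter:
     nft list meter ip filter flood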
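index bdf2fb491736a7fed5288f8946942105330fc93d..9c143832eed6e4b445847c26a6cf55aaf868df60 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2713,18 +2713,25 @@ set_stmt                :       SET     set_stmt_op     set_elem_expr_stmt      symbol_expr
                                $$->set.key = $3;
                                $$->set.set = $4;
                        }
+                       |       set_stmt_op     symbol_expr     '{' set_elem_expr_stmt  '}'
+                       {
+                               $$ = set_stmt_alloc(&@$);
+                               $$->set.op  = $1;
+                               $$->set.key = $4;
+                               $$->set.set = $2;
+                       }
                        ;
 
 set_stmt_op            :       ADD     { $$ = NFT_DYNSET_OP_ADD; }
                        |       UPDATE  { $$ = NFT_DYNSET_OP_UPDATE; }
                        ;
 
-map_stmt               :       set_stmt_op     MAP '{' set_elem_expr_stmt      COLON   set_elem_expr_stmt      '}'     symbol_expr
+map_stmt               :       set_stmt_op     symbol_expr '{' set_elem_expr_stmt      COLON   set_elem_expr_stmt      '}'
                        {
                                $$ = map_stmt_alloc(&@$);
                                $$->map.op  = $1;
                                $$->map.map = map_expr_alloc(&@$, $4, $6);
-                               $$->map.set = $8;
+                               $$->map.set = $2;
                        }
                        ;
 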
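Review bot: The old `set_stmt_op MAP '{' ... '}' symbol_expr` form of map_stmt is removed outright while the old `SET` form of set_stmt is kept as a second alternative, so any ruleset already written as `add map { k : v } @m` stops loading after this change; if that syntax ever shipped in a release, keep it as an extra map_stmt alternative the way set_stmt does, otherwise say in the description that it was never released. The new set_stmt alternative and map_stmt now share the prefix `set_stmt_op symbol_expr '{' set_elem_expr_stmt`, and bison stays quiet only because the single token of lookahead after the key expression (`COLON` versus `'}'`) decides between them, so a comment on the rule such as `/* shares a prefix with map_stmt; the token after the key (COLON or '}') disambiguates */` would stop the next editor from reintroducing a conflict. Since the syntax no longer states whether `@name` is a set or a map, the evaluation step (not in this hunk) presumably has to reject `add @map { key }` and `add @set { key : data }`, which deserves a test if it is not already covered. The set_stmt rule itself begins before this hunk.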
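index 61ba643becc3613dd5e89e7ac9af13f0ca4ffa0d..d495ec447dfdc07ec33c9801cd459c21e6aa62b8 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -615,10 +615,11 @@ static const char * const set_stmt_op_names[] = {
 
 static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-       nft_print(octx, "set %s ", set_stmt_op_names[stmt->set.op]);
-       expr_print(stmt->set.key, octx);
-       nft_print(octx, " ");
+       nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]);
        expr_print(stmt->set.set, octx);
+       nft_print(octx, "{ ");
+       expr_print(stmt->set.key, octx);
+       nft_print(octx, " } ");
 }
 
 static void set_stmt_destroy(struct stmt *stmt)
@@ -641,12 +642,13 @@ struct stmt *set_stmt_alloc(const struct location *loc)
 
 static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-       nft_print(octx, "%s map { ", set_stmt_op_names[stmt->map.op]);
+       nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]);
+       expr_print(stmt->map.set, octx);
+       nft_print(octx, "{ ");
        expr_print(stmt->map.map->map->key, octx);
        nft_print(octx, " : ");
        expr_print(stmt->map.map->mappings, octx);
        nft_print(octx, " } ");
-       expr_print(stmt->map.set, octx);
 }
 
 static void map_stmt_destroy(struct stmt *stmt)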
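Review bot: Both set_stmt_print and map_stmt_print now print the set reference and then `nft_print(octx, "{ ");` with no separating space, so the listed form comes out as `add @blackhole{ ip saddr timeout 1m }` rather than the `add @blackhole { ... }` shown in the commit message and the doc hunk, unless expr_print() of the set reference emits a trailing space, which nothing here suggests. The scanner probably still splits `@blackhole{` at the brace, but `nft list ruleset` output is what operators copy back into rulesets and should match the documented syntax; change both calls to `nft_print(octx, " { ");`. A round-trip test that a rule using each statement reloads from its own listing unchanged would catch this class of mismatch.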