struct set_stmt {
struct expr *set;
struct expr *key;
+ struct stmt *stmt;
enum nft_dynset_ops op;
};
struct expr *set;
struct expr *key;
struct expr *data;
+ struct stmt *stmt;
enum nft_dynset_ops op;
};
if (stmt->set.key->comment != NULL)
return expr_error(ctx->msgs, stmt->set.key,
"Key expression comments are not supported");
+ if (stmt->set.stmt) {
+ if (stmt_evaluate(ctx, stmt->set.stmt) < 0)
+ return -1;
+ if (!(stmt->set.stmt->flags & STMT_F_STATEFUL))
+ return stmt_binary_error(ctx, stmt->set.stmt, stmt,
+ "meter statement must be stateful");
+ }
return 0;
}
if (stmt->map.data->comment != NULL)
return expr_error(ctx->msgs, stmt->map.data,
"Data expression comments are not supported");
+ if (stmt->map.stmt) {
+ if (stmt_evaluate(ctx, stmt->map.stmt) < 0)
+ return -1;
+ if (!(stmt->map.stmt->flags & STMT_F_STATEFUL))
+ return stmt_binary_error(ctx, stmt->map.stmt, stmt,
+ "meter statement must be stateful");
+ }
return 0;
}
nft_print(octx, " expires ");
time_print(expr->expiration, octx);
}
- if (expr->comment)
- nft_print(octx, " comment \"%s\"", expr->comment);
-
if (expr->stmt) {
- nft_print(octx, " : ");
+ nft_print(octx, " ");
stmt_print(expr->stmt, octx);
}
+ if (expr->comment)
+ nft_print(octx, " comment \"%s\"", expr->comment);
}
static void set_elem_expr_destroy(struct expr *expr)
expr_data = netlink_get_register(ctx, loc, sreg_data);
}
- if (dstmt != NULL) {
- stmt = meter_stmt_alloc(loc);
- stmt->meter.set = set_ref_expr_alloc(loc, set);
- stmt->meter.key = expr;
- stmt->meter.stmt = dstmt;
- stmt->meter.size = set->desc.size;
- } else if (expr_data != NULL) {
+ if (expr_data != NULL) {
stmt = map_stmt_alloc(loc);
stmt->map.set = set_ref_expr_alloc(loc, set);
stmt->map.key = expr;
stmt->map.data = expr_data;
+ stmt->map.stmt = dstmt;
stmt->map.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP);
} else {
- stmt = set_stmt_alloc(loc);
- stmt->set.set = set_ref_expr_alloc(loc, set);
- stmt->set.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP);
- stmt->set.key = expr;
+ if (dstmt != NULL && set->flags & NFT_SET_ANONYMOUS) {
+ stmt = meter_stmt_alloc(loc);
+ stmt->meter.set = set_ref_expr_alloc(loc, set);
+ stmt->meter.key = expr;
+ stmt->meter.stmt = dstmt;
+ stmt->meter.size = set->desc.size;
+ } else {
+ stmt = set_stmt_alloc(loc);
+ stmt->set.set = set_ref_expr_alloc(loc, set);
+ stmt->set.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP);
+ stmt->set.key = expr;
+ stmt->set.stmt = dstmt;
+ }
}
ctx->stmt = stmt;
nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name);
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
nftnl_rule_add_expr(ctx->nlr, nle);
+
+ if (stmt->set.stmt)
+ nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
+ netlink_gen_stmt_stateful(ctx, stmt->set.stmt), 0);
}
static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name);
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
+ if (stmt->map.stmt)
+ nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
+ netlink_gen_stmt_stateful(ctx, stmt->map.stmt), 0);
+
nftnl_rule_add_expr(ctx->nlr, nle);
}
%destructor { stmt_list_free($$); xfree($$); } stmt_list
%type <stmt> stmt match_stmt verdict_stmt
%destructor { stmt_free($$); } stmt match_stmt verdict_stmt
-%type <stmt> counter_stmt counter_stmt_alloc
-%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc
+%type <stmt> counter_stmt counter_stmt_alloc stateful_stmt
+%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc stateful_stmt
%type <stmt> payload_stmt
%destructor { stmt_free($$); } payload_stmt
%type <stmt> ct_stmt
}
;
+stateful_stmt : counter_stmt
+ | limit_stmt
+ | quota_stmt
+ | connlimit_stmt
+ ;
+
stmt : verdict_stmt
| match_stmt
| meter_stmt
- | connlimit_stmt
- | counter_stmt
| payload_stmt
+ | stateful_stmt
| meta_stmt
| log_stmt
- | limit_stmt
- | quota_stmt
| reject_stmt
| nat_stmt
| tproxy_stmt
$$->set.key = $4;
$$->set.set = $2;
}
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt stateful_stmt '}'
+ {
+ $$ = set_stmt_alloc(&@$);
+ $$->set.op = $1;
+ $$->set.key = $4;
+ $$->set.set = $2;
+ $$->set.stmt = $5;
+ }
;
set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
$$->map.data = $6;
$$->map.set = $2;
}
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt stateful_stmt COLON set_elem_expr_stmt '}'
+ {
+ $$ = map_stmt_alloc(&@$);
+ $$->map.op = $1;
+ $$->map.key = $4;
+ $$->map.data = $7;
+ $$->map.stmt = $5;
+ $$->map.set = $2;
+ }
;
meter_stmt : flow_stmt_legacy_alloc flow_stmt_opts '{' meter_key_expr stmt '}'
const char *type;
uint32_t flags;
- if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
- type = "map";
- else if (set->flags & NFT_SET_EVAL)
+ if ((set->flags & (NFT_SET_EVAL | NFT_SET_ANONYMOUS)) ==
+ (NFT_SET_EVAL | NFT_SET_ANONYMOUS))
type = "meter";
+ else if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
+ type = "map";
else
type = "set";
expr_print(stmt->set.set, octx);
nft_print(octx, " { ");
expr_print(stmt->set.key, octx);
+ if (stmt->set.stmt) {
+ nft_print(octx, " ");
+ octx->stateless++;
+ stmt_print(stmt->set.stmt, octx);
+ octx->stateless--;
+ }
nft_print(octx, " }");
}
expr_print(stmt->map.set, octx);
nft_print(octx, " { ");
expr_print(stmt->map.key, octx);
+ if (stmt->map.stmt) {
+ nft_print(octx, " ");
+ octx->stateless++;
+ stmt_print(stmt->map.stmt, octx);
+ octx->stateless--;
+ }
nft_print(octx, " : ");
expr_print(stmt->map.data, octx);
nft_print(octx, " }");
projects / thirdparty / nftables.git / commitdiff
