[PATCH nft] src: revisit syntax to update sets and maps from packet path


 



For sets, we allow this:

	nft add rule x y ip protocol tcp update @y { ip saddr}

For maps:

table ip nftlb {
        map persistencia {
            type ipv4_addr : mark
            timeout 1h
            elements = { 192.168.1.132 expires 59m55s : 0x00000064,
                         192.168.56.101 expires 59m24s : 0x00000065 }
        }

        chain pre {
            type nat hook prerouting priority 0; policy accept;
            update @persistencia \
                { @nh,96,32 : numgen inc mod 2 offset 100 }
        }
    }

nft --debug=netlink add rule ip nftlb pre add @persistencia \
        { ip saddr : numgen inc mod 2 offset 100 }

More compact and it doesn't get confused with a simple map update
command (interesting that bison didn't spew any conflict error).

Former syntax for sets is preserved.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/parser_bison.y       | 11 +++++++++--
 src/statement.c          | 12 +++++++-----
 tests/shell/run-tests.sh |  6 +++++-
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index bdf2fb491736..9c143832eed6 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2713,18 +2713,25 @@ set_stmt		:	SET	set_stmt_op	set_elem_expr_stmt	symbol_expr
 				$$->set.key = $3;
 				$$->set.set = $4;
 			}
+			|	set_stmt_op	symbol_expr	'{' set_elem_expr_stmt	'}'
+			{
+				$$ = set_stmt_alloc(&@$);
+				$$->set.op  = $1;
+				$$->set.key = $4;
+				$$->set.set = $2;
+			}
 			;
 
 set_stmt_op		:	ADD	{ $$ = NFT_DYNSET_OP_ADD; }
 			|	UPDATE	{ $$ = NFT_DYNSET_OP_UPDATE; }
 			;
 
-map_stmt		:	set_stmt_op	MAP '{'	set_elem_expr_stmt	COLON	set_elem_expr_stmt	'}'	symbol_expr
+map_stmt		:	set_stmt_op	symbol_expr '{'	set_elem_expr_stmt	COLON	set_elem_expr_stmt	'}'
 			{
 				$$ = map_stmt_alloc(&@$);
 				$$->map.op  = $1;
 				$$->map.map = map_expr_alloc(&@$, $4, $6);
-				$$->map.set = $8;
+				$$->map.set = $2;
 			}
 			;
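Review bot: The new `set_stmt` alternative and the rewritten `map_stmt` rule now share the prefix `set_stmt_op symbol_expr '{' set_elem_expr_stmt` and diverge only on the following token (`'}'` versus `COLON`), which is why bison can resolve them with a single token of lookahead and reports no conflict; that reasoning is not recorded anywhere and a future rule starting with the same prefix could silently change it. A comment above the new alternative such as `/* shares its prefix with map_stmt; the '}' vs COLON lookahead keeps the grammar LALR(1) */` would document this. The older `SET set_stmt_op set_elem_expr_stmt symbol_expr` alternative is kept but is no longer what set_stmt_print emits, so a `/* legacy syntax, kept for compatibility */` note there would make the intent clear. The set_stmt rule itself starts outside this hunk.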
 
diff --git a/src/statement.c b/src/statement.c
index 61ba643becc3..d495ec447dfd 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -615,10 +615,11 @@ static const char * const set_stmt_op_names[] = {
 
 static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	nft_print(octx, "set %s ", set_stmt_op_names[stmt->set.op]);
-	expr_print(stmt->set.key, octx);
-	nft_print(octx, " ");
+	nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]);
 	expr_print(stmt->set.set, octx);
+	nft_print(octx, "{ ");
+	expr_print(stmt->set.key, octx);
+	nft_print(octx, " } ");
 }
 
 static void set_stmt_destroy(struct stmt *stmt)
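Review bot: The set name and the opening brace are printed with no separator: after `nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op])` the code calls `expr_print(stmt->set.set, octx)` and then immediately `nft_print(octx, "{ ")`, so the listing comes out as `update @y{ ip saddr }` unless the set-reference printer itself ends with a space, which this hunk does not show. The same sequence is repeated in map_stmt_print in the next hunk (`expr_print(stmt->map.set, octx)` followed by `nft_print(octx, "{ ")`), where it produces `add @persistencia{ ... }` instead of the form quoted in the commit description. Changing both calls to `nft_print(octx, " { ");` yields output that round-trips through the new grammar in the readable form.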
@@ -641,12 +642,13 @@ struct stmt *set_stmt_alloc(const struct location *loc)
 
 static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	nft_print(octx, "%s map { ", set_stmt_op_names[stmt->map.op]);
+	nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]);
+	expr_print(stmt->map.set, octx);
+	nft_print(octx, "{ ");
 	expr_print(stmt->map.map->map->key, octx);
 	nft_print(octx, " : ");
 	expr_print(stmt->map.map->mappings, octx);
 	nft_print(octx, " } ");
-	expr_print(stmt->map.set, octx);
 }
 
 static void map_stmt_destroy(struct stmt *stmt)
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index 431d55590a7d..769a9f4ecb80 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -109,8 +109,12 @@ do
 		rc_spec="${POSITIVE_RET}"
 		dumppath="$(dirname ${testfile})/dumps"
 		dumpfile="${dumppath}/$(basename ${testfile}).nft"
+
+		DIFF="$(which diff)"
+		[ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+
 		if [ "$rc_got" == "${POSITIVE_RET}" ] && [ -f ${dumpfile} ]; then
-			test_output=$(${DIFF} ${dumpfile} <($NFT list ruleset) 2>&1)
+			${DIFF} ${dumpfile} <($NFT list ruleset) 2>&1
 			rc_spec=$?
 		fi
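Review bot: The two added lines `DIFF="$(which diff)"` and `[ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")` look like a debugging leftover unrelated to the syntax change: `$EXPECTED` and `$GET` are not set anywhere in this hunk, `${DIFF}` was already referenced by the removed line so it is presumably defined earlier in the script, and with `$DIFF` unquoted `[ -x $DIFF ]` succeeds when `which` finds nothing, after which the line tries to run `-u` as a command. If the preview is wanted it should at least be `[ -x "$DIFF" ] && "$DIFF" -u ...` and live inside the dump-file branch. Dropping the `test_output=$(...)` capture also sends the diff output straight to the script's stdout; if `test_output` is read later in the loop, which starts outside this hunk, that reader now sees an empty value.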
 
-- 
2.11.0



