For sets, we allow this:
nft add rule x y ip protocol tcp update @y { ip saddr}
For maps:
table ip nftlb {
map persistencia {
type ipv4_addr : mark
timeout 1h
elements = { 192.168.1.132 expires 59m55s : 0x00000064,
192.168.56.101 expires 59m24s : 0x00000065 }
}
chain pre {
type nat hook prerouting priority 0; policy accept;
update @persistencia \
{ @nh,96,32 : numgen inc mod 2 offset 100 }
}
}
nft --debug=netlink add rule ip nftlb pre add @persistencia \
{ ip saddr : numgen inc mod 2 offset 100 }
More compact and it doesn't gets it confused with a simple map update
command (interesting that bison didn't spew any conflict error).
Former syntax for sets is preserved.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/parser_bison.y | 11 +++++++++--
src/statement.c | 12 +++++++-----
tests/shell/run-tests.sh | 6 +++++-
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index bdf2fb491736..9c143832eed6 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2713,18 +2713,25 @@ set_stmt : SET set_stmt_op set_elem_expr_stmt symbol_expr
$$->set.key = $3;
$$->set.set = $4;
}
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt '}'
+ {
+ $$ = set_stmt_alloc(&@$);
+ $$->set.op = $1;
+ $$->set.key = $4;
+ $$->set.set = $2;
+ }
;
set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
| UPDATE { $$ = NFT_DYNSET_OP_UPDATE; }
;
-map_stmt : set_stmt_op MAP '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}' symbol_expr
+map_stmt : set_stmt_op symbol_expr '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}'
{
$$ = map_stmt_alloc(&@$);
$$->map.op = $1;
$$->map.map = map_expr_alloc(&@$, $4, $6);
- $$->map.set = $8;
+ $$->map.set = $2;
}
;
diff --git a/src/statement.c b/src/statement.c
index 61ba643becc3..d495ec447dfd 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -615,10 +615,11 @@ static const char * const set_stmt_op_names[] = {
static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
- nft_print(octx, "set %s ", set_stmt_op_names[stmt->set.op]);
- expr_print(stmt->set.key, octx);
- nft_print(octx, " ");
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]);
expr_print(stmt->set.set, octx);
+ nft_print(octx, "{ ");
+ expr_print(stmt->set.key, octx);
+ nft_print(octx, " } ");
}
static void set_stmt_destroy(struct stmt *stmt)
@@ -641,12 +642,13 @@ struct stmt *set_stmt_alloc(const struct location *loc)
static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
- nft_print(octx, "%s map { ", set_stmt_op_names[stmt->map.op]);
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]);
+ expr_print(stmt->map.set, octx);
+ nft_print(octx, "{ ");
expr_print(stmt->map.map->map->key, octx);
nft_print(octx, " : ");
expr_print(stmt->map.map->mappings, octx);
nft_print(octx, " } ");
- expr_print(stmt->map.set, octx);
}
static void map_stmt_destroy(struct stmt *stmt)
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index 431d55590a7d..769a9f4ecb80 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -109,8 +109,12 @@ do
rc_spec="${POSITIVE_RET}"
dumppath="$(dirname ${testfile})/dumps"
dumpfile="${dumppath}/$(basename ${testfile}).nft"
+
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+
if [ "$rc_got" == "${POSITIVE_RET}" ] && [ -f ${dumpfile} ]; then
- test_output=$(${DIFF} ${dumpfile} <($NFT list ruleset) 2>&1)
+ ${DIFF} ${dumpfile} <($NFT list ruleset) 2>&1
rc_spec=$?
fi
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
