For sets, we allow this:

nft add rule x y ip protocol tcp update @y { ip saddr}

For maps:

table ip nftlb { map persistencia { type ipv4_addr : mark timeout 1h elements = { 192.168.1.132 expires 59m55s : 0x00000064, 192.168.56.101 expires 59m24s : 0x00000065 } } chain pre { type nat hook prerouting priority 0; policy accept; update @persistencia \
{ @nh,96,32 : numgen inc mod 2 offset 100 } } }

nft --debug=netlink add rule ip nftlb pre add @persistencia \
{ ip saddr : numgen inc mod 2 offset 100 }

More compact and it doesn't gets it confused with a simple map update command (interesting that bison didn't spew any conflict error).

Former syntax for sets is preserved.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
A chunk that was not part of this slipped through.

 src/parser_bison.y | 11 +++++++++--
 src/statement.c    | 12 +++++++-----
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index bdf2fb491736..9c143832eed6 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2713,18 +2713,25 @@ set_stmt : SET set_stmt_op set_elem_expr_stmt symbol_expr
 $$->set.key = $3;
 $$->set.set = $4;
 }
+ | set_stmt_op symbol_expr '{' set_elem_expr_stmt '}'
+ {
+ $$ = set_stmt_alloc(&@$);
+ $$->set.op = $1;
+ $$->set.key = $4;
+ $$->set.set = $2;
+ }
 ;
 set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; }
 | UPDATE { $$ = NFT_DYNSET_OP_UPDATE; }
 ;
-map_stmt : set_stmt_op MAP '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}' symbol_expr
+map_stmt : set_stmt_op symbol_expr '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}'
 {
 $$ = map_stmt_alloc(&@$);
 $$->map.op = $1;
 $$->map.map = map_expr_alloc(&@$, $4, $6);
- $$->map.set = $8;
+ $$->map.set = $2;
 }
 ;
diff --git a/src/statement.c b/src/statement.c
index 61ba643becc3..d495ec447dfd 100644
--- a/src/statement.c
+++ b/src/statement.c
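Review bot: The new `set_stmt` alternative and the rewritten `map_stmt` now share the prefix `set_stmt_op symbol_expr '{' set_elem_expr_stmt` and are told apart only by the next token (`'}'` versus `COLON`), which is why bison stays conflict-free with one token of lookahead, but that reasoning is recorded nowhere in the grammar. A comment on `map_stmt` such as `/* same prefix as the set_stmt form above; disambiguated by COLON vs '}' */` would keep a later change to either rule from silently introducing a conflict. The first `set_stmt` alternative (`SET set_stmt_op set_elem_expr_stmt symbol_expr`, whose action starts before this hunk) is kept only for input compatibility per the commit message while set_stmt_print in src/statement.c emits the new form, so marking it `/* legacy syntax, kept for input compatibility; listing uses the form below */` would make that intent visible. The two `set_stmt` actions are identical except for the `$n` positions, which a small shared helper could fold together, though that is optional.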
@@ -615,10 +615,11 @@ static const char * const set_stmt_op_names[] = {
 static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
- nft_print(octx, "set %s ", set_stmt_op_names[stmt->set.op]);
- expr_print(stmt->set.key, octx);
- nft_print(octx, " ");
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]);
 expr_print(stmt->set.set, octx);
+ nft_print(octx, "{ ");
+ expr_print(stmt->set.key, octx);
+ nft_print(octx, " } ");
 }
 static void set_stmt_destroy(struct stmt *stmt)
@@ -641,12 +642,13 @@ struct stmt *set_stmt_alloc(const struct location *loc)
 static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
- nft_print(octx, "%s map { ", set_stmt_op_names[stmt->map.op]);
+ nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]);
+ expr_print(stmt->map.set, octx);
+ nft_print(octx, "{ ");
 expr_print(stmt->map.map->map->key, octx);
 nft_print(octx, " : ");
 expr_print(stmt->map.map->mappings, octx);
 nft_print(octx, " } ");
- expr_print(stmt->map.set, octx);
 }
 static void map_stmt_destroy(struct stmt *stmt)
-- 
2.11.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
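Review bot: In set_stmt_print the added `nft_print(octx, "{ ");` directly follows `expr_print(stmt->set.set, octx);` with no separator, so unless expr_print() of a set reference emits a trailing space the listing reads `update @y{ ip saddr }` rather than the `update @y { ip saddr }` form the commit message documents; `nft_print(octx, " { ");` would match it. The second hunk's map_stmt_print has the same sequence (`expr_print(stmt->map.set, octx);` then `nft_print(octx, "{ ");`) and wants the same one-character fix. Whether the lexer still splits `@y{` correctly cannot be told from this patch, and since listed rulesets are commonly fed back through the parser to restore them, the printed text should track the accepted syntax exactly; a round-trip test (list, reload, compare) covering both the set and the map statement would pin that down. Both functions are complete within their hunks.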