Hi,
This patchset adds multi-statement support for set elements. This
requires Linux kernel >= 5.11-rc1 (yet to be released by the time I'm
writing this). The following example shows how to define a dynamic set
that can be updated from the packet path with multi-statement support:
table x {
set y {
type ipv4_addr
flags dynamic
timeout 1h
limit rate 1/second counter
}
chain z {
type filter hook output priority 0;
add @y { ip daddr limit rate 1/second counter }
}
}
You might also want to use this new feature with sets:
table x {
set y {
type ipv4_addr
limit rate 1/second counter
}
chain y {
type filter hook output priority filter; policy accept;
ip daddr @y
}
}
then, add elements to this set:
nft add element x y { 192.168.120.234 limit rate 1/second counter }
I'll follow up with a patch to update the test infrastructure to cover
this new feature.
Pablo Neira Ayuso (2):
src: add support for multi-statement in dynamic sets and maps
src: add set element multi-statement support
include/expression.h | 2 +-
include/list.h | 7 +++
include/rule.h | 2 +-
include/statement.h | 4 +-
src/evaluate.c | 82 +++++++++++++++++++++---------
src/expression.c | 18 +++++--
src/json.c | 10 ++--
src/mnl.c | 17 +++++--
src/netlink.c | 69 +++++++++++++++++++++++--
src/netlink_delinearize.c | 74 ++++++++++++++++++++++-----
src/netlink_linearize.c | 41 ++++++++++++---
src/parser_bison.y | 104 ++++++++++++++++++++++++--------------
src/rule.c | 24 +++++++--
src/segtree.c | 6 +--
src/statement.c | 34 ++++++++++---
15 files changed, 373 insertions(+), 121 deletions(-)
--
2.20.1
