* [PATCH nft 1/2] parser: fix typo
@ 2017-08-23 20:42 Pablo M. Bermudo Garay
From: Pablo M. Bermudo Garay @ 2017-08-23 20:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, Pablo M. Bermudo Garay
Separator was misspelled as "seperator" in a symbol name.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---
src/parser_bison.y | 74 +++++++++++++++++++++++++++---------------------------
1 file changed, 37 insertions(+), 37 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 18be53e..ca86df5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -699,7 +699,7 @@ input : /* empty */
}
;
-stmt_seperator : NEWLINE
+stmt_separator : NEWLINE
| SEMICOLON
;
@@ -707,7 +707,7 @@ opt_newline : NEWLINE
| /* empty */
;
-common_block : INCLUDE QUOTED_STRING stmt_seperator
+common_block : INCLUDE QUOTED_STRING stmt_separator
{
if (scanner_include_file(scanner, $2, &@$) < 0) {
xfree($2);
@@ -715,7 +715,7 @@ common_block : INCLUDE QUOTED_STRING stmt_seperator
}
xfree($2);
}
- | DEFINE identifier '=' initializer_expr stmt_seperator
+ | DEFINE identifier '=' initializer_expr stmt_separator
{
struct scope *scope = current_scope(state);
@@ -728,7 +728,7 @@ common_block : INCLUDE QUOTED_STRING stmt_seperator
symbol_bind(scope, $2, $4);
xfree($2);
}
- | error stmt_seperator
+ | error stmt_separator
{
if (++state->nerrs == max_errors)
YYABORT;
@@ -737,8 +737,8 @@ common_block : INCLUDE QUOTED_STRING stmt_seperator
;
line : common_block { $$ = NULL; }
- | stmt_seperator { $$ = NULL; }
- | base_cmd stmt_seperator { $$ = $1; }
+ | stmt_separator { $$ = NULL; }
+ | base_cmd stmt_separator { $$ = $1; }
| base_cmd TOKEN_EOF
{
/*
@@ -851,7 +851,7 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, &@$, $3);
}
- | CT STRING obj_spec ct_obj_alloc '{' ct_block '}' stmt_seperator
+ | CT STRING obj_spec ct_obj_alloc '{' ct_block '}' stmt_separator
{
struct error_record *erec;
int type;
@@ -930,7 +930,7 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_QUOTA, &$2, &@$, $3);
}
- | CT STRING obj_spec ct_obj_alloc '{' ct_block '}' stmt_seperator
+ | CT STRING obj_spec ct_obj_alloc '{' ct_block '}' stmt_separator
{
struct error_record *erec;
int type;
@@ -1238,11 +1238,11 @@ table_options : FLAGS STRING
table_block : /* empty */ { $$ = $<table>-1; }
| table_block common_block
- | table_block stmt_seperator
- | table_block table_options stmt_seperator
+ | table_block stmt_separator
+ | table_block table_options stmt_separator
| table_block CHAIN chain_identifier
chain_block_alloc '{' chain_block '}'
- stmt_seperator
+ stmt_separator
{
$4->location = @3;
handle_merge(&$4->handle, &$3);
@@ -1253,7 +1253,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block SET set_identifier
set_block_alloc '{' set_block '}'
- stmt_seperator
+ stmt_separator
{
$4->location = @3;
handle_merge(&$4->handle, &$3);
@@ -1263,7 +1263,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block MAP set_identifier
map_block_alloc '{' map_block '}'
- stmt_seperator
+ stmt_separator
{
$4->location = @3;
handle_merge(&$4->handle, &$3);
@@ -1273,7 +1273,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block COUNTER obj_identifier
obj_block_alloc '{' counter_block '}'
- stmt_seperator
+ stmt_separator
{
$4->location = @3;
$4->type = NFT_OBJECT_COUNTER;
@@ -1284,7 +1284,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
}
| table_block QUOTA obj_identifier
obj_block_alloc '{' quota_block '}'
- stmt_seperator
+ stmt_separator
{
$4->location = @3;
$4->type = NFT_OBJECT_QUOTA;
@@ -1293,7 +1293,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
list_add_tail(&$4->list, &$1->objs);
$$ = $1;
}
- | table_block CT ct_obj_kind obj_identifier obj_block_alloc '{' ct_block '}' stmt_seperator
+ | table_block CT ct_obj_kind obj_identifier obj_block_alloc '{' ct_block '}' stmt_separator
{
struct error_record *erec;
int type;
@@ -1322,10 +1322,10 @@ chain_block_alloc : /* empty */
chain_block : /* empty */ { $$ = $<chain>-1; }
| chain_block common_block
- | chain_block stmt_seperator
- | chain_block hook_spec stmt_seperator
- | chain_block policy_spec stmt_seperator
- | chain_block rule stmt_seperator
+ | chain_block stmt_separator
+ | chain_block hook_spec stmt_separator
+ | chain_block policy_spec stmt_separator
+ | chain_block rule stmt_separator
{
list_add_tail(&$2->list, &$1->rules);
$$ = $1;
@@ -1340,23 +1340,23 @@ set_block_alloc : /* empty */
set_block : /* empty */ { $$ = $<set>-1; }
| set_block common_block
- | set_block stmt_seperator
- | set_block TYPE data_type stmt_seperator
+ | set_block stmt_separator
+ | set_block TYPE data_type stmt_separator
{
$1->keytype = $3;
$$ = $1;
}
- | set_block FLAGS set_flag_list stmt_seperator
+ | set_block FLAGS set_flag_list stmt_separator
{
$1->flags = $3;
$$ = $1;
}
- | set_block TIMEOUT time_spec stmt_seperator
+ | set_block TIMEOUT time_spec stmt_separator
{
$1->timeout = $3 * 1000;
$$ = $1;
}
- | set_block GC_INTERVAL time_spec stmt_seperator
+ | set_block GC_INTERVAL time_spec stmt_separator
{
$1->gc_int = $3 * 1000;
$$ = $1;
@@ -1366,7 +1366,7 @@ set_block : /* empty */ { $$ = $<set>-1; }
$1->init = $4;
$$ = $1;
}
- | set_block set_mechanism stmt_seperator
+ | set_block set_mechanism stmt_separator
;
set_block_expr : set_expr
@@ -1393,10 +1393,10 @@ map_block_alloc : /* empty */
map_block : /* empty */ { $$ = $<set>-1; }
| map_block common_block
- | map_block stmt_seperator
+ | map_block stmt_separator
| map_block TYPE
data_type COLON data_type
- stmt_seperator
+ stmt_separator
{
$1->keytype = $3;
$1->datatype = $5;
@@ -1405,7 +1405,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
}
| map_block TYPE
data_type COLON COUNTER
- stmt_seperator
+ stmt_separator
{
$1->keytype = $3;
$1->objtype = NFT_OBJECT_COUNTER;
@@ -1414,14 +1414,14 @@ map_block : /* empty */ { $$ = $<set>-1; }
}
| map_block TYPE
data_type COLON QUOTA
- stmt_seperator
+ stmt_separator
{
$1->keytype = $3;
$1->objtype = NFT_OBJECT_QUOTA;
$1->flags |= NFT_SET_OBJECT;
$$ = $1;
}
- | map_block FLAGS set_flag_list stmt_seperator
+ | map_block FLAGS set_flag_list stmt_separator
{
$1->flags |= $3;
$$ = $1;
@@ -1431,7 +1431,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
$1->init = $4;
$$ = $1;
}
- | map_block set_mechanism stmt_seperator
+ | map_block set_mechanism stmt_separator
;
set_mechanism : POLICY set_policy_spec
@@ -1489,7 +1489,7 @@ obj_block_alloc : /* empty */
counter_block : /* empty */ { $$ = $<obj>-1; }
| counter_block common_block
- | counter_block stmt_seperator
+ | counter_block stmt_separator
| counter_block counter_config
{
$1->counter = *$2;
@@ -1499,7 +1499,7 @@ counter_block : /* empty */ { $$ = $<obj>-1; }
quota_block : /* empty */ { $$ = $<obj>-1; }
| quota_block common_block
- | quota_block stmt_seperator
+ | quota_block stmt_separator
| quota_block quota_config
{
$1->quota = *$2;
@@ -1509,7 +1509,7 @@ quota_block : /* empty */ { $$ = $<obj>-1; }
ct_block : /* empty */ { $$ = $<obj>-1; }
| ct_block common_block
- | ct_block stmt_seperator
+ | ct_block stmt_separator
| ct_block ct_config
{
$$ = $1;
@@ -2717,7 +2717,7 @@ ct_l4protoname : TCP { $$ = IPPROTO_TCP; }
| UDP { $$ = IPPROTO_UDP; }
;
-ct_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_seperator
+ct_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_separator
{
struct ct_helper *ct;
int ret;
@@ -2732,7 +2732,7 @@ ct_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_seperator
ct->l4proto = $4;
}
- | L3PROTOCOL family_spec_explicit stmt_seperator
+ | L3PROTOCOL family_spec_explicit stmt_separator
{
$<obj>0->ct_helper.l3proto = $2;
}
--
2.14.1
* [PATCH nft 2/2] src: limit stateful object support
From: Pablo M. Bermudo Garay @ 2017-08-23 20:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, Pablo M. Bermudo Garay
This patch adds support for a new type of stateful object: limit.
Creation, deletion and listing operations are supported.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---
include/linux/netfilter/nf_tables.h | 3 +-
include/rule.h | 13 +++++
include/statement.h | 1 +
src/evaluate.c | 5 ++
src/netlink.c | 19 +++++++
src/parser_bison.y | 101 ++++++++++++++++++++++++++++++++++--
src/rule.c | 43 ++++++++++++++-
src/scanner.l | 1 +
src/statement.c | 3 +-
9 files changed, 183 insertions(+), 6 deletions(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 5441b19..f328944 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1278,7 +1278,8 @@ enum nft_ct_helper_attributes {
#define NFT_OBJECT_COUNTER 1
#define NFT_OBJECT_QUOTA 2
#define NFT_OBJECT_CT_HELPER 3
-#define __NFT_OBJECT_MAX 4
+#define NFT_OBJECT_LIMIT 4
+#define __NFT_OBJECT_MAX 5
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
/**
diff --git a/include/rule.h b/include/rule.h
index 10ac0e2..94f7bb5 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -272,6 +272,14 @@ struct ct_helper {
uint8_t l4proto;
};
+struct limit {
+ uint64_t rate;
+ uint64_t unit;
+ uint32_t burst;
+ uint32_t type;
+ uint32_t flags;
+};
+
/**
* struct obj - nftables stateful object statement
*
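Review bot: `struct limit` is added to rule.h without the kernel-doc comment that `struct obj` directly below it carries, so a reader has to dig through the parser actions to learn what `rate`, `unit`, `type` and `flags` hold. I'd add a `/** struct limit - limit stateful object ... */` block above it documenting, from what the rest of the series shows: `@rate` is the rate in packets or bytes depending on `@type`, `@unit` is the time unit in seconds (get_unit() maps 1 to "second"), `@burst` is the burst size in the same units as `@rate`, `@type` is `NFT_LIMIT_PKTS` or `NFT_LIMIT_PKT_BYTES`, and `@flags` carries `NFT_LIMIT_F_*` bits such as `NFT_LIMIT_F_INV`. The 32-bit widths of `burst`, `type` and `flags` match the `nftnl_obj_set_u32` calls in the netlink.c hunk, which is worth stating so nobody widens them later.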
@@ -291,6 +299,7 @@ struct obj {
struct counter counter;
struct quota quota;
struct ct_helper ct_helper;
+ struct limit limit;
};
};
@@ -357,6 +366,8 @@ enum cmd_ops {
* @CMD_OBJ_COUNTERS: multiple counters
* @CMD_OBJ_QUOTA: quota
* @CMD_OBJ_QUOTAS: multiple quotas
+ * @CMD_OBJ_LIMIT: limit
+ * @CMD_OBJ_LIMITS: multiple limits
*/
enum cmd_obj {
CMD_OBJ_INVALID,
@@ -381,6 +392,8 @@ enum cmd_obj {
CMD_OBJ_QUOTAS,
CMD_OBJ_CT_HELPER,
CMD_OBJ_CT_HELPERS,
+ CMD_OBJ_LIMIT,
+ CMD_OBJ_LIMITS,
};
struct export {
diff --git a/include/statement.h b/include/statement.h
index 6d8aaa8..2f702c3 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -325,5 +325,6 @@ extern void stmt_list_free(struct list_head *list);
extern void stmt_print(const struct stmt *stmt, struct output_ctx *octx);
const char *get_rate(uint64_t byte_rate, uint64_t *rate);
+const char *get_unit(uint64_t u);
#endif /* NFTABLES_STATEMENT_H */
diff --git a/src/evaluate.c b/src/evaluate.c
index 3989d5e..a92a66d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2997,6 +2997,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
+ case CMD_OBJ_LIMIT:
return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
@@ -3022,6 +3023,7 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
+ case CMD_OBJ_LIMIT:
return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
@@ -3111,9 +3113,12 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_COUNTER);
case CMD_OBJ_CT_HELPER:
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_CT_HELPER);
+ case CMD_OBJ_LIMIT:
+ return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
case CMD_OBJ_CT_HELPERS:
+ case CMD_OBJ_LIMITS:
case CMD_OBJ_SETS:
if (cmd->handle.table == NULL)
return 0;
diff --git a/src/netlink.c b/src/netlink.c
index f6eb08f..a165809 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -328,6 +328,13 @@ alloc_nftnl_obj(const struct handle *h, struct obj *obj)
nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO,
obj->ct_helper.l3proto);
break;
+ case NFT_OBJECT_LIMIT:
+ nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_RATE, obj->limit.rate);
+ nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_UNIT, obj->limit.unit);
+ nftnl_obj_set_u32(nlo, NFTNL_OBJ_LIMIT_BURST, obj->limit.burst);
+ nftnl_obj_set_u32(nlo, NFTNL_OBJ_LIMIT_TYPE, obj->limit.type);
+ nftnl_obj_set_u32(nlo, NFTNL_OBJ_LIMIT_FLAGS, obj->limit.flags);
+ break;
default:
BUG("Unknown type %d\n", obj->type);
break;
@@ -1743,6 +1750,18 @@ static struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
obj->ct_helper.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO);
obj->ct_helper.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO);
break;
+ case NFT_OBJECT_LIMIT:
+ obj->limit.rate =
+ nftnl_obj_get_u64(nlo, NFTNL_OBJ_LIMIT_RATE);
+ obj->limit.unit =
+ nftnl_obj_get_u64(nlo, NFTNL_OBJ_LIMIT_UNIT);
+ obj->limit.burst =
+ nftnl_obj_get_u32(nlo, NFTNL_OBJ_LIMIT_BURST);
+ obj->limit.type =
+ nftnl_obj_get_u32(nlo, NFTNL_OBJ_LIMIT_TYPE);
+ obj->limit.flags =
+ nftnl_obj_get_u32(nlo, NFTNL_OBJ_LIMIT_FLAGS);
+ break;
}
obj->type = type;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ca86df5..e410298 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -142,6 +142,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
struct counter *counter;
struct quota *quota;
struct ct *ct;
+ struct limit *limit;
const struct datatype *datatype;
struct handle_spec handle_spec;
struct position_spec position_spec;
@@ -393,6 +394,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token COUNTERS "counters"
%token QUOTAS "quotas"
+%token LIMITS "limits"
%token LOG "log"
%token PREFIX "prefix"
@@ -501,7 +503,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <set> map_block_alloc map_block
%destructor { set_free($$); } map_block_alloc
-%type <obj> obj_block_alloc counter_block quota_block ct_block
+%type <obj> obj_block_alloc counter_block quota_block ct_block limit_block
%destructor { obj_free($$); } obj_block_alloc
%type <list> stmt_list
@@ -589,8 +591,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <expr> and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
%destructor { expr_free($$); } and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
-%type <obj> counter_obj quota_obj ct_obj_alloc
-%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc
+%type <obj> counter_obj quota_obj ct_obj_alloc limit_obj
+%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc limit_obj
%type <expr> relational_expr
%destructor { expr_free($$); } relational_expr
@@ -661,6 +663,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%destructor { xfree($$); } counter_config
%type <quota> quota_config
%destructor { xfree($$); } quota_config
+%type <limit> limit_config
+%destructor { xfree($$); } limit_config
%type <expr> tcp_hdr_expr
%destructor { expr_free($$); } tcp_hdr_expr
@@ -864,6 +868,10 @@ add_cmd : TABLE table_spec
$$ = cmd_alloc_obj_ct(CMD_ADD, type, &$3, &@$, $4);
}
+ | LIMIT obj_spec limit_obj
+ {
+ $$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
+ }
;
replace_cmd : RULE ruleid_spec rule
@@ -943,6 +951,10 @@ create_cmd : TABLE table_spec
$$ = cmd_alloc_obj_ct(CMD_CREATE, type, &$3, &@$, $4);
}
+ | LIMIT obj_spec limit_obj
+ {
+ $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
+ }
;
insert_cmd : RULE rule_position rule
@@ -996,6 +1008,10 @@ delete_cmd : TABLE table_spec
$$ = cmd_alloc_obj_ct(CMD_DELETE, type, &$3, &@$, $4);
}
+ | LIMIT obj_spec
+ {
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_LIMIT, &$2, &@$, NULL);
+ }
;
list_cmd : TABLE table_spec
@@ -1050,6 +1066,18 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
+ | LIMITS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMITS, &$2, &@$, NULL);
+ }
+ | LIMITS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMITS, &$3, &@$, NULL);
+ }
+ | LIMIT obj_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMIT, &$2, &@$, NULL);
+ }
| RULESET ruleset_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_RULESET, &$2, &@$, NULL);
@@ -1311,6 +1339,17 @@ table_block : /* empty */ { $$ = $<table>-1; }
list_add_tail(&$5->list, &$1->objs);
$$ = $1;
}
+ | table_block LIMIT obj_identifier
+ obj_block_alloc '{' limit_block '}'
+ stmt_separator
+ {
+ $4->location = @3;
+ $4->type = NFT_OBJECT_LIMIT;
+ handle_merge(&$4->handle, &$3);
+ handle_free(&$3);
+ list_add_tail(&$4->list, &$1->objs);
+ $$ = $1;
+ }
;
chain_block_alloc : /* empty */
@@ -1516,6 +1555,15 @@ ct_block : /* empty */ { $$ = $<obj>-1; }
}
;
+limit_block : /* empty */ { $$ = $<obj>-1; }
+ | limit_block common_block
+ | limit_block stmt_separator
+ | limit_block limit_config
+ {
+ $1->limit = *$2;
+ $$ = $1;
+ }
+ ;
type_identifier : STRING { $$ = $1; }
| MARK { $$ = xstrdup("mark"); }
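Review bot: `$1->limit = *$2;` in the `limit_block limit_config` action copies the `struct limit` that `limit_config` allocates with `xzalloc` (in the later `limit_config`/`limit_obj` hunk of this file) but never frees `$2`, so each parsed limit block leaks one allocation; the `%destructor { xfree($$); } limit_config` declaration only runs on error recovery, not on a normal reduction. The same drop happens in `limit_obj`, where `$$->limit = *$1;` copies and then discards the pointer. This mirrors how the existing `counter_block`/`quota_block` rules treat `counter_config`/`quota_config`, so it may be an accepted pattern in this parser, but the fix is one line per action: `xfree($2);` after the copy here and `xfree($1);` after the copy in `limit_obj`.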
@@ -1989,6 +2037,12 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
$$->limit.type = NFT_LIMIT_PKT_BYTES;
$$->limit.flags = $3;
}
+ | LIMIT NAME stmt_expr
+ {
+ $$ = objref_stmt_alloc(&@$);
+ $$->objref.type = NFT_OBJECT_LIMIT;
+ $$->objref.expr = $3;
+ }
;
quota_mode : OVER { $$ = NFT_QUOTA_F_INV; }
@@ -2745,6 +2799,47 @@ ct_obj_alloc :
}
;
+limit_config : RATE limit_mode NUM SLASH time_unit limit_burst
+ {
+ struct limit *limit;
+ limit = xzalloc(sizeof(*limit));
+ limit->rate = $3;
+ limit->unit = $5;
+ limit->burst = $6;
+ limit->type = NFT_LIMIT_PKTS;
+ limit->flags = $2;
+ $$ = limit;
+ }
+ | RATE limit_mode NUM STRING limit_burst
+ {
+ struct limit *limit;
+ struct error_record *erec;
+ uint64_t rate, unit;
+
+ erec = rate_parse(&@$, $4, &rate, &unit);
+ if (erec != NULL) {
+ erec_queue(erec, state->msgs);
+ YYERROR;
+ }
+
+ limit = xzalloc(sizeof(*limit));
+ limit->rate = rate * $3;
+ limit->unit = unit;
+ limit->burst = $5;
+ limit->type = NFT_LIMIT_PKT_BYTES;
+ limit->flags = $2;
+ $$ = limit;
+ }
+ ;
+
+limit_obj : limit_config
+ {
+ $$ = obj_alloc(&@$);
+ $$->type = NFT_OBJECT_LIMIT;
+ $$->limit = *$1;
+ }
+ ;
+
relational_expr : expr /* implicit */ rhs_expr
{
$$ = relational_expr_alloc(&@$, OP_IMPLICIT, $1, $2);
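Review bot: `limit->rate = rate * $3;` in the byte-rate alternative of `limit_config` multiplies two `uint64_t` values with no overflow check, so a large NUM silently wraps to a rate far smaller than the one written, and the resulting object enforces a different policy than the ruleset text says with no error reported. The packet-rate alternative stores `$3` as-is, so only the byte form is affected; assuming NUM carries a `uint64_t` as the assignment suggests, a guard before the `xzalloc` such as `if (rate && $3 > UINT64_MAX / rate) { erec_queue(error(&@$, "rate overflows"), state->msgs); YYERROR; }` rejects the input instead. The existing `limit_stmt` rule, which is outside this hunk, presumably builds its rate the same way, so a shared helper would keep the two in step.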
diff --git a/src/rule.c b/src/rule.c
index ef12bec..ae973bd 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -959,6 +959,7 @@ void cmd_free(struct cmd *cmd)
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
+ case CMD_OBJ_LIMIT:
obj_free(cmd->object);
break;
default:
@@ -1046,6 +1047,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
+ case CMD_OBJ_LIMIT:
return netlink_add_obj(ctx, &cmd->handle, cmd->object, flags);
default:
BUG("invalid command object type %u\n", cmd->obj);
@@ -1132,6 +1134,9 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_CT_HELPER:
return netlink_delete_obj(ctx, &cmd->handle, &cmd->location,
NFT_OBJECT_CT_HELPER);
+ case CMD_OBJ_LIMIT:
+ return netlink_delete_obj(ctx, &cmd->handle, &cmd->location,
+ NFT_OBJECT_LIMIT);
default:
BUG("invalid command object type %u\n", cmd->obj);
}
@@ -1292,6 +1297,37 @@ static void obj_print_data(const struct obj *obj,
printf("\t\tl3proto %s", family2str(obj->ct_helper.l3proto));
break;
}
+ case NFT_OBJECT_LIMIT: {
+ bool inv = obj->limit.flags & NFT_LIMIT_F_INV;
+ const char *data_unit;
+ uint64_t rate;
+
+ printf(" %s {%s%s%s", obj->handle.obj,
+ opts->nl, opts->tab, opts->tab);
+ switch (obj->limit.type) {
+ case NFT_LIMIT_PKTS:
+ printf("limit rate %s%" PRIu64 "/%s",
+ inv ? "over " : "", obj->limit.rate,
+ get_unit(obj->limit.unit));
+ if (obj->limit.burst > 0)
+ printf(" burst %u packets", obj->limit.burst);
+ break;
+ case NFT_LIMIT_PKT_BYTES:
+ data_unit = get_rate(obj->limit.rate, &rate);
+
+ printf("limit rate %s%" PRIu64 " %s/%s",
+ inv ? "over " : "", rate, data_unit,
+ get_unit(obj->limit.unit));
+ if (obj->limit.burst > 0) {
+ uint64_t burst;
+
+ data_unit = get_rate(obj->limit.burst, &burst);
+ printf(" burst %"PRIu64" %s", burst, data_unit);
+ }
+ break;
+ }
+ }
+ break;
default:
printf("unknown {%s", opts->nl);
break;
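Review bot: the inner `switch (obj->limit.type)` added in `obj_print_data` has no `default:` branch, so an object whose type is neither `NFT_LIMIT_PKTS` nor `NFT_LIMIT_PKT_BYTES` (a value from a newer kernel, for instance) prints the object name and opening brace and nothing else, leaving the listed ruleset silently incomplete rather than visibly wrong. Mirroring the outer switch's `default:` with `default: printf("unknown limit type %" PRIu32, obj->limit.type); break;` keeps the output self-describing. Separately, `printf(" burst %u packets", obj->limit.burst)` formats a `uint32_t` with `%u`, where `PRIu32` would match the `PRIu64` usage two lines above. obj_print_data begins outside the hunk.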
@@ -1302,11 +1338,12 @@ static const char *obj_type_name_array[] = {
[NFT_OBJECT_COUNTER] = "counter",
[NFT_OBJECT_QUOTA] = "quota",
[NFT_OBJECT_CT_HELPER] = "",
+ [NFT_OBJECT_LIMIT] = "limit",
};
const char *obj_type_name(enum stmt_types type)
{
- assert(type <= NFT_OBJECT_CT_HELPER && obj_type_name_array[type]);
+ assert(type <= NFT_OBJECT_MAX && obj_type_name_array[type]);
return obj_type_name_array[type];
}
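Review bot: the assert in `obj_type_name` now bounds `type` by `NFT_OBJECT_MAX`, but `obj_type_name_array` (declared just above the hunk as `[]`) is sized by its highest designated index, not by `NFT_OBJECT_MAX + 1`. The two coincide today only because `NFT_OBJECT_LIMIT` is the last value; the next object type added to nf_tables.h without a matching entry here would let the assert pass while `obj_type_name_array[type]` reads past the array. `obj_type_cmd_array` in the following hunk is sized `[NFT_OBJECT_MAX + 1]`; declaring this table the same way, `static const char *obj_type_name_array[NFT_OBJECT_MAX + 1] = {`, makes the bound real, and the unset slot is then NULL, which the second half of the assert already catches.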
@@ -1315,6 +1352,7 @@ static uint32_t obj_type_cmd_array[NFT_OBJECT_MAX + 1] = {
[NFT_OBJECT_COUNTER] = CMD_OBJ_COUNTER,
[NFT_OBJECT_QUOTA] = CMD_OBJ_QUOTA,
[NFT_OBJECT_CT_HELPER] = CMD_OBJ_CT_HELPER,
+ [NFT_OBJECT_LIMIT] = CMD_OBJ_LIMIT,
};
uint32_t obj_type_to_cmd(uint32_t type)
@@ -1546,6 +1584,9 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_CT_HELPER:
case CMD_OBJ_CT_HELPERS:
return do_list_obj(ctx, cmd, NFT_OBJECT_CT_HELPER);
+ case CMD_OBJ_LIMIT:
+ case CMD_OBJ_LIMITS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
default:
BUG("invalid command object type %u\n", cmd->obj);
}
diff --git a/src/scanner.l b/src/scanner.l
index b6ba32d..ef424e4 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -300,6 +300,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"counters" { return COUNTERS; }
"quotas" { return QUOTAS; }
+"limits" { return LIMITS; }
"log" { return LOG; }
"prefix" { return PREFIX; }
diff --git a/src/statement.c b/src/statement.c
index 58f8aaf..0b2c28b 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -175,6 +175,7 @@ static const char *objref_type[NFT_OBJECT_MAX + 1] = {
[NFT_OBJECT_COUNTER] = "counter",
[NFT_OBJECT_QUOTA] = "quota",
[NFT_OBJECT_CT_HELPER] = "cthelper",
+ [NFT_OBJECT_LIMIT] = "limit",
};
static const char *objref_type_name(uint32_t type)
@@ -286,7 +287,7 @@ struct stmt *log_stmt_alloc(const struct location *loc)
return stmt_alloc(loc, &log_stmt_ops);
}
-static const char *get_unit(uint64_t u)
+const char *get_unit(uint64_t u)
{
switch (u) {
case 1: return "second";
--
2.14.1
* Re: [PATCH nft 2/2] src: limit stateful object support
From: Pablo M. Bermudo Garay @ 2017-08-23 21:06 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
Maybe the commit title is confusing, since "limit" reads as the usual
imperative verb rather than as a noun.
Pablo, should I resend the patches with a better title?
* Re: [PATCH nft 2/2] src: limit stateful object support
From: Pablo Neira Ayuso @ 2017-08-23 21:51 UTC (permalink / raw)
To: Pablo M. Bermudo Garay; +Cc: netfilter-devel
On Wed, Aug 23, 2017 at 11:06:14PM +0200, Pablo M. Bermudo Garay wrote:
> Maybe the commit title is confusing, since "limit" seems the typical
> imperative mood instead of a noun.
>
> Pablo, should I resend the patches with a better title?
No - unless I find anything more relevant that triggers a v2 - I can
mangle it here. Please tell me what title you want and I'll mangle
this before applying.
Thanks.
* Re: [PATCH nft 1/2] parser: fix typo
From: Pablo Neira Ayuso @ 2017-08-23 22:24 UTC (permalink / raw)
To: Pablo M. Bermudo Garay; +Cc: netfilter-devel
On Wed, Aug 23, 2017 at 10:42:55PM +0200, Pablo M. Bermudo Garay wrote:
> Separator was misspelled as "seperator" in a symbol name.
Applied this one, thanks!
* Re: [PATCH nft 2/2] src: limit stateful object support
From: Pablo M. Bermudo Garay @ 2017-08-24 9:20 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
2017-08-23 23:51 GMT+02:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Wed, Aug 23, 2017 at 11:06:14PM +0200, Pablo M. Bermudo Garay wrote:
>> Maybe the commit title is confusing, since "limit" seems the typical
>> imperative mood instead of a noun.
>>
>> Pablo, should I resend the patches with a better title?
>
> No - unless I find anything more relevant that triggers a v2 - I can
> mangle it here. Please tell me what title you want and I'll mangle
> this before applying.
>
> Thanks.
I think that something like "src: add stateful object support for
limit" is fine for both libnftnl and nft commits.
Thanks.