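# Drop IPv4 traffic from a list of source addresses using an nftables set.
# The family is spelled out as "ip" on every command (nft defaults to the ip
# family when it is omitted, so this matches the original commands); the
# backslash keeps the shell from treating ';' as a command separator.
# Assumes table "filter" and a base chain "input" already exist in the ip
# family; this only covers IPv4 (type ipv4_addr) — an ip6 equivalent with a
# separate ipv6_addr set is needed to blackhole IPv6 sources as well.
nft add set ip filter blackhole { type ipv4_addr\; }
nft add element ip filter blackhole { 192.168.1.4, 192.168.1.5 }
# The rule must reference the table that holds the set: the argument order is
# family, table, chain. The original "ip input ip saddr ..." omitted the table,
# so it either targets a non-existent table "ip" or parses "ip" as the chain.
nft add rule ip filter input ip saddr @blackhole drop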
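/**
 * enum nft_dynset_attributes - dynset expression attributes
 *
 * @NFTA_DYNSET_SET_NAME: name of the set to add data to (NLA_STRING)
 * @NFTA_DYNSET_SET_ID: unique identifier of the set in the transaction (NLA_U32)
 * @NFTA_DYNSET_OP: operation (NLA_U32)
 * @NFTA_DYNSET_SREG_KEY: source register of the key (NLA_U32)
 * @NFTA_DYNSET_SREG_DATA: source register of the data (NLA_U32)
 * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
 * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
 * @NFTA_DYNSET_PAD: padding attribute carrying no payload (presumably for
 *                   64-bit alignment of @NFTA_DYNSET_TIMEOUT — confirm against
 *                   the attribute policy)
 * @NFTA_DYNSET_FLAGS: flags (NLA_U32)
 * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
 *
 * The attribute numbers are netlink-visible: add new entries only directly
 * before __NFTA_DYNSET_MAX, never reorder or renumber existing ones.
 */
enum nft_dynset_attributes {
	NFTA_DYNSET_UNSPEC,
	NFTA_DYNSET_SET_NAME,
	NFTA_DYNSET_SET_ID,
	NFTA_DYNSET_OP,
	NFTA_DYNSET_SREG_KEY,
	NFTA_DYNSET_SREG_DATA,
	NFTA_DYNSET_TIMEOUT,
	NFTA_DYNSET_EXPR,
	NFTA_DYNSET_PAD,
	NFTA_DYNSET_FLAGS,
	NFTA_DYNSET_EXPRESSIONS,
	__NFTA_DYNSET_MAX,
};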
/**
 * struct nft_set_type - nf_tables set type
 *
 * @ops: set ops for this type; embedded by value and const, so the
 *       operation table of a type cannot be modified once defined
 * @features: features supported by the implementation (presumably a
 *            bitmask of set feature flags — confirm against users of
 *            this field)
 */
struct nft_set_type {
	const struct nft_set_ops	ops;
	u32				features;
};
/**
 * struct nft_set_desc - description of set elements
 *
 * @klen: key length
 * @dlen: data length
 * @size: number of set elements
 * @field_len: length of each field in concatenation, bytes
 * @field_count: number of concatenated fields in element; used as the bound
 *               when iterating @field_len, so it must never exceed
 *               NFT_REG32_COUNT — whoever fills it in (presumably from
 *               netlink input) is responsible for rejecting larger values
 *               before the descriptor is consumed
 * @expr: whether the set must support expressions
 */
struct nft_set_desc {
	unsigned int		klen;
	unsigned int		dlen;
	unsigned int		size;
	u8			field_len[NFT_REG32_COUNT];
	u8			field_count;
	bool			expr;
};
for (i = 0, entry_size = 0; i < desc->field_count; i++) { unsignedlong rules;
if (desc->field_len[i] > NFT_PIPAPO_MAX_BYTES) return0;
/* Worst-case ranges for each concatenated field: each n-bit * field can expand to up to n * 2 rules in each bucket, and * each rule also needs a mapping bucket. */ rules = ilog2(desc->field_len[i] * BITS_PER_BYTE) * 2; entry_size += rules * NFT_PIPAPO_BUCKETS(NFT_PIPAPO_GROUP_BITS_INIT) / BITS_PER_BYTE; entry_size += rules * sizeof(union nft_pipapo_map_bucket); }
/* Rules in lookup and mapping tables are needed for each entry */ size = desc->size * entry_size; if (size && div_u64(size, desc->size) != entry_size) return0;