|
 |
b59ec1 |
From 7cb1f51b1791434fa513b516e416a18d27ad1eb9 Mon Sep 17 00:00:00 2001
|
|
|
b59ec1 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
b59ec1 |
Date: Fri, 17 Feb 2023 17:52:16 +0100
|
|
|
b59ec1 |
Subject: [PATCH] netlink_linearize: fix timeout with map updates
|
|
|
b59ec1 |
|
|
|
b59ec1 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2094894
|
|
|
b59ec1 |
Upstream Status: nftables commit 284c038ef4c69
|
|
|
b59ec1 |
|
|
|
b59ec1 |
commit 284c038ef4c69d042ef91272d90c143019ecea1f
|
|
|
b59ec1 |
Author: Florian Westphal <fw@strlen.de>
|
|
|
b59ec1 |
Date: Mon Dec 12 11:04:35 2022 +0100
|
|
|
b59ec1 |
|
|
|
b59ec1 |
netlink_linearize: fix timeout with map updates
|
|
|
b59ec1 |
|
|
|
b59ec1 |
Map updates can use timeouts, just like with sets, but the
|
|
|
b59ec1 |
linearization step did not pass this info to the kernel.
|
|
|
b59ec1 |
|
|
|
b59ec1 |
meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport
|
|
|
b59ec1 |
|
|
|
b59ec1 |
Listing this won't show the "timeout 90s" because kernel never saw it to
|
|
|
b59ec1 |
begin with.
|
|
|
b59ec1 |
|
|
|
b59ec1 |
Also update evaluation step to reject a timeout that was set on
|
|
|
b59ec1 |
the data part: Timeouts are only allowed for the key-value pair
|
|
|
b59ec1 |
as a whole.
|
|
|
b59ec1 |
|
|
|
b59ec1 |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
b59ec1 |
|
|
|
b59ec1 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
b59ec1 |
---
|
|
|
b59ec1 |
src/evaluate.c | 3 +++
|
|
|
b59ec1 |
src/netlink_linearize.c | 4 ++++
|
|
|
b59ec1 |
2 files changed, 7 insertions(+)
|
|
|
b59ec1 |
|
|
|
b59ec1 |
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
|
b59ec1 |
index 7f81411..6d0a0f5 100644
|
|
|
b59ec1 |
--- a/src/evaluate.c
|
|
|
b59ec1 |
+++ b/src/evaluate.c
|
|
|
b59ec1 |
@@ -3858,6 +3858,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
|
|
|
b59ec1 |
if (stmt->map.data->comment != NULL)
|
|
|
b59ec1 |
return expr_error(ctx->msgs, stmt->map.data,
|
|
|
b59ec1 |
"Data expression comments are not supported");
|
|
|
b59ec1 |
+ if (stmt->map.data->timeout > 0)
|
|
|
b59ec1 |
+ return expr_error(ctx->msgs, stmt->map.data,
|
|
|
b59ec1 |
+ "Data expression timeouts are not supported");
|
|
|
b59ec1 |
|
|
|
b59ec1 |
list_for_each_entry(this, &stmt->map.stmt_list, list) {
|
|
|
b59ec1 |
if (stmt_evaluate(ctx, this) < 0)
|
|
|
b59ec1 |
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
|
|
|
b59ec1 |
index c8bbcb7..6de0a96 100644
|
|
|
b59ec1 |
--- a/src/netlink_linearize.c
|
|
|
b59ec1 |
+++ b/src/netlink_linearize.c
|
|
|
b59ec1 |
@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
|
|
|
b59ec1 |
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
|
|
|
b59ec1 |
nft_rule_add_expr(ctx, nle, &stmt->location);
|
|
|
b59ec1 |
|
|
|
b59ec1 |
+ if (stmt->map.key->timeout > 0)
|
|
|
b59ec1 |
+ nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT,
|
|
|
b59ec1 |
+ stmt->map.key->timeout);
|
|
|
b59ec1 |
+
|
|
|
b59ec1 |
list_for_each_entry(this, &stmt->map.stmt_list, list)
|
|
|
b59ec1 |
num_stmts++;
|
|
|
b59ec1 |
|
|
|
b59ec1 |
--
|
|
|
b59ec1 |
2.39.2
|
|
|
b59ec1 |
|