|
 |
8ff5ad |
From 0db42cc2d2647ec61441e29445c9f6e0f8946613 Mon Sep 17 00:00:00 2001
|
|
|
8ff5ad |
From: Phil Sutter <psutter@redhat.com>
|
|
|
8ff5ad |
Date: Thu, 13 Jan 2022 20:37:56 +0100
|
|
|
8ff5ad |
Subject: [PATCH] src: support for restoring element counters
|
|
|
8ff5ad |
|
|
|
8ff5ad |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594
|
|
|
8ff5ad |
Upstream Status: nftables commit 1fe6089ddd87e
|
|
|
8ff5ad |
|
|
|
8ff5ad |
commit 1fe6089ddd87ee7869d24c0f8849951220cc9b85
|
|
|
8ff5ad |
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
8ff5ad |
Date: Wed Mar 11 13:00:01 2020 +0100
|
|
|
8ff5ad |
|
|
|
8ff5ad |
src: support for restoring element counters
|
|
|
8ff5ad |
|
|
|
8ff5ad |
This patch allows you to restore counters in dynamic sets:
|
|
|
8ff5ad |
|
|
|
8ff5ad |
table ip test {
|
|
|
8ff5ad |
set test {
|
|
|
8ff5ad |
type ipv4_addr
|
|
|
8ff5ad |
size 65535
|
|
|
8ff5ad |
flags dynamic,timeout
|
|
|
8ff5ad |
timeout 30d
|
|
|
8ff5ad |
gc-interval 1d
|
|
|
8ff5ad |
elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
chain output {
|
|
|
8ff5ad |
type filter hook output priority 0;
|
|
|
8ff5ad |
update @test { ip saddr }
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
|
|
|
8ff5ad |
You can also add counters to elements from the control place, ie.
|
|
|
8ff5ad |
|
|
|
8ff5ad |
table ip test {
|
|
|
8ff5ad |
set test {
|
|
|
8ff5ad |
type ipv4_addr
|
|
|
8ff5ad |
size 65535
|
|
|
8ff5ad |
elements = { 192.168.2.1 counter packets 75 bytes 19043 }
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
|
|
|
8ff5ad |
chain output {
|
|
|
8ff5ad |
type filter hook output priority filter; policy accept;
|
|
|
8ff5ad |
ip daddr @test
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
|
|
|
8ff5ad |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
8ff5ad |
---
|
|
|
8ff5ad |
include/netlink.h | 1 +
|
|
|
8ff5ad |
src/netlink.c | 3 +++
|
|
|
8ff5ad |
src/netlink_linearize.c | 2 +-
|
|
|
8ff5ad |
src/parser_bison.y | 36 +++++++++++++++++++++++++++++++++++-
|
|
|
8ff5ad |
4 files changed, 40 insertions(+), 2 deletions(-)
|
|
|
8ff5ad |
|
|
|
8ff5ad |
diff --git a/include/netlink.h b/include/netlink.h
|
|
|
8ff5ad |
index 88d12ba..059092e 100644
|
|
|
8ff5ad |
--- a/include/netlink.h
|
|
|
8ff5ad |
+++ b/include/netlink.h
|
|
|
8ff5ad |
@@ -97,6 +97,7 @@ extern void netlink_gen_data(const struct expr *expr,
|
|
|
8ff5ad |
extern void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder,
|
|
|
8ff5ad |
unsigned int len,
|
|
|
8ff5ad |
struct nft_data_linearize *data);
|
|
|
8ff5ad |
+extern struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt);
|
|
|
8ff5ad |
|
|
|
8ff5ad |
extern struct expr *netlink_alloc_value(const struct location *loc,
|
|
|
8ff5ad |
const struct nft_data_delinearize *nld);
|
|
|
8ff5ad |
diff --git a/src/netlink.c b/src/netlink.c
|
|
|
8ff5ad |
index 64e51e5..825c2cc 100644
|
|
|
8ff5ad |
--- a/src/netlink.c
|
|
|
8ff5ad |
+++ b/src/netlink.c
|
|
|
8ff5ad |
@@ -136,6 +136,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
|
|
|
8ff5ad |
if (elem->expiration)
|
|
|
8ff5ad |
nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION,
|
|
|
8ff5ad |
elem->expiration);
|
|
|
8ff5ad |
+ if (elem->stmt)
|
|
|
8ff5ad |
+ nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR,
|
|
|
8ff5ad |
+ netlink_gen_stmt_stateful(elem->stmt), 0);
|
|
|
8ff5ad |
if (elem->comment || expr->elem_flags) {
|
|
|
8ff5ad |
udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
|
|
|
8ff5ad |
if (!udbuf)
|
|
|
8ff5ad |
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
|
|
|
8ff5ad |
index f5c6116..3fa1339 100644
|
|
|
8ff5ad |
--- a/src/netlink_linearize.c
|
|
|
8ff5ad |
+++ b/src/netlink_linearize.c
|
|
|
8ff5ad |
@@ -838,7 +838,7 @@ static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt)
|
|
|
8ff5ad |
return nle;
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
|
|
|
8ff5ad |
-static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
|
|
|
8ff5ad |
+struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
|
|
|
8ff5ad |
{
|
|
|
8ff5ad |
switch (stmt->ops->type) {
|
|
|
8ff5ad |
case STMT_CONNLIMIT:
|
|
|
8ff5ad |
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
|
|
8ff5ad |
index d38ec30..2cdf8ec 100644
|
|
|
8ff5ad |
--- a/src/parser_bison.y
|
|
|
8ff5ad |
+++ b/src/parser_bison.y
|
|
|
8ff5ad |
@@ -3654,7 +3654,7 @@ meter_key_expr_alloc : concat_expr
|
|
|
8ff5ad |
;
|
|
|
8ff5ad |
|
|
|
8ff5ad |
set_elem_expr : set_elem_expr_alloc
|
|
|
8ff5ad |
- | set_elem_expr_alloc set_elem_options
|
|
|
8ff5ad |
+ | set_elem_expr_alloc set_elem_expr_options
|
|
|
8ff5ad |
;
|
|
|
8ff5ad |
|
|
|
8ff5ad |
set_elem_expr_alloc : set_lhs_expr
|
|
|
8ff5ad |
@@ -3684,6 +3684,40 @@ set_elem_option : TIMEOUT time_spec
|
|
|
8ff5ad |
}
|
|
|
8ff5ad |
;
|
|
|
8ff5ad |
|
|
|
8ff5ad |
+set_elem_expr_options : set_elem_expr_option
|
|
|
8ff5ad |
+ {
|
|
|
8ff5ad |
+ $<expr>$ = $<expr>0;
|
|
|
8ff5ad |
+ }
|
|
|
8ff5ad |
+ | set_elem_expr_options set_elem_expr_option
|
|
|
8ff5ad |
+ ;
|
|
|
8ff5ad |
+
|
|
|
8ff5ad |
+set_elem_expr_option : TIMEOUT time_spec
|
|
|
8ff5ad |
+ {
|
|
|
8ff5ad |
+ $<expr>0->timeout = $2;
|
|
|
8ff5ad |
+ }
|
|
|
8ff5ad |
+ | EXPIRES time_spec
|
|
|
8ff5ad |
+ {
|
|
|
8ff5ad |
+ $<expr>0->expiration = $2;
|
|
|
8ff5ad |
+ }
|
|
|
8ff5ad |
+ | COUNTER
|
|
|
8ff5ad |
+ {
|
|
|
8ff5ad |
+ $<expr>0->stmt = counter_stmt_alloc(&@$);
|
|
|
8ff5ad |
+ }
|
|
|
8ff5ad |
+ | COUNTER PACKETS NUM BYTES NUM
|
|
|
8ff5ad |
+ {
|
|
|
8ff5ad |
+ struct stmt *stmt;
|
|
|
8ff5ad |
+
|
|
|
8ff5ad |
+ stmt = counter_stmt_alloc(&@$);
|
|
|
8ff5ad |
+ stmt->counter.packets = $3;
|
|
|
8ff5ad |
+ stmt->counter.bytes = $5;
|
|
|
8ff5ad |
+ $<expr>0->stmt = stmt;
|
|
|
8ff5ad |
+ }
|
|
|
8ff5ad |
+ | comment_spec
|
|
|
8ff5ad |
+ {
|
|
|
8ff5ad |
+ $<expr>0->comment = $1;
|
|
|
8ff5ad |
+ }
|
|
|
8ff5ad |
+ ;
|
|
|
8ff5ad |
+
|
|
|
8ff5ad |
set_lhs_expr : concat_rhs_expr
|
|
|
8ff5ad |
| wildcard_expr
|
|
|
8ff5ad |
;
|
|
|
8ff5ad |
--
|
|
|
8ff5ad |
2.31.1
|
|
|
8ff5ad |
|