From 0db42cc2d2647ec61441e29445c9f6e0f8946613 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 13 Jan 2022 20:37:56 +0100 Subject: [PATCH] src: support for restoring element counters Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594 Upstream Status: nftables commit 1fe6089ddd87e commit 1fe6089ddd87ee7869d24c0f8849951220cc9b85 Author: Pablo Neira Ayuso Date: Wed Mar 11 13:00:01 2020 +0100 src: support for restoring element counters This patch allows you to restore counters in dynamic sets: table ip test { set test { type ipv4_addr size 65535 flags dynamic,timeout timeout 30d gc-interval 1d elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 } } chain output { type filter hook output priority 0; update @test { ip saddr } } } You can also add counters to elements from the control place, ie. table ip test { set test { type ipv4_addr size 65535 elements = { 192.168.2.1 counter packets 75 bytes 19043 } } chain output { type filter hook output priority filter; policy accept; ip daddr @test } } Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 1 + src/netlink.c | 3 +++ src/netlink_linearize.c | 2 +- src/parser_bison.y | 36 +++++++++++++++++++++++++++++++++++- 4 files changed, 40 insertions(+), 2 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index 88d12ba..059092e 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -97,6 +97,7 @@ extern void netlink_gen_data(const struct expr *expr, extern void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder, unsigned int len, struct nft_data_linearize *data); +extern struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt); extern struct expr *netlink_alloc_value(const struct location *loc, const struct nft_data_delinearize *nld); diff --git a/src/netlink.c b/src/netlink.c index 64e51e5..825c2cc 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -136,6 +136,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, if (elem->expiration) nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION, elem->expiration); + if (elem->stmt) + nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR, + netlink_gen_stmt_stateful(elem->stmt), 0); if (elem->comment || expr->elem_flags) { udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN); if (!udbuf) diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index f5c6116..3fa1339 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -838,7 +838,7 @@ static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt) return nle; } -static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt) +struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt) { switch (stmt->ops->type) { case STMT_CONNLIMIT: diff --git a/src/parser_bison.y b/src/parser_bison.y index d38ec30..2cdf8ec 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -3654,7 +3654,7 @@ meter_key_expr_alloc : concat_expr ; set_elem_expr : set_elem_expr_alloc - | set_elem_expr_alloc set_elem_options + | set_elem_expr_alloc set_elem_expr_options ; set_elem_expr_alloc : set_lhs_expr @@ -3684,6 +3684,40 @@ set_elem_option : TIMEOUT time_spec } ; +set_elem_expr_options : set_elem_expr_option + { + $$ = $0; + } + | set_elem_expr_options set_elem_expr_option + ; + +set_elem_expr_option : TIMEOUT time_spec + { + $0->timeout = $2; + } + | EXPIRES time_spec + { + $0->expiration = $2; + } + | COUNTER + { + $0->stmt = counter_stmt_alloc(&@$); + } + | COUNTER PACKETS NUM BYTES NUM + { + struct stmt *stmt; + + stmt = counter_stmt_alloc(&@$); + stmt->counter.packets = $3; + stmt->counter.bytes = $5; + $0->stmt = stmt; + } + | comment_spec + { + $0->comment = $1; + } + ; + set_lhs_expr : concat_rhs_expr | wildcard_expr ; -- 2.31.1