diff options
| author | Florian Westphal <fw@strlen.de> | 2023-08-02 17:47:14 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2023-08-03 13:06:19 +0200 |
| commit | 5c25c5a35cbd27911d233efd01efcb9be35c85af (patch) | |
| tree | 8aa679c74461357dec26e930ee476b86d24668c3 | |
| parent | a8260c056a69aaca33d6604079ebac3d07d2551c (diff) | |
parser: allow ct timeouts to use time_spec values
For some reason the parser only allows raw numbers (seconds)
for ct timeouts, e.g.
ct timeout ttcp {
protocol tcp;
policy = { syn_sent : 3, ...
Also permit time_spec, e.g. "established : 5d".
Print the nicer time formats on output, but retain
raw numbers support on input for compatibility.
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | doc/stateful-objects.txt | 2 | ||||
| -rw-r--r-- | src/parser_bison.y | 10 | ||||
| -rw-r--r-- | src/rule.c | 9 | ||||
| -rwxr-xr-x | tests/shell/testcases/listing/0013objects_0 | 2 | ||||
| -rw-r--r-- | tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft | 2 |
5 files changed, 16 insertions, 9 deletions
diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index e3c79220..00d3c5f1 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt @@ -94,7 +94,7 @@ table ip filter { ct timeout customtimeout { protocol tcp; l3proto ip - policy = { established: 120, close: 20 } + policy = { established: 2m, close: 20s } } chain output { diff --git a/src/parser_bison.y b/src/parser_bison.y index ef5011c1..36172713 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -673,7 +673,7 @@ int nft_lex(void *, void *, void *); %type <string> identifier type_identifier string comment_spec %destructor { xfree($$); } identifier type_identifier string comment_spec -%type <val> time_spec quota_used +%type <val> time_spec time_spec_or_num_s quota_used %type <expr> data_type_expr data_type_atom_expr %destructor { expr_free($$); } data_type_expr data_type_atom_expr @@ -2790,6 +2790,11 @@ time_spec : STRING } ; +/* compatibility kludge to allow either 60, 60s, 1m, ... */ +time_spec_or_num_s : NUM + | time_spec { $$ = $1 / 1000u; } + ; + family_spec : /* empty */ { $$ = NFPROTO_IPV4; } | family_spec_explicit ; @@ -4812,8 +4817,7 @@ timeout_states : timeout_state } ; -timeout_state : STRING COLON NUM - +timeout_state : STRING COLON time_spec_or_num_s { struct timeout_state *ts; @@ -1684,11 +1684,14 @@ static void print_proto_timeout_policy(uint8_t l4, const uint32_t *timeout, nft_print(octx, "%s%spolicy = { ", opts->tab, opts->tab); for (i = 0; i < timeout_protocol[l4].array_size; i++) { if (timeout[i] != timeout_protocol[l4].dflt_timeout[i]) { + uint64_t timeout_ms; + if (comma) nft_print(octx, ", "); - nft_print(octx, "%s : %u", - timeout_protocol[l4].state_to_name[i], - timeout[i]); + timeout_ms = timeout[i] * 1000u; + nft_print(octx, "%s : ", + timeout_protocol[l4].state_to_name[i]); + time_print(timeout_ms, octx); comma = true; } } diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0 index 4d39143d..c81b94e2 100755 --- a/tests/shell/testcases/listing/0013objects_0 +++ b/tests/shell/testcases/listing/0013objects_0 @@ -15,7 +15,7 @@ EXPECTED="table ip test { ct timeout cttime { protocol udp l3proto ip - policy = { unreplied : 15, replied : 12 } + policy = { unreplied : 15s, replied : 12s } } ct expectation ctexpect { diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft index 7cff1ed5..c5d9649e 100644 --- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft +++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft @@ -2,7 +2,7 @@ table ip filter { ct timeout cttime { protocol tcp l3proto ip - policy = { established : 123, close : 12 } + policy = { established : 2m3s, close : 12s } } chain c { |