author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-03-11 13:00:01 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-03-18 19:10:02 +0100 |
commit | 1fe6089ddd87ee7869d24c0f8849951220cc9b85 (patch) | |
tree | 5d46d6d74efac46d27e0605c1b50cb7ac08620db /src | |
parent | 3f3e897f429659ff6c8387245d0d4115952a6c31 (diff) |
src: support for restoring element counters
This patch allows you to restore counters in dynamic sets:
table ip test {
set test {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 30d
gc-interval 1d
elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
}
chain output {
type filter hook output priority 0;
update @test { ip saddr }
}
}
You can also add counters to elements from the control plane, i.e.
table ip test {
set test {
type ipv4_addr
size 65535
elements = { 192.168.2.1 counter packets 75 bytes 19043 }
}
chain output {
type filter hook output priority filter; policy accept;
ip daddr @test
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/netlink.c | 3 | ||||
-rw-r--r-- | src/netlink_linearize.c | 2 | ||||
-rw-r--r-- | src/parser_bison.y | 36 |
3 files changed, 39 insertions, 2 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 671923f3..e10af564 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -138,6 +138,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
if (elem->expiration)
nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION,
elem->expiration);
+ if (elem->stmt)
+ nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR,
+ netlink_gen_stmt_stateful(elem->stmt), 0);
if (elem->comment || expr->elem_flags) {
udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
if (!udbuf)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 5b3c43c6..e70e63b3 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -880,7 +880,7 @@ static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt)
return nle;
}

-static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
+struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
{
switch (stmt->ops->type) {
case STMT_CONNLIMIT:
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 26ce4e08..3d65d208 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3671,7 +3671,7 @@ meter_key_expr_alloc : concat_expr
;

set_elem_expr : set_elem_expr_alloc
- | set_elem_expr_alloc set_elem_options
+ | set_elem_expr_alloc set_elem_expr_options
;

set_elem_expr_alloc : set_lhs_expr
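Review bot: The new `if (elem->stmt)` branch in alloc_nftnl_setelem attaches an NFTNL_SET_ELEM_EXPR to any element that carries a statement, but nothing in this hunk checks that the enclosing set can accept a per-element stateful expression, so a kernel that rejects the attribute, or a counter placed on a set that does not support it, would surface only as a generic netlink error for the whole batch. If that validation is not already done at evaluation time elsewhere, an explicit error from the evaluator would be friendlier than a failed commit. The result of `netlink_gen_stmt_stateful(elem->stmt)` is passed straight to nftnl_set_elem_set() without a NULL check; whether that function can return NULL for an unexpected statement type is not visible here, since its body is cut off in the next hunk. alloc_nftnl_setelem starts before this hunk and continues past it.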
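Review bot: Dropping `static` from `netlink_gen_stmt_stateful()` exports it for the new call in src/netlink.c, yet no header change appears in this src-limited diffstat; unless a prototype was added under include/ (outside this view), netlink.c compiles against an implicit declaration, which is an error in C99 and later and drops the const-pointer parameter type. I would add `struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt);` to the header netlink.c already includes for the linearizer's declarations, and a one-line comment above the definition noting that set element restore in netlink.c depends on it. The function body continues past the end of the hunk.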
@@ -3701,6 +3701,40 @@ set_elem_option : TIMEOUT time_spec
}
;

+set_elem_expr_options : set_elem_expr_option
+ {
+ $<expr>$ = $<expr>0;
+ }
+ | set_elem_expr_options set_elem_expr_option
+ ;
+
+set_elem_expr_option : TIMEOUT time_spec
+ {
+ $<expr>0->timeout = $2;
+ }
+ | EXPIRES time_spec
+ {
+ $<expr>0->expiration = $2;
+ }
+ | COUNTER
+ {
+ $<expr>0->stmt = counter_stmt_alloc(&@$);
+ }
+ | COUNTER PACKETS NUM BYTES NUM
+ {
+ struct stmt *stmt;
+
+ stmt = counter_stmt_alloc(&@$);
+ stmt->counter.packets = $3;
+ stmt->counter.bytes = $5;
+ $<expr>0->stmt = stmt;
+ }
+ | comment_spec
+ {
+ $<expr>0->comment = $1;
+ }
+ ;
+
set_lhs_expr : concat_rhs_expr
| wildcard_expr
; |
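Review bot: The `COUNTER` and `COUNTER PACKETS NUM BYTES NUM` actions in set_elem_expr_option assign `$<expr>0->stmt` unconditionally, while the left-recursive `set_elem_expr_options` rule lets an element repeat any option, so an input such as `counter counter packets 1 bytes 2` silently leaks the first counter_stmt_alloc() result and keeps the last one (the `comment_spec` alternative overwrites `->comment` the same way). I would reject the duplicate in both counter actions before allocating, e.g. `if ($<expr>0->stmt) { erec_queue(error(&@$, "duplicate counter"), state->msgs); YYERROR; }`, assuming the file's usual erec_queue/YYERROR error pattern is available at this point in the grammar. Separately, the TIMEOUT, EXPIRES and comment_spec alternatives duplicate what `set_elem_option` (visible in the hunk header) appears to still provide on the other path; if both rules must stay, a comment above set_elem_expr_option explaining why they diverge would help the next reader.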