From a55ca1a24b7b216144dc737f621fb68f4a924e38 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 24 Aug 2018 09:52:22 +0200
Subject: src: integrate stateful expressions into sets and maps

The following example shows how to populate a set from the packet path
using the destination IP address, for each entry there is a counter. The
entry expires after the 1 hour timeout if no packets matching this entry
are seen.

 table ip x {
        set xyz {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 1h
        }

        chain y {
                type filter hook output priority filter; policy accept;
                update @xyz { ip daddr counter } counter
        }
 }

Similar example, that creates a mapping better IP address and mark,
where the mark is assigned using an incremental sequence generator from
0 to 1 inclusive.

 table ip x {
        map xyz {
                type ipv4_addr : mark
                size 65535
                flags dynamic,timeout
                timeout 1h
        }

        chain y {
                type filter hook input priority filter; policy accept;
                update @xyz { ip saddr counter : numgen inc mod 2 }
        }
 }

Supported stateful statements are: limit, quota, counter and connlimit.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_linearize.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/netlink_linearize.c')

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 821fcd0a..0bd946a1 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1269,6 +1269,10 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
 	nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name);
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
 	nftnl_rule_add_expr(ctx->nlr, nle);
+
+	if (stmt->set.stmt)
+		nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
+			       netlink_gen_stmt_stateful(ctx, stmt->set.stmt), 0);
 }
 
 static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
@@ -1296,6 +1300,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
 	nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name);
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
 
+	if (stmt->map.stmt)
+		nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
+			       netlink_gen_stmt_stateful(ctx, stmt->map.stmt), 0);
+
 	nftnl_rule_add_expr(ctx->nlr, nle);
 }
 
-- 
cgit v1.2.3