From 87908ff7a12c969ca21338ab7ed27ed93a9b09c3 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sat, 11 Apr 2015 14:54:19 +0100 Subject: datatype: fix parsing of time type Properly detect time strings in the lexer without quotation marks. Signed-off-by: Patrick McHardy --- src/datatype.c | 4 ---- src/scanner.l | 7 +++++++ 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/datatype.c b/src/datatype.c index c93f76a3..0772b507 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -775,8 +775,6 @@ static void time_type_print(const struct expr *expr) minutes = seconds / 60; seconds %= 60; - printf("\""); - if (days > 0) printf("%"PRIu64"d", days); if (hours > 0) @@ -785,8 +783,6 @@ static void time_type_print(const struct expr *expr) printf("%"PRIu64"m", minutes); if (seconds > 0) printf("%"PRIu64"s", seconds); - - printf("\""); } enum { diff --git a/src/scanner.l b/src/scanner.l index 73c4f8b1..27d95bfc 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -117,6 +117,8 @@ quotedstring \"[^"]*\" comment #.*$ slash \/ +timestring ([0-9]+d)?([0-9]+h)?([0-9]+m)?([0-9]+s)? + hex4 ([[:xdigit:]]{1,4}) v680 (({hex4}:){7}{hex4}) v670 ((:)((:{hex4}){7})) @@ -457,6 +459,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) return STRING; } +{timestring} { + yylval->string = xstrdup(yytext); + return STRING; + } + {decstring} { errno = 0; yylval->val = strtoull(yytext, NULL, 0); -- cgit v1.2.3 From 262b97bd112cbaed098c7941bd452c7b16a89646 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sat, 11 Apr 2015 14:56:16 +0100 Subject: datatype: less strict time parsing Don't require hours to be in range 0-23 and minutes/seconds in range 0-59. The time_type is used for relative times where it is entirely reasonable to specify 180s instead of 3m. Signed-off-by: Patrick McHardy --- src/datatype.c | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'src') diff --git a/src/datatype.c b/src/datatype.c index 0772b507..1c837152 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -831,10 +831,6 @@ static struct error_record *time_type_parse(const struct expr *sym, } h = str2int(tmp, c, k); k = 0; - if (h > 23) { - return error(&sym->location, - "Hour needs to be 0-23"); - } mask |= HOUR; break; case 'm': @@ -844,10 +840,6 @@ static struct error_record *time_type_parse(const struct expr *sym, } m = str2int(tmp, c, k); k = 0; - if (m > 59) { - return error(&sym->location, - "Minute needs to be 0-59"); - } mask |= MIN; break; case 's': @@ -857,10 +849,6 @@ static struct error_record *time_type_parse(const struct expr *sym, } s = str2int(tmp, c, k); k = 0; - if (s > 59) { - return error(&sym->location, - "second needs to be 0-59"); - } mask |= SECS; break; default: -- cgit v1.2.3 From 0974fa84f162aecf16b4c252dcb438f7149856ab Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sat, 11 Apr 2015 15:59:44 +0100 Subject: datatype: seperate time parsing/printing from time_type Seperate relative time parsing and printing from the time_type to make it usable for set and set element time related parameters. Signed-off-by: Patrick McHardy --- src/datatype.c | 66 ++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 41 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/src/datatype.c b/src/datatype.c index 1c837152..f93337b1 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -760,11 +760,9 @@ const struct datatype icmpx_code_type = { .sym_tbl = &icmpx_code_tbl, }; -static void time_type_print(const struct expr *expr) +void time_print(uint64_t seconds) { - uint64_t days, hours, minutes, seconds; - - seconds = mpz_get_uint64(expr->value); + uint64_t days, hours, minutes; days = seconds / 86400; seconds %= 86400; @@ -801,8 +799,8 @@ static uint32_t str2int(char *tmp, const char *c, int k) return atoi(tmp); } -static struct error_record *time_type_parse(const struct expr *sym, - struct expr **res) +struct error_record *time_parse(const struct location *loc, const char *str, + uint64_t *res) { int i, len; unsigned int k = 0; @@ -811,64 +809,82 @@ static struct error_record *time_type_parse(const struct expr *sym, uint64_t d = 0, h = 0, m = 0, s = 0; uint32_t mask = 0; - c = sym->identifier; + c = str; len = strlen(c); for (i = 0; i < len; i++, c++) { switch (*c) { case 'd': - if (mask & DAY) { - return error(&sym->location, + if (mask & DAY) + return error(loc, "Day has been specified twice"); - } + d = str2int(tmp, c, k); k = 0; mask |= DAY; break; case 'h': - if (mask & HOUR) { - return error(&sym->location, + if (mask & HOUR) + return error(loc, "Hour has been specified twice"); - } + h = str2int(tmp, c, k); k = 0; mask |= HOUR; break; case 'm': - if (mask & MIN) { - return error(&sym->location, + if (mask & MIN) + return error(loc, "Minute has been specified twice"); - } + m = str2int(tmp, c, k); k = 0; mask |= MIN; break; case 's': - if (mask & SECS) { - return error(&sym->location, + if (mask & SECS) + return error(loc, "Second has been specified twice"); - } + s = str2int(tmp, c, k); k = 0; mask |= SECS; break; default: if (!isdigit(*c)) - return error(&sym->location, "wrong format"); + return error(loc, "wrong time format"); - if (k++ >= array_size(tmp)) { - return error(&sym->location, - "value too large"); - } + if (k++ >= array_size(tmp)) + return error(loc, "value too large"); break; } } /* default to seconds if no unit was specified */ if (!mask) - s = atoi(sym->identifier); + s = atoi(str); else s = 24*60*60*d+60*60*h+60*m+s; + *res = s; + return NULL; +} + + +static void time_type_print(const struct expr *expr) +{ + time_print(mpz_get_uint64(expr->value)); +} + +static struct error_record *time_type_parse(const struct expr *sym, + struct expr **res) +{ + struct error_record *erec; + uint64_t s; + + erec = time_parse(&sym->location, sym->identifier, &s); + if (erec != NULL) + return erec; + if (s > UINT32_MAX) return error(&sym->location, "value too large"); -- cgit v1.2.3 From 48587aa855a5173b4b1e94290af885000dbd679e Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sat, 11 Apr 2015 15:41:32 +0100 Subject: parser: add a time_spec rule Signed-off-by: Patrick McHardy --- src/parser_bison.y | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'src') diff --git a/src/parser_bison.y b/src/parser_bison.y index b86381d9..cd4e096a 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -396,6 +396,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %type identifier string comment_spec %destructor { xfree($$); } identifier string comment_spec +%type time_spec + %type type_identifier %type data_type @@ -1093,6 +1095,20 @@ string : STRING | QUOTED_STRING ; +time_spec : STRING + { + struct error_record *erec; + uint64_t res; + + erec = time_parse(&@1, $1, &res); + if (erec != NULL) { + erec_queue(erec, state->msgs); + YYERROR; + } + $$ = res; + } + ; + family_spec : /* empty */ { $$ = NFPROTO_IPV4; } | family_spec_explicit ; -- cgit v1.2.3 From 6aa18b5216a34a2cd29ad4a1997c37f705f76247 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Apr 2015 10:41:56 +0100 Subject: parser: fix inconsistencies in set expression rules Set keys are currently defined as a regular expr for pure sets and map_lhs_expr for maps. map_lhs_expr is what can actually be used for a single member, namely a concat_expr or a multiton_expr. The reason why pure sets use expr for the key is to allow recursive set specifications, which doesn't make sense for maps since every element needs a mapping. However, the rule is too wide and also allows map expressions as a key, which obviously doesn't make sense. Rearrange the rules so we have: set_lhs_expr: concat or multiton set_rhs_expr: concat or verdict and special case the recursive set specifications, as they deserve. Besides making it a lot easier to understand what is actually supported, this will be used by the following patch to support timeouts and comments for keys in a uniform way. Signed-off-by: Patrick McHardy --- src/parser_bison.y | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) (limited to 'src') diff --git a/src/parser_bison.y b/src/parser_bison.y index cd4e096a..c934533d 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -470,8 +470,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %destructor { expr_free($$); } prefix_expr range_expr wildcard_expr %type list_expr %destructor { expr_free($$); } list_expr -%type concat_expr map_lhs_expr -%destructor { expr_free($$); } concat_expr map_lhs_expr +%type concat_expr +%destructor { expr_free($$); } concat_expr %type map_expr %destructor { expr_free($$); } map_expr @@ -484,6 +484,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %type set_expr set_list_expr set_list_member_expr %destructor { expr_free($$); } set_expr set_list_expr set_list_member_expr +%type set_lhs_expr set_rhs_expr +%destructor { expr_free($$); } set_lhs_expr set_rhs_expr %type expr initializer_expr %destructor { expr_free($$); } expr initializer_expr @@ -1297,13 +1299,12 @@ verdict_map_list_expr : verdict_map_list_member_expr | verdict_map_list_expr COMMA opt_newline ; -verdict_map_list_member_expr: opt_newline map_lhs_expr COLON verdict_expr opt_newline +verdict_map_list_member_expr: opt_newline set_lhs_expr COLON verdict_expr opt_newline { $$ = mapping_expr_alloc(&@$, $2, $4); } ; - counter_stmt : counter_stmt_alloc | counter_stmt_alloc counter_args @@ -1718,10 +1719,6 @@ multiton_expr : prefix_expr | wildcard_expr ; -map_lhs_expr : multiton_expr - | concat_expr - ; - map_expr : concat_expr MAP expr { $$ = map_expr_alloc(&@$, $1, $3); @@ -1729,9 +1726,9 @@ map_expr : concat_expr MAP expr ; expr : concat_expr + | multiton_expr | set_expr | map_expr - | multiton_expr ; set_expr : '{' set_list_expr '}' @@ -1754,20 +1751,28 @@ set_list_expr : set_list_member_expr | set_list_expr COMMA opt_newline ; -set_list_member_expr : opt_newline expr opt_newline +set_list_member_expr : opt_newline set_expr opt_newline { $$ = $2; } - | opt_newline map_lhs_expr COLON concat_expr opt_newline + | opt_newline set_lhs_expr opt_newline { - $$ = mapping_expr_alloc(&@$, $2, $4); + $$ = $2; } - | opt_newline map_lhs_expr COLON verdict_expr opt_newline + | opt_newline set_lhs_expr COLON set_rhs_expr opt_newline { $$ = mapping_expr_alloc(&@$, $2, $4); } ; +set_lhs_expr : concat_expr + | multiton_expr + ; + +set_rhs_expr : concat_expr + | verdict_expr + ; + initializer_expr : expr | list_expr ; -- cgit v1.2.3 From 52532335290457cc449564b7e011f73bef3a83e2 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sat, 11 Apr 2015 17:02:13 +0100 Subject: expr: add set_elem_expr as container for set element attributes Add a new expression type "set_elem_expr" that is used as container for the key in order to attach different attributes, such as timeout values, to the key. The expression hierarchy is as follows: Sets: elem | key Maps: mapping / \ elem data | key Signed-off-by: Patrick McHardy --- src/evaluate.c | 15 ++++++++++++++ src/expression.c | 31 +++++++++++++++++++++++++++ src/netlink.c | 53 +++++++++++++++++++++++++++-------------------- src/netlink_delinearize.c | 3 +++ src/netlink_linearize.c | 2 ++ src/parser_bison.y | 19 ++++++++++++----- src/segtree.c | 8 +++++-- 7 files changed, 101 insertions(+), 30 deletions(-) (limited to 'src') diff --git a/src/evaluate.c b/src/evaluate.c index 7ecb7939..37db107b 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -675,6 +675,19 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr) return 0; } +static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr) +{ + struct expr *elem = *expr; + + if (expr_evaluate(ctx, &elem->key) < 0) + return -1; + + elem->dtype = elem->key->dtype; + elem->len = elem->key->len; + elem->flags = elem->key->flags; + return 0; +} + static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) { struct expr *set = *expr, *i, *next; @@ -1100,6 +1113,8 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr) return expr_evaluate_list(ctx, expr); case EXPR_SET: return expr_evaluate_set(ctx, expr); + case EXPR_SET_ELEM: + return expr_evaluate_set_elem(ctx, expr); case EXPR_MAP: return expr_evaluate_map(ctx, expr); case EXPR_MAPPING: diff --git a/src/expression.c b/src/expression.c index 5b848da7..67893968 100644 --- a/src/expression.c +++ b/src/expression.c @@ -886,6 +886,33 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set) return expr; } +static void set_elem_expr_print(const struct expr *expr) +{ + expr_print(expr->key); +} + +static void set_elem_expr_destroy(struct expr *expr) +{ + expr_free(expr->key); +} + +static const struct expr_ops set_elem_expr_ops = { + .type = EXPR_SET_ELEM, + .name = "set element", + .print = set_elem_expr_print, + .destroy = set_elem_expr_destroy, +}; + +struct expr *set_elem_expr_alloc(const struct location *loc, struct expr *key) +{ + struct expr *expr; + + expr = expr_alloc(loc, &set_elem_expr_ops, key->dtype, + key->byteorder, key->len); + expr->key = key; + return expr; +} + void range_expr_value_low(mpz_t rop, const struct expr *expr) { switch (expr->ops->type) { @@ -897,6 +924,8 @@ void range_expr_value_low(mpz_t rop, const struct expr *expr) return range_expr_value_low(rop, expr->left); case EXPR_MAPPING: return range_expr_value_low(rop, expr->left); + case EXPR_SET_ELEM: + return range_expr_value_low(rop, expr->key); default: BUG("invalid range expression type %s\n", expr->ops->name); } @@ -919,6 +948,8 @@ void range_expr_value_high(mpz_t rop, const struct expr *expr) return range_expr_value_high(rop, expr->right); case EXPR_MAPPING: return range_expr_value_high(rop, expr->left); + case EXPR_SET_ELEM: + return range_expr_value_high(rop, expr->key); default: BUG("invalid range expression type %s\n", expr->ops->name); } diff --git a/src/netlink.c b/src/netlink.c index 343d8bea..0827034e 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -205,6 +205,7 @@ struct nft_set *alloc_nft_set(const struct handle *h) static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr) { + const struct expr *elem, *key, *data; struct nft_set_elem *nlse; struct nft_data_linearize nld; @@ -212,24 +213,28 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr) if (nlse == NULL) memory_allocation_error(); - if (expr->ops->type == EXPR_VALUE || - expr->flags & EXPR_F_INTERVAL_END) { - netlink_gen_data(expr, &nld); - nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, - &nld.value, nld.len); + data = NULL; + if (expr->ops->type == EXPR_MAPPING) { + elem = expr->left; + if (!(expr->flags & EXPR_F_INTERVAL_END)) + data = expr->right; } else { - assert(expr->ops->type == EXPR_MAPPING); - netlink_gen_data(expr->left, &nld); - nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, - &nld.value, nld.len); - netlink_gen_data(expr->right, &nld); - switch (expr->right->ops->type) { + elem = expr; + } + key = elem->key; + + netlink_gen_data(key, &nld); + nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, &nld.value, nld.len); + + if (data != NULL) { + netlink_gen_data(data, &nld); + switch (data->ops->type) { case EXPR_VERDICT: nft_set_elem_attr_set_u32(nlse, NFT_SET_ELEM_ATTR_VERDICT, - expr->right->verdict); - if (expr->chain != NULL) + data->verdict); + if (data->chain != NULL) nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_CHAIN, - nld.chain, strlen(nld.chain)); + nld.chain, strlen(nld.chain)); break; case EXPR_VALUE: nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_DATA, @@ -1368,7 +1373,7 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse, struct set *set) { struct nft_data_delinearize nld; - struct expr *expr, *data; + struct expr *expr, *key, *data; uint32_t flags = 0; nld.value = @@ -1376,17 +1381,19 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse, if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_FLAGS)) flags = nft_set_elem_attr_get_u32(nlse, NFT_SET_ELEM_ATTR_FLAGS); - expr = netlink_alloc_value(&netlink_location, &nld); - expr->dtype = set->keytype; - expr->byteorder = set->keytype->byteorder; + key = netlink_alloc_value(&netlink_location, &nld); + key->dtype = set->keytype; + key->byteorder = set->keytype->byteorder; if (!(set->flags & SET_F_INTERVAL) && - expr->byteorder == BYTEORDER_HOST_ENDIAN) - mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE); + key->byteorder == BYTEORDER_HOST_ENDIAN) + mpz_switch_byteorder(key->value, key->len / BITS_PER_BYTE); + + if (key->dtype->basetype != NULL && + key->dtype->basetype->type == TYPE_BITMASK) + key = bitmask_expr_to_binops(key); - if (expr->dtype->basetype != NULL && - expr->dtype->basetype->type == TYPE_BITMASK) - expr = bitmask_expr_to_binops(expr); + expr = set_elem_expr_alloc(&netlink_location, key); if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index ec1a9646..c564a8a5 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1033,6 +1033,9 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, expr_postprocess(ctx, stmt, &expr->left); expr_postprocess(ctx, stmt, &expr->right); break; + case EXPR_SET_ELEM: + expr_postprocess(ctx, stmt, &expr->key); + break; case EXPR_SET_REF: case EXPR_EXTHDR: case EXPR_META: diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 9bef67b3..d1414c14 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -528,6 +528,8 @@ static void netlink_gen_expr(struct netlink_linearize_ctx *ctx, return netlink_gen_meta(ctx, expr, dreg); case EXPR_CT: return netlink_gen_ct(ctx, expr, dreg); + case EXPR_SET_ELEM: + return netlink_gen_expr(ctx, expr->key, dreg); default: BUG("unknown expression type %s\n", expr->ops->name); } diff --git a/src/parser_bison.y b/src/parser_bison.y index c934533d..9fbc590c 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -484,8 +484,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %type set_expr set_list_expr set_list_member_expr %destructor { expr_free($$); } set_expr set_list_expr set_list_member_expr -%type set_lhs_expr set_rhs_expr -%destructor { expr_free($$); } set_lhs_expr set_rhs_expr +%type set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr +%destructor { expr_free($$); } set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr %type expr initializer_expr %destructor { expr_free($$); } expr initializer_expr @@ -1299,7 +1299,7 @@ verdict_map_list_expr : verdict_map_list_member_expr | verdict_map_list_expr COMMA opt_newline ; -verdict_map_list_member_expr: opt_newline set_lhs_expr COLON verdict_expr opt_newline +verdict_map_list_member_expr: opt_newline set_elem_expr COLON verdict_expr opt_newline { $$ = mapping_expr_alloc(&@$, $2, $4); } @@ -1755,16 +1755,25 @@ set_list_member_expr : opt_newline set_expr opt_newline { $$ = $2; } - | opt_newline set_lhs_expr opt_newline + | opt_newline set_elem_expr opt_newline { $$ = $2; } - | opt_newline set_lhs_expr COLON set_rhs_expr opt_newline + | opt_newline set_elem_expr COLON set_rhs_expr opt_newline { $$ = mapping_expr_alloc(&@$, $2, $4); } ; +set_elem_expr : set_elem_expr_alloc + ; + +set_elem_expr_alloc : set_lhs_expr + { + $$ = set_elem_expr_alloc(&@1, $1); + } + ; + set_lhs_expr : concat_expr | multiton_expr ; diff --git a/src/segtree.c b/src/segtree.c index 65221e9d..060951c0 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -419,6 +419,7 @@ static void set_insert_interval(struct expr *set, struct seg_tree *tree, expr = constant_expr_alloc(&internal_location, tree->keytype, tree->byteorder, tree->keylen, NULL); mpz_set(expr->value, ei->left); + expr = set_elem_expr_alloc(&internal_location, expr); if (ei->expr != NULL && ei->expr->ops->type == EXPR_MAPPING) expr = mapping_expr_alloc(&ei->expr->location, expr, @@ -473,9 +474,9 @@ extern void interval_map_decompose(struct expr *set); static struct expr *expr_value(struct expr *expr) { if (expr->ops->type == EXPR_MAPPING) - return expr->left; + return expr->left->key; else - return expr; + return expr->key; } static int expr_value_cmp(const void *p1, const void *p2) @@ -565,6 +566,7 @@ void interval_map_decompose(struct expr *set) mpz_set(tmp->value, range); tmp = range_expr_alloc(&low->location, expr_value(low), tmp); + tmp = set_elem_expr_alloc(&low->location, tmp); if (low->ops->type == EXPR_MAPPING) tmp = mapping_expr_alloc(&tmp->location, tmp, low->right); @@ -576,6 +578,7 @@ void interval_map_decompose(struct expr *set) prefix_len = expr_value(i)->len - mpz_scan0(range, 0); prefix = prefix_expr_alloc(&low->location, expr_value(low), prefix_len); + prefix = set_elem_expr_alloc(&low->location, prefix); if (low->ops->type == EXPR_MAPPING) prefix = mapping_expr_alloc(&low->location, prefix, low->right); @@ -598,6 +601,7 @@ void interval_map_decompose(struct expr *set) mpz_init_bitmask(i->value, i->len); i = range_expr_alloc(&low->location, expr_value(low), i); + i = set_elem_expr_alloc(&low->location, i); if (low->ops->type == EXPR_MAPPING) i = mapping_expr_alloc(&i->location, i, low->right); -- cgit v1.2.3 From 38a077f7af8a2151b565e3cb324901b48afd299e Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Mon, 23 Mar 2015 21:34:57 +0000 Subject: set: add timeout support for sets Timeout support can be enabled in one of two ways: 1. Using a default timeout value: set test { type ipv4_addr; timeout 1h; } 2. Using the timeout flag without a default: set test { type ipv4_addr; flags timeout; } Optionally a garbage collection interval can be specified using gc-interval ; Signed-off-by: Patrick McHardy --- src/evaluate.c | 4 ++++ src/netlink.c | 10 ++++++++++ src/parser_bison.y | 13 +++++++++++++ src/rule.c | 23 ++++++++++++++++++++++- src/scanner.l | 2 ++ 5 files changed, 51 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/evaluate.c b/src/evaluate.c index 37db107b..04ca08df 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1737,6 +1737,10 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) return -1; } + /* Default timeout value implies timeout support */ + if (set->timeout) + set->flags |= SET_F_TIMEOUT; + if (!(set->flags & SET_F_MAP)) return 0; diff --git a/src/netlink.c b/src/netlink.c index 0827034e..e1d6421f 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -1068,6 +1068,11 @@ static struct set *netlink_delinearize_set(struct netlink_ctx *ctx, set->datalen = data_len * BITS_PER_BYTE; } + if (nft_set_attr_is_set(nls, NFT_SET_ATTR_TIMEOUT)) + set->timeout = nft_set_attr_get_u64(nls, NFT_SET_ATTR_TIMEOUT); + if (nft_set_attr_is_set(nls, NFT_SET_ATTR_GC_INTERVAL)) + set->gc_int = nft_set_attr_get_u32(nls, NFT_SET_ATTR_GC_INTERVAL); + if (nft_set_attr_is_set(nls, NFT_SET_ATTR_POLICY)) set->policy = nft_set_attr_get_u32(nls, NFT_SET_ATTR_POLICY); @@ -1131,6 +1136,11 @@ static int netlink_add_set_batch(struct netlink_ctx *ctx, nft_set_attr_set_u32(nls, NFT_SET_ATTR_DATA_LEN, set->datalen / BITS_PER_BYTE); } + if (set->timeout) + nft_set_attr_set_u64(nls, NFT_SET_ATTR_TIMEOUT, set->timeout); + if (set->gc_int) + nft_set_attr_set_u32(nls, NFT_SET_ATTR_GC_INTERVAL, set->gc_int); + set->handle.set_id = ++set_id; nft_set_attr_set_u32(nls, NFT_SET_ATTR_ID, set->handle.set_id); diff --git a/src/parser_bison.y b/src/parser_bison.y index 9fbc590c..80831878 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -201,6 +201,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token CONSTANT "constant" %token INTERVAL "interval" +%token TIMEOUT "timeout" +%token GC_INTERVAL "gc-interval" %token ELEMENTS "elements" %token POLICY "policy" @@ -944,6 +946,16 @@ set_block : /* empty */ { $$ = $-1; } $1->flags = $3; $$ = $1; } + | set_block TIMEOUT time_spec stmt_seperator + { + $1->timeout = $3 * 1000; + $$ = $1; + } + | set_block GC_INTERVAL time_spec stmt_seperator + { + $1->gc_int = $3 * 1000; + $$ = $1; + } | set_block ELEMENTS '=' set_expr { $1->init = $4; @@ -961,6 +973,7 @@ set_flag_list : set_flag_list COMMA set_flag set_flag : CONSTANT { $$ = SET_F_CONSTANT; } | INTERVAL { $$ = SET_F_INTERVAL; } + | TIMEOUT { $$ = SET_F_TIMEOUT; } ; map_block_alloc : /* empty */ diff --git a/src/rule.c b/src/rule.c index 71143807..b2090ddd 100644 --- a/src/rule.c +++ b/src/rule.c @@ -136,6 +136,7 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts) { const char *delim = ""; const char *type; + uint32_t flags; type = set->flags & SET_F_MAP ? "map" : "set"; printf("%s%s", opts->tab, type); @@ -167,7 +168,12 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts) } } - if (set->flags & (SET_F_CONSTANT | SET_F_INTERVAL)) { + flags = set->flags; + /* "timeout" flag is redundant if a default timeout exists */ + if (set->timeout) + flags &= ~SET_F_TIMEOUT; + + if (flags & (SET_F_CONSTANT | SET_F_INTERVAL | SET_F_TIMEOUT)) { printf("%s%sflags ", opts->tab, opts->tab); if (set->flags & SET_F_CONSTANT) { printf("%sconstant", delim); @@ -177,6 +183,21 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts) printf("%sinterval", delim); delim = ","; } + if (set->flags & SET_F_TIMEOUT) { + printf("%stimeout", delim); + delim = ","; + } + printf("%s", opts->nl); + } + + if (set->timeout) { + printf("%s%stimeout ", opts->tab, opts->tab); + time_print(set->timeout / 1000); + printf("%s", opts->nl); + } + if (set->gc_int) { + printf("%s%sgc-interval ", opts->tab, opts->tab); + time_print(set->gc_int / 1000); printf("%s", opts->nl); } diff --git a/src/scanner.l b/src/scanner.l index 27d95bfc..4231d270 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -271,6 +271,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "constant" { return CONSTANT; } "interval" { return INTERVAL; } +"timeout" { return TIMEOUT; } +"gc-interval" { return GC_INTERVAL; } "elements" { return ELEMENTS; } "policy" { return POLICY; } -- cgit v1.2.3 From 7b5248972d9f2122c7b3683ca205d3165e7a9255 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 19 Mar 2015 13:34:18 +0000 Subject: setelem: add timeout support for set elements Support specifying per element timeout values and displaying the expiration time. If an element should not use the default timeout value of the set, an element specific value can be specified as follows: # nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m} For listing of elements that use the default timeout value, just the expiration time is shown, otherwise the element specific timeout value is also displayed: set test { type ipv4_addr timeout 1h elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s} } Signed-off-by: Patrick McHardy --- src/expression.c | 8 ++++++++ src/netlink.c | 7 +++++++ src/parser_bison.y | 14 ++++++++++++++ 3 files changed, 29 insertions(+) (limited to 'src') diff --git a/src/expression.c b/src/expression.c index 67893968..2037c607 100644 --- a/src/expression.c +++ b/src/expression.c @@ -889,6 +889,14 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set) static void set_elem_expr_print(const struct expr *expr) { expr_print(expr->key); + if (expr->timeout) { + printf(" timeout "); + time_print(expr->timeout / 1000); + } + if (expr->expiration) { + printf(" expires "); + time_print(expr->expiration / 1000); + } } static void set_elem_expr_destroy(struct expr *expr) diff --git a/src/netlink.c b/src/netlink.c index e1d6421f..7d675d7f 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -225,6 +225,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr) netlink_gen_data(key, &nld); nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, &nld.value, nld.len); + if (elem->timeout) + nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT, + elem->timeout); if (data != NULL) { netlink_gen_data(data, &nld); @@ -1404,6 +1407,10 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse, key = bitmask_expr_to_binops(key); expr = set_elem_expr_alloc(&netlink_location, key); + if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_TIMEOUT)) + expr->timeout = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT); + if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION)) + expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION); if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; diff --git a/src/parser_bison.y b/src/parser_bison.y index 80831878..736704a5 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1779,6 +1779,7 @@ set_list_member_expr : opt_newline set_expr opt_newline ; set_elem_expr : set_elem_expr_alloc + | set_elem_expr_alloc set_elem_options ; set_elem_expr_alloc : set_lhs_expr @@ -1787,6 +1788,19 @@ set_elem_expr_alloc : set_lhs_expr } ; +set_elem_options : set_elem_option + { + $$ = $0; + } + | set_elem_options set_elem_option + ; + +set_elem_option : TIMEOUT time_spec + { + $0->timeout = $2 * 1000; + } + ; + set_lhs_expr : concat_expr | multiton_expr ; -- cgit v1.2.3 From 35960e1e19bfe9135e33f13615d7d403d129192b Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Fri, 20 Mar 2015 06:30:29 +0000 Subject: setelem: add support for attaching comments to set elements Syntax: # nft add element filter test { 192.168.0.1 comment "some host" } Signed-off-by: Patrick McHardy --- src/expression.c | 3 +++ src/netlink.c | 11 +++++++++++ src/parser_bison.y | 4 ++++ 3 files changed, 18 insertions(+) (limited to 'src') diff --git a/src/expression.c b/src/expression.c index 2037c607..3edc5501 100644 --- a/src/expression.c +++ b/src/expression.c @@ -897,10 +897,13 @@ static void set_elem_expr_print(const struct expr *expr) printf(" expires "); time_print(expr->expiration / 1000); } + if (expr->comment) + printf(" comment \"%s\"", expr->comment); } static void set_elem_expr_destroy(struct expr *expr) { + xfree(expr->comment); expr_free(expr->key); } diff --git a/src/netlink.c b/src/netlink.c index 7d675d7f..d31387f8 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -228,6 +228,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr) if (elem->timeout) nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT, elem->timeout); + if (elem->comment) + nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_USERDATA, + elem->comment, strlen(elem->comment) + 1); if (data != NULL) { netlink_gen_data(data, &nld); @@ -1411,6 +1414,14 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse, expr->timeout = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT); if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION)) expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION); + if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_USERDATA)) { + const void *data; + uint32_t len; + + data = nft_set_elem_attr_get(nlse, NFT_SET_ELEM_ATTR_USERDATA, &len); + expr->comment = xmalloc(len); + memcpy((char *)expr->comment, data, len); + } if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; diff --git a/src/parser_bison.y b/src/parser_bison.y index 736704a5..0f2d71a3 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1799,6 +1799,10 @@ set_elem_option : TIMEOUT time_spec { $0->timeout = $2 * 1000; } + | COMMENT string + { + $0->comment = $2; + } ; set_lhs_expr : concat_expr -- cgit v1.2.3 From a9467e55973b10c2e8fe37525514c961580f8506 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 19 Mar 2015 13:34:18 +0000 Subject: nftables: add set statemet The set statement is used to dynamically add or update elements in a set. Syntax: # nft filter input set add tcp dport @myset # nft filter input set add ip saddr timeout 10s @myset # nft filter input set update ip saddr timeout 10s @myset Signed-off-by: Patrick McHardy --- src/evaluate.c | 28 +++++++++++++++++++++++++++- src/netlink_delinearize.c | 38 ++++++++++++++++++++++++++++++++++++++ src/netlink_linearize.c | 24 ++++++++++++++++++++++++ src/parser_bison.y | 18 ++++++++++++++++++ src/scanner.l | 1 + src/statement.c | 31 +++++++++++++++++++++++++++++++ 6 files changed, 139 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/evaluate.c b/src/evaluate.c index 04ca08df..e260a803 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -614,7 +614,7 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr) struct expr *i, *next; list_for_each_entry_safe(i, next, &(*expr)->expressions, list) { - if (dtype && off == 0) + if (expr_is_constant(*expr) && dtype && off == 0) return expr_binary_error(ctx->msgs, i, *expr, "unexpected concat component, " "expecting %s", @@ -1661,6 +1661,30 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt) return 0; } +static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) +{ + expr_set_context(&ctx->ectx, NULL, 0); + if (expr_evaluate(ctx, &stmt->set.set) < 0) + return -1; + if (stmt->set.set->ops->type != EXPR_SET_REF) + return expr_error(ctx->msgs, stmt->set.set, + "Expression does not refer to a set"); + + if (stmt_evaluate_arg(ctx, stmt, + stmt->set.set->set->keytype, + stmt->set.set->set->keylen, + &stmt->set.key) < 0) + return -1; + if (expr_is_constant(stmt->set.key)) + return expr_error(ctx->msgs, stmt->set.key, + "Key expression can not be constant"); + if (stmt->set.key->comment != NULL) + return expr_error(ctx->msgs, stmt->set.key, + "Key expression comments are not supported"); + + return 0; +} + int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt) { #ifdef DEBUG @@ -1695,6 +1719,8 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt) return stmt_evaluate_redir(ctx, stmt); case STMT_QUEUE: return stmt_evaluate_queue(ctx, stmt); + case STMT_SET: + return stmt_evaluate_set(ctx, stmt); default: BUG("unknown statement type %s\n", stmt->ops->name); } diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index c564a8a5..b041579f 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -694,6 +694,40 @@ static void netlink_parse_queue(struct netlink_parse_ctx *ctx, list_add_tail(&stmt->list, &ctx->rule->stmts); } +static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, + const struct location *loc, + const struct nft_rule_expr *nle) +{ + struct expr *expr; + struct stmt *stmt; + struct set *set; + enum nft_registers sreg; + const char *name; + + name = nft_rule_expr_get_str(nle, NFT_EXPR_DYNSET_SET_NAME); + set = set_lookup(ctx->table, name); + if (set == NULL) + return netlink_error(ctx, loc, + "Unknown set '%s' in dynset statement", + name); + + sreg = netlink_parse_register(nle, NFT_EXPR_DYNSET_SREG_KEY); + expr = netlink_get_register(ctx, loc, sreg); + if (expr == NULL) + return netlink_error(ctx, loc, + "Dynset statement has no key expression"); + + expr = set_elem_expr_alloc(&expr->location, expr); + expr->timeout = nft_rule_expr_get_u64(nle, NFT_EXPR_DYNSET_TIMEOUT); + + stmt = set_stmt_alloc(loc); + stmt->set.set = set_ref_expr_alloc(loc, set); + stmt->set.op = nft_rule_expr_get_u32(nle, NFT_EXPR_DYNSET_OP); + stmt->set.key = expr; + + list_add_tail(&stmt->list, &ctx->rule->stmts); +} + static const struct { const char *name; void (*parse)(struct netlink_parse_ctx *ctx, @@ -717,6 +751,7 @@ static const struct { { .name = "masq", .parse = netlink_parse_masq }, { .name = "redir", .parse = netlink_parse_redir }, { .name = "queue", .parse = netlink_parse_queue }, + { .name = "dynset", .parse = netlink_parse_dynset }, }; static int netlink_parse_expr(struct nft_rule_expr *nle, void *arg) @@ -1140,6 +1175,9 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r case STMT_REJECT: stmt_reject_postprocess(rctx, stmt); break; + case STMT_SET: + expr_postprocess(&rctx, stmt, &stmt->set.key); + break; default: break; } diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index d1414c14..09ba2eff 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -800,6 +800,28 @@ static void netlink_gen_ct_stmt(struct netlink_linearize_ctx *ctx, nft_rule_add_expr(ctx->nlr, nle); } +static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx, + const struct stmt *stmt) +{ + struct nft_rule_expr *nle; + enum nft_registers sreg_key; + + sreg_key = get_register(ctx); + netlink_gen_expr(ctx, stmt->set.key, sreg_key); + release_register(ctx); + + nle = alloc_nft_expr("dynset"); + netlink_put_register(nle, NFT_EXPR_DYNSET_SREG_KEY, sreg_key); + nft_rule_expr_set_u64(nle, NFT_EXPR_DYNSET_TIMEOUT, + stmt->set.key->timeout); + nft_rule_expr_set_u32(nle, NFT_EXPR_DYNSET_OP, stmt->set.op); + nft_rule_expr_set_str(nle, NFT_EXPR_DYNSET_SET_NAME, + stmt->set.set->set->handle.set); + nft_rule_expr_set_u32(nle, NFT_EXPR_DYNSET_SET_ID, + stmt->set.set->set->handle.set_id); + nft_rule_add_expr(ctx->nlr, nle); +} + static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx, const struct stmt *stmt) { @@ -828,6 +850,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx, return netlink_gen_queue_stmt(ctx, stmt); case STMT_CT: return netlink_gen_ct_stmt(ctx, stmt); + case STMT_SET: + return netlink_gen_set_stmt(ctx, stmt); default: BUG("unknown statement type %s\n", stmt->ops->name); } diff --git a/src/parser_bison.y b/src/parser_bison.y index 0f2d71a3..eac3fcbe 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -181,6 +181,7 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token INET "inet" %token ADD "add" +%token UPDATE "update" %token CREATE "create" %token INSERT "insert" %token DELETE "delete" @@ -456,6 +457,9 @@ static void location_update(struct location *loc, struct location *rhs, int n) %type queue_stmt queue_stmt_alloc %destructor { stmt_free($$); } queue_stmt queue_stmt_alloc %type queue_stmt_flags queue_stmt_flag +%type set_stmt +%destructor { stmt_free($$); } set_stmt +%type set_stmt_op %type symbol_expr verdict_expr integer_expr %destructor { expr_free($$); } symbol_expr verdict_expr integer_expr @@ -1267,6 +1271,7 @@ stmt : verdict_stmt | ct_stmt | masq_stmt | redir_stmt + | set_stmt ; verdict_stmt : verdict_expr @@ -1579,6 +1584,19 @@ queue_stmt_flag : BYPASS { $$ = NFT_QUEUE_FLAG_BYPASS; } | FANOUT { $$ = NFT_QUEUE_FLAG_CPU_FANOUT; } ; +set_stmt : SET set_stmt_op set_elem_expr symbol_expr + { + $$ = set_stmt_alloc(&@$); + $$->set.op = $2; + $$->set.key = $3; + $$->set.set = $4; + } + ; + +set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; } + | UPDATE { $$ = NFT_DYNSET_OP_UPDATE; } + ; + match_stmt : relational_expr { $$ = expr_stmt_alloc(&@$, $1); diff --git a/src/scanner.l b/src/scanner.l index 4231d270..985ea2a3 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -257,6 +257,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "inet" { return INET; } "add" { return ADD; } +"update" { return UPDATE; } "create" { return CREATE; } "insert" { return INSERT; } "delete" { return DELETE; } diff --git a/src/statement.c b/src/statement.c index d72c6e9b..9ebc5938 100644 --- a/src/statement.c +++ b/src/statement.c @@ -377,3 +377,34 @@ struct stmt *redir_stmt_alloc(const struct location *loc) { return stmt_alloc(loc, &redir_stmt_ops); } + +static const char * const set_stmt_op_names[] = { + [NFT_DYNSET_OP_ADD] = "add", + [NFT_DYNSET_OP_UPDATE] = "update", +}; + +static void set_stmt_print(const struct stmt *stmt) +{ + printf("set %s ", set_stmt_op_names[stmt->set.op]); + expr_print(stmt->set.key); + printf(" "); + expr_print(stmt->set.set); +} + +static void set_stmt_destroy(struct stmt *stmt) +{ + expr_free(stmt->set.key); + expr_free(stmt->set.set); +} + +static const struct stmt_ops set_stmt_ops = { + .type = STMT_SET, + .name = "set", + .print = set_stmt_print, + .destroy = set_stmt_destroy, +}; + +struct stmt *set_stmt_alloc(const struct location *loc) +{ + return stmt_alloc(loc, &set_stmt_ops); +} -- cgit v1.2.3 From efd5d125dff0dd295a3dfccd3491fc18b4fc164a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 30 May 2015 17:59:18 +0200 Subject: netlink_delinearize: pass ctx pointer to stmt_reject_postprocess() Instead of a copy of the context variable. Signed-off-by: Pablo Neira Ayuso --- src/netlink_delinearize.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index b041579f..26a8c855 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1082,18 +1082,18 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, } } -static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt) +static void stmt_reject_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt) { const struct proto_desc *desc, *base; int protocol; - switch (rctx.pctx.family) { + switch (rctx->pctx.family) { case NFPROTO_IPV4: - stmt->reject.family = rctx.pctx.family; + stmt->reject.family = rctx->pctx.family; stmt->reject.expr->dtype = &icmp_code_type; break; case NFPROTO_IPV6: - stmt->reject.family = rctx.pctx.family; + stmt->reject.family = rctx->pctx.family; stmt->reject.expr->dtype = &icmpv6_code_type; break; case NFPROTO_INET: @@ -1101,8 +1101,8 @@ static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt) stmt->reject.expr->dtype = &icmpx_code_type; break; } - base = rctx.pctx.protocol[PROTO_BASE_LL_HDR].desc; - desc = rctx.pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; + base = rctx->pctx.protocol[PROTO_BASE_LL_HDR].desc; + desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; protocol = proto_find_num(base, desc); switch (protocol) { case NFPROTO_IPV4: @@ -1119,8 +1119,8 @@ static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt) stmt->reject.expr->dtype = &icmpx_code_type; break; } - base = rctx.pctx.protocol[PROTO_BASE_LL_HDR].desc; - desc = rctx.pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; + base = rctx->pctx.protocol[PROTO_BASE_LL_HDR].desc; + desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; protocol = proto_find_num(base, desc); switch (protocol) { case __constant_htons(ETH_P_IP): @@ -1173,7 +1173,7 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r &stmt->redir.proto); break; case STMT_REJECT: - stmt_reject_postprocess(rctx, stmt); + stmt_reject_postprocess(&rctx, stmt); break; case STMT_SET: expr_postprocess(&rctx, stmt, &stmt->set.key); -- cgit v1.2.3 From 3550b3e3ebeb8f2532e8915f7581bbe4bcd7eabd Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 2 Jun 2015 16:45:23 +0200 Subject: netlink_delinearize: keep pointer to current statement from rule_pp_ctx This patch is required by the range postprocess routine that comes in follow up patches. Signed-off-by: Pablo Neira Ayuso --- src/netlink_delinearize.c | 71 ++++++++++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 34 deletions(-) (limited to 'src') diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 26a8c855..71c32c5f 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -780,6 +780,7 @@ struct rule_pp_ctx { struct proto_ctx pctx; enum proto_bases pbase; struct stmt *pdep; + struct stmt *stmt; }; /* @@ -829,7 +830,7 @@ static void integer_type_postprocess(struct expr *expr) } static void payload_match_postprocess(struct rule_pp_ctx *ctx, - struct stmt *stmt, struct expr *expr) + struct expr *expr) { struct expr *left = expr->left, *right = expr->right, *tmp; struct list_head list = LIST_HEAD_INIT(list); @@ -851,8 +852,8 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, if (expr->op == OP_EQ) left->ops->pctx_update(&ctx->pctx, nexpr); - nstmt = expr_stmt_alloc(&stmt->location, nexpr); - list_add_tail(&nstmt->list, &stmt->list); + nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr); + list_add_tail(&nstmt->list, &ctx->stmt->list); /* Remember the first payload protocol expression to * kill it later on if made redundant by a higher layer @@ -865,8 +866,9 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, else payload_dependency_kill(ctx, nexpr->left); } - list_del(&stmt->list); - stmt_free(stmt); + list_del(&ctx->stmt->list); + stmt_free(ctx->stmt); + ctx->stmt = NULL; break; default: payload_expr_complete(left, &ctx->pctx); @@ -878,7 +880,6 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, } static void meta_match_postprocess(struct rule_pp_ctx *ctx, - struct stmt *stmt, const struct expr *expr) { struct expr *left = expr->left; @@ -889,7 +890,8 @@ static void meta_match_postprocess(struct rule_pp_ctx *ctx, if (ctx->pbase == PROTO_BASE_INVALID && left->flags & EXPR_F_PROTOCOL) - payload_dependency_store(ctx, stmt, left->meta.base); + payload_dependency_store(ctx, ctx->stmt, + left->meta.base); break; case OP_LOOKUP: expr_set_type(expr->right, expr->left->dtype, @@ -973,8 +975,7 @@ static void relational_binop_postprocess(struct expr *expr) } } -static void expr_postprocess(struct rule_pp_ctx *ctx, - struct stmt *stmt, struct expr **exprp) +static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) { struct expr *expr = *exprp, *i; @@ -982,29 +983,29 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, switch (expr->ops->type) { case EXPR_MAP: - expr_postprocess(ctx, stmt, &expr->map); - expr_postprocess(ctx, stmt, &expr->mappings); + expr_postprocess(ctx, &expr->map); + expr_postprocess(ctx, &expr->mappings); break; case EXPR_MAPPING: - expr_postprocess(ctx, stmt, &expr->left); - expr_postprocess(ctx, stmt, &expr->right); + expr_postprocess(ctx, &expr->left); + expr_postprocess(ctx, &expr->right); break; case EXPR_SET: list_for_each_entry(i, &expr->expressions, list) - expr_postprocess(ctx, stmt, &i); + expr_postprocess(ctx, &i); break; case EXPR_UNARY: - expr_postprocess(ctx, stmt, &expr->arg); + expr_postprocess(ctx, &expr->arg); expr_set_type(expr->arg, expr->arg->dtype, !expr->arg->byteorder); *exprp = expr_get(expr->arg); expr_free(expr); break; case EXPR_BINOP: - expr_postprocess(ctx, stmt, &expr->left); + expr_postprocess(ctx, &expr->left); expr_set_type(expr->right, expr->left->dtype, expr->left->byteorder); - expr_postprocess(ctx, stmt, &expr->right); + expr_postprocess(ctx, &expr->right); expr_set_type(expr, expr->left->dtype, expr->left->byteorder); @@ -1012,19 +1013,19 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, case EXPR_RELATIONAL: switch (expr->left->ops->type) { case EXPR_PAYLOAD: - payload_match_postprocess(ctx, stmt, expr); + payload_match_postprocess(ctx, expr); return; default: - expr_postprocess(ctx, stmt, &expr->left); + expr_postprocess(ctx, &expr->left); break; } expr_set_type(expr->right, expr->left->dtype, expr->left->byteorder); - expr_postprocess(ctx, stmt, &expr->right); + expr_postprocess(ctx, &expr->right); switch (expr->left->ops->type) { case EXPR_META: - meta_match_postprocess(ctx, stmt, expr); + meta_match_postprocess(ctx, expr); break; case EXPR_BINOP: relational_binop_postprocess(expr); @@ -1065,11 +1066,11 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, break; case EXPR_RANGE: - expr_postprocess(ctx, stmt, &expr->left); - expr_postprocess(ctx, stmt, &expr->right); + expr_postprocess(ctx, &expr->left); + expr_postprocess(ctx, &expr->right); break; case EXPR_SET_ELEM: - expr_postprocess(ctx, stmt, &expr->key); + expr_postprocess(ctx, &expr->key); break; case EXPR_SET_REF: case EXPR_EXTHDR: @@ -1082,9 +1083,10 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, } } -static void stmt_reject_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt) +static void stmt_reject_postprocess(struct rule_pp_ctx *rctx) { const struct proto_desc *desc, *base; + struct stmt *stmt = rctx->stmt; int protocol; switch (rctx->pctx.family) { @@ -1149,34 +1151,35 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r proto_ctx_init(&rctx.pctx, rule->handle.family); list_for_each_entry_safe(stmt, next, &rule->stmts, list) { + rctx.stmt = stmt; + switch (stmt->ops->type) { case STMT_EXPRESSION: - expr_postprocess(&rctx, stmt, &stmt->expr); + expr_postprocess(&rctx, &stmt->expr); break; case STMT_META: if (stmt->meta.expr != NULL) - expr_postprocess(&rctx, stmt, &stmt->meta.expr); + expr_postprocess(&rctx, &stmt->meta.expr); break; case STMT_CT: if (stmt->ct.expr != NULL) - expr_postprocess(&rctx, stmt, &stmt->ct.expr); + expr_postprocess(&rctx, &stmt->ct.expr); break; case STMT_NAT: if (stmt->nat.addr != NULL) - expr_postprocess(&rctx, stmt, &stmt->nat.addr); + expr_postprocess(&rctx, &stmt->nat.addr); if (stmt->nat.proto != NULL) - expr_postprocess(&rctx, stmt, &stmt->nat.proto); + expr_postprocess(&rctx, &stmt->nat.proto); break; case STMT_REDIR: if (stmt->redir.proto != NULL) - expr_postprocess(&rctx, stmt, - &stmt->redir.proto); + expr_postprocess(&rctx, &stmt->redir.proto); break; case STMT_REJECT: - stmt_reject_postprocess(&rctx, stmt); + stmt_reject_postprocess(&rctx); break; case STMT_SET: - expr_postprocess(&rctx, stmt, &stmt->set.key); + expr_postprocess(&rctx, &stmt->set.key); break; default: break; -- cgit v1.2.3 From 9a03828e41695f4694a0b7f711bb01bba3b0a39e Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 30 May 2015 21:57:57 +0200 Subject: netlink_delinearize: add payload_match_expand() This function encapsulates the payload expansion logic. This change in required by the follow up patch to consolidate range printing. Signed-off-by: Pablo Neira Ayuso --- src/netlink_delinearize.c | 69 +++++++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 32 deletions(-) (limited to 'src') diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 71c32c5f..7b4d6958 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -829,49 +829,54 @@ static void integer_type_postprocess(struct expr *expr) } } -static void payload_match_postprocess(struct rule_pp_ctx *ctx, - struct expr *expr) +static void payload_match_expand(struct rule_pp_ctx *ctx, struct expr *expr) { struct expr *left = expr->left, *right = expr->right, *tmp; struct list_head list = LIST_HEAD_INIT(list); struct stmt *nstmt; struct expr *nexpr; + payload_expr_expand(&list, left, &ctx->pctx); + list_for_each_entry(left, &list, list) { + tmp = constant_expr_splice(right, left->len); + expr_set_type(tmp, left->dtype, left->byteorder); + if (tmp->byteorder == BYTEORDER_HOST_ENDIAN) + mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE); + + nexpr = relational_expr_alloc(&expr->location, expr->op, + left, tmp); + if (expr->op == OP_EQ) + left->ops->pctx_update(&ctx->pctx, nexpr); + + nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr); + list_add_tail(&nstmt->list, &ctx->stmt->list); + + /* Remember the first payload protocol expression to + * kill it later on if made redundant by a higher layer + * payload expression. + */ + if (ctx->pbase == PROTO_BASE_INVALID && + left->flags & EXPR_F_PROTOCOL) + payload_dependency_store(ctx, nstmt, + left->payload.base); + else + payload_dependency_kill(ctx, nexpr->left); + } + list_del(&ctx->stmt->list); + stmt_free(ctx->stmt); + ctx->stmt = NULL; +} + +static void payload_match_postprocess(struct rule_pp_ctx *ctx, + struct expr *expr) +{ switch (expr->op) { case OP_EQ: case OP_NEQ: - payload_expr_expand(&list, left, &ctx->pctx); - list_for_each_entry(left, &list, list) { - tmp = constant_expr_splice(right, left->len); - expr_set_type(tmp, left->dtype, left->byteorder); - if (tmp->byteorder == BYTEORDER_HOST_ENDIAN) - mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE); - - nexpr = relational_expr_alloc(&expr->location, expr->op, - left, tmp); - if (expr->op == OP_EQ) - left->ops->pctx_update(&ctx->pctx, nexpr); - - nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr); - list_add_tail(&nstmt->list, &ctx->stmt->list); - - /* Remember the first payload protocol expression to - * kill it later on if made redundant by a higher layer - * payload expression. - */ - if (ctx->pbase == PROTO_BASE_INVALID && - left->flags & EXPR_F_PROTOCOL) - payload_dependency_store(ctx, nstmt, - left->payload.base); - else - payload_dependency_kill(ctx, nexpr->left); - } - list_del(&ctx->stmt->list); - stmt_free(ctx->stmt); - ctx->stmt = NULL; + payload_match_expand(ctx, expr); break; default: - payload_expr_complete(left, &ctx->pctx); + payload_expr_complete(expr->left, &ctx->pctx); expr_set_type(expr->right, expr->left->dtype, expr->left->byteorder); payload_dependency_kill(ctx, expr->left); -- cgit v1.2.3 From 09565a4b1ed4863d44c4509a93c50f44efd12771 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 30 May 2015 20:01:43 +0200 Subject: netlink_delinearize: consolidate range printing This patch adds a routine to the postprocess stage to check if the previous expression statement and the current actually represent a range, so we can provide a more compact listing, eg. # nft -nn list table test table ip test { chain test { tcp dport 22 tcp dport 22-23 tcp dport != 22-23 ct mark != 0x00000016-0x00000017 ct mark 0x00000016-0x00000017 mark 0x00000016-0x00000017 mark != 0x00000016-0x00000017 } } To do so, the context state stores a pointer to the current statement. This pointer needs to be invalidated in case the current statement is replaced. Signed-off-by: Pablo Neira Ayuso --- src/netlink_delinearize.c | 82 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 78 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 7b4d6958..b1ce9113 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -873,8 +873,11 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, switch (expr->op) { case OP_EQ: case OP_NEQ: - payload_match_expand(ctx, expr); - break; + if (expr->right->ops->type == EXPR_VALUE) { + payload_match_expand(ctx, expr); + break; + } + /* Fall through */ default: payload_expr_complete(expr->left, &ctx->pctx); expr_set_type(expr->right, expr->left->dtype, @@ -1147,10 +1150,80 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx) } } +static bool expr_may_merge_range(struct expr *expr, struct expr *prev, + enum ops *op) +{ + struct expr *left, *prev_left; + + if (prev->ops->type == EXPR_RELATIONAL && + expr->ops->type == EXPR_RELATIONAL) { + /* ct and meta needs an unary to swap byteorder, in this case + * we have to explore the inner branch in this tree. + */ + if (expr->left->ops->type == EXPR_UNARY) + left = expr->left->arg; + else + left = expr->left; + + if (prev->left->ops->type == EXPR_UNARY) + prev_left = prev->left->arg; + else + prev_left = prev->left; + + if (left->ops->type == prev_left->ops->type) { + if (expr->op == OP_LTE && prev->op == OP_GTE) { + *op = OP_EQ; + return true; + } else if (expr->op == OP_GT && prev->op == OP_LT) { + *op = OP_NEQ; + return true; + } + } + } + + return false; +} + +static void expr_postprocess_range(struct rule_pp_ctx *ctx, struct stmt *prev, + enum ops op) +{ + struct stmt *nstmt, *stmt = ctx->stmt; + struct expr *nexpr, *rel; + + nexpr = range_expr_alloc(&prev->location, expr_clone(prev->expr->right), + expr_clone(stmt->expr->right)); + expr_set_type(nexpr, stmt->expr->right->dtype, + stmt->expr->right->byteorder); + + rel = relational_expr_alloc(&prev->location, op, + expr_clone(stmt->expr->left), nexpr); + + nstmt = expr_stmt_alloc(&stmt->location, rel); + list_add_tail(&nstmt->list, &stmt->list); + + list_del(&prev->list); + stmt_free(prev); + + list_del(&stmt->list); + stmt_free(stmt); + ctx->stmt = nstmt; +} + +static void stmt_expr_postprocess(struct rule_pp_ctx *ctx, struct stmt *prev) +{ + enum ops op; + + if (prev && ctx->stmt->ops->type == prev->ops->type && + expr_may_merge_range(ctx->stmt->expr, prev->expr, &op)) + expr_postprocess_range(ctx, prev, op); + + expr_postprocess(ctx, &ctx->stmt->expr); +} + static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *rule) { struct rule_pp_ctx rctx; - struct stmt *stmt, *next; + struct stmt *stmt, *next, *prev = NULL; memset(&rctx, 0, sizeof(rctx)); proto_ctx_init(&rctx.pctx, rule->handle.family); @@ -1160,7 +1233,7 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r switch (stmt->ops->type) { case STMT_EXPRESSION: - expr_postprocess(&rctx, &stmt->expr); + stmt_expr_postprocess(&rctx, prev); break; case STMT_META: if (stmt->meta.expr != NULL) @@ -1189,6 +1262,7 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r default: break; } + prev = rctx.stmt; } } -- cgit v1.2.3