authorPatrick McHardy <kaber@trash.net>2015-03-19 13:34:18 +0000
committerPatrick McHardy <kaber@trash.net>2015-04-12 19:59:27 +0100
commit7b5248972d9f2122c7b3683ca205d3165e7a9255 (patch)
tree619a70e2ddf2d56eae85040f4217705239726e67
parent38a077f7af8a2151b565e3cb324901b48afd299e (diff)
setelem: add timeout support for set elements
Support specifying per element timeout values and displaying the expiration time. If an element should not use the default timeout value of the set, an element specific value can be specified as follows: # nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m} For listing of elements that use the default timeout value, just the expiration time is shown, otherwise the element specific timeout value is also displayed: set test { type ipv4_addr timeout 1h elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s} } Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--include/expression.h2
-rw-r--r--include/linux/netfilter/nf_tables.h4
-rw-r--r--src/expression.c8
-rw-r--r--src/netlink.c7
-rw-r--r--src/parser_bison.y14
5 files changed, 35 insertions, 0 deletions
diff --git a/include/expression.h b/include/expression.h
index d481f288..6f23b6dd 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -234,6 +234,8 @@ struct expr {
struct {
/* EXPR_SET_ELEM */
struct expr *key;
+ uint64_t timeout;
+ uint64_t expiration;
};
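Review bot: The two new fields carry no unit, yet every user on this commit treats them as milliseconds: src/expression.c divides both by 1000 before calling time_print(), and src/parser_bison.y stores `$2 * 1000`. Document that on the declarations so the next caller does not store seconds, e.g. `uint64_t timeout;     /* milliseconds, 0 = none */` and `uint64_t expiration;  /* milliseconds, 0 = none */`; the "0 = none" reading follows from the print and netlink paths skipping the value when it is zero. The enclosing `struct expr` starts and ends outside the hunk.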
struct {
/* EXPR_UNARY */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8671505e..6894ba33 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -289,12 +289,16 @@ enum nft_set_elem_flags {
* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
*/
enum nft_set_elem_attributes {
NFTA_SET_ELEM_UNSPEC,
NFTA_SET_ELEM_KEY,
NFTA_SET_ELEM_DATA,
NFTA_SET_ELEM_FLAGS,
+ NFTA_SET_ELEM_TIMEOUT,
+ NFTA_SET_ELEM_EXPIRATION,
__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
diff --git a/src/expression.c b/src/expression.c
index 67893968..2037c607 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -889,6 +889,14 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set)
static void set_elem_expr_print(const struct expr *expr)
{
expr_print(expr->key);
+ if (expr->timeout) {
+ printf(" timeout ");
+ time_print(expr->timeout / 1000);
+ }
+ if (expr->expiration) {
+ printf(" expires ");
+ time_print(expr->expiration / 1000);
+ }
}
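Review bot: The literal 1000 used as a millisecond-to-second factor on the two time_print() lines is repeated a third time in the parser hunk (`$2 * 1000` in src/parser_bison.y), with nothing tying the three together. A single named constant (for example a `MSEC_PER_SEC`-style define in a shared header) used in all three places would keep the scale factor from drifting. Note also that the division truncates, so a sub-second value arriving from the kernel would be handed to time_print() as 0 seconds; whether that matters depends on what time_print() does with 0, which is outside this hunk.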
static void set_elem_expr_destroy(struct expr *expr)
diff --git a/src/netlink.c b/src/netlink.c
index e1d6421f..7d675d7f 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -225,6 +225,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr)
netlink_gen_data(key, &nld);
nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, &nld.value, nld.len);
+ if (elem->timeout)
+ nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT,
+ elem->timeout);
if (data != NULL) {
netlink_gen_data(data, &nld);
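Review bot: The `if (elem->timeout)` guard silently encodes a policy — an element with no explicit timeout does not send NFT_SET_ELEM_ATTR_TIMEOUT at all, which per the commit message is what makes the set's default apply — but nothing in the code says so. A one-line comment on the guard would preserve that intent: `/* omit the attribute to inherit the set's default timeout */`. Expiration is deliberately not sent here, which is consistent with it being kernel-reported state, though that is inferred from the delinearize side rather than visible in this hunk. alloc_nft_setelem() begins and ends outside the hunk.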
@@ -1404,6 +1407,10 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse,
key = bitmask_expr_to_binops(key);
expr = set_elem_expr_alloc(&netlink_location, key);
+ if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_TIMEOUT))
+ expr->timeout = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT);
+ if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION))
+ expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION);
if (flags & NFT_SET_ELEM_INTERVAL_END) {
expr->flags |= EXPR_F_INTERVAL_END;
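Review bot: The two added assignment lines run past 80 columns, whereas the rest of this file — including the added `nft_set_elem_attr_set_u64(...)` call in the previous hunk — wraps at the argument list. For consistency write them as `expr->timeout = nft_set_elem_attr_get_u64(nlse,` / `NFT_SET_ELEM_ATTR_TIMEOUT);` and the same shape for expiration. netlink_delinearize_setelem() continues outside the hunk.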
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 80831878..736704a5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1779,6 +1779,7 @@ set_list_member_expr : opt_newline set_expr opt_newline
;
set_elem_expr : set_elem_expr_alloc
+ | set_elem_expr_alloc set_elem_options
;
set_elem_expr_alloc : set_lhs_expr
@@ -1787,6 +1788,19 @@ set_elem_expr_alloc : set_lhs_expr
}
;
+set_elem_options : set_elem_option
+ {
+ $<expr>$ = $<expr>0;
+ }
+ | set_elem_options set_elem_option
+ ;
+
+set_elem_option : TIMEOUT time_spec
+ {
+ $<expr>0->timeout = $2 * 1000;
+ }
+ ;
+
set_lhs_expr : concat_expr
| multiton_expr
;
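Review bot: `$<expr>0->timeout = $2 * 1000;` reaches one slot below the rule's own value stack into the `set_elem_expr_alloc` result, which only works because `set_elem_options` is always reduced directly after it in `set_elem_expr`; that coupling is invisible from the rule itself and any later grammar change that introduces a symbol in between breaks it silently. A comment above `set_elem_option` such as `/* $<expr>0 is the set_elem_expr_alloc result from the enclosing set_elem_expr rule */` would make the dependency explicit. Separately, the multiplication happens in the type of `time_spec` before being widened on assignment to the `uint64_t` field; if that %type is narrower than 64 bits the product can overflow for large inputs — worth confirming against the `time_spec` declaration, which is outside this hunk. The same literal 1000 is also used in src/expression.c.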