summaryrefslogtreecommitdiffstats
path: root/include/rule.h
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2018-01-22 11:17:10 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-01-22 11:47:58 +0100
commit30f667920601d01107398cbb85da45fdb1237212 (patch)
tree007eb0687d716a6cb2a33be255e283fdd483d4af /include/rule.h
parentb4c7117ef552d0d71bde1db4a047b4c005699951 (diff)
src: add 'auto-merge' option to sets
After discussions with Karel here: https://bugzilla.netfilter.org/show_bug.cgi?id=1184 And later on with Phil Sutter, we decided to disable the automatic merge feature in sets with intervals. This feature is problematic because it introduces an inconsistency between what we add and what we later on get. This is going to get worse with the upcoming timeout support for intervals. Therefore, we turned off this by default. However, Jeff Kletsky and folks like this feature, so let's restore this behaviour on demand with this new 'auto-merge' statement, that you can place on the set definition, eg. # nft list ruleset table ip x { ... set y { type ipv4_addr flags interval auto-merge } } # nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 } Regarding implementation details: Given this feature only makes sense from userspace, let's store this in the set user data area, so nft knows it has to do automatic merge of adjacent/overlapping elements as per user request. # nft add set x z { type ipv4_addr\; auto-merge\; } Error: auto-merge only works with interval sets add set x z { type ipv4_addr; auto-merge; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/rule.h')
-rw-r--r--include/rule.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/include/rule.h b/include/rule.h
index 4e5a349a..d9c172dd 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -220,6 +220,7 @@ extern struct rule *rule_lookup(const struct chain *chain, uint64_t handle);
* @init: initializer
* @rg_cache: cached range element (left)
* @policy: set mechanism policy
+ * @automerge: merge adjacents and overlapping elements, if possible
* @desc: set mechanism desc
*/
struct set {
@@ -237,6 +238,7 @@ struct set {
struct expr *init;
struct expr *rg_cache;
uint32_t policy;
+ bool automerge;
struct {
uint32_t size;
} desc;
@@ -528,6 +530,7 @@ enum udata_type {
enum udata_set_type {
UDATA_SET_KEYBYTEORDER,
UDATA_SET_DATABYTEORDER,
+ UDATA_SET_MERGE_ELEMENTS,
__UDATA_SET_MAX,
};
#define UDATA_SET_MAX (__UDATA_SET_MAX - 1)