summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/expression.h2
-rw-r--r--include/linux/netfilter/nf_tables.h4
-rw-r--r--src/expression.c8
-rw-r--r--src/netlink.c7
-rw-r--r--src/parser_bison.y14
5 files changed, 35 insertions, 0 deletions
diff --git a/include/expression.h b/include/expression.h
index d481f288..6f23b6dd 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -234,6 +234,8 @@ struct expr {
struct {
/* EXPR_SET_ELEM */
struct expr *key;
+ uint64_t timeout;
+ uint64_t expiration;
};
struct {
/* EXPR_UNARY */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8671505e..6894ba33 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -289,12 +289,16 @@ enum nft_set_elem_flags {
* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
*/
enum nft_set_elem_attributes {
NFTA_SET_ELEM_UNSPEC,
NFTA_SET_ELEM_KEY,
NFTA_SET_ELEM_DATA,
NFTA_SET_ELEM_FLAGS,
+ NFTA_SET_ELEM_TIMEOUT,
+ NFTA_SET_ELEM_EXPIRATION,
__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
diff --git a/src/expression.c b/src/expression.c
index 67893968..2037c607 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -889,6 +889,14 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set)
static void set_elem_expr_print(const struct expr *expr)
{
expr_print(expr->key);
+ if (expr->timeout) {
+ printf(" timeout ");
+ time_print(expr->timeout / 1000);
+ }
+ if (expr->expiration) {
+ printf(" expires ");
+ time_print(expr->expiration / 1000);
+ }
}
static void set_elem_expr_destroy(struct expr *expr)
diff --git a/src/netlink.c b/src/netlink.c
index e1d6421f..7d675d7f 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -225,6 +225,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr)
netlink_gen_data(key, &nld);
nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, &nld.value, nld.len);
+ if (elem->timeout)
+ nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT,
+ elem->timeout);
if (data != NULL) {
netlink_gen_data(data, &nld);
@@ -1404,6 +1407,10 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse,
key = bitmask_expr_to_binops(key);
expr = set_elem_expr_alloc(&netlink_location, key);
+ if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_TIMEOUT))
+ expr->timeout = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT);
+ if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION))
+ expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION);
if (flags & NFT_SET_ELEM_INTERVAL_END) {
expr->flags |= EXPR_F_INTERVAL_END;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 80831878..736704a5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1779,6 +1779,7 @@ set_list_member_expr : opt_newline set_expr opt_newline
;
set_elem_expr : set_elem_expr_alloc
+ | set_elem_expr_alloc set_elem_options
;
set_elem_expr_alloc : set_lhs_expr
@@ -1787,6 +1788,19 @@ set_elem_expr_alloc : set_lhs_expr
}
;
+set_elem_options : set_elem_option
+ {
+ $<expr>$ = $<expr>0;
+ }
+ | set_elem_options set_elem_option
+ ;
+
+set_elem_option : TIMEOUT time_spec
+ {
+ $<expr>0->timeout = $2 * 1000;
+ }
+ ;
+
set_lhs_expr : concat_expr
| multiton_expr
;