-rw-r--r-- | include/expression.h | 2 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 4 | ||||
-rw-r--r-- | src/expression.c | 8 | ||||
-rw-r--r-- | src/netlink.c | 7 | ||||
-rw-r--r-- | src/parser_bison.y | 14 |
5 files changed, 35 insertions, 0 deletions
diff --git a/include/expression.h b/include/expression.h
index d481f288..6f23b6dd 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -234,6 +234,8 @@ struct expr {
 struct {
 /* EXPR_SET_ELEM */
 struct expr *key;
+ uint64_t timeout;
+ uint64_t expiration;
 };
 struct {
 /* EXPR_UNARY */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8671505e..6894ba33 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -289,12 +289,16 @@ enum nft_set_elem_flags {
 * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
 * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
 */
 enum nft_set_elem_attributes {
 NFTA_SET_ELEM_UNSPEC,
 NFTA_SET_ELEM_KEY,
 NFTA_SET_ELEM_DATA,
 NFTA_SET_ELEM_FLAGS,
+ NFTA_SET_ELEM_TIMEOUT,
+ NFTA_SET_ELEM_EXPIRATION,
 __NFTA_SET_ELEM_MAX
 };
 #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
diff --git a/src/expression.c b/src/expression.c
index 67893968..2037c607 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -889,6 +889,14 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set)
 static void set_elem_expr_print(const struct expr *expr)
 {
 expr_print(expr->key);
+ if (expr->timeout) {
+ printf(" timeout ");
+ time_print(expr->timeout / 1000);
+ }
+ if (expr->expiration) {
+ printf(" expires ");
+ time_print(expr->expiration / 1000);
+ }
 }
 static void set_elem_expr_destroy(struct expr *expr)
diff --git a/src/netlink.c b/src/netlink.c
index e1d6421f..7d675d7f 100644
--- a/src/netlink.c
+++ b/src/netlink.c
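Review bot: The two fields added to the EXPR_SET_ELEM member of `struct expr` in include/expression.h carry no unit or sentinel documentation, although every other hunk in this commit depends on both. The printer divides by 1000 and the parser multiplies by 1000, so the values appear to be milliseconds, and each reader treats 0 as "not set". I would annotate them, for example `uint64_t timeout; /* milliseconds, 0 = no timeout */` and `uint64_t expiration; /* milliseconds, 0 = not reported */`. Whether expiration is the remaining lifetime or an absolute time is not visible here, so the author should state that in the comment.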
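Review bot: In set_elem_expr_print (src/expression.c) the integer division `expr->timeout / 1000`, and likewise `expr->expiration / 1000`, drops sub-second precision, so a non-zero value below 1000 passes the `if` and is handed to time_print() as 0. What time_print() emits for 0 is not visible in this hunk, but the listing would then describe a timeout the element does not have; rounding up, `time_print(expr->timeout / 1000 + !!(expr->timeout % 1000));`, keeps the output non-zero. The `expires` keyword printed here also has no counterpart in the `set_elem_option` rule this commit adds to parser_bison.y, so listed output containing it presumably cannot be parsed back. A comment saying that is intentional would help anyone who restores rulesets from a listing.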
@@ -225,6 +225,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr) netlink_gen_data(key, &nld); nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, &nld.value, nld.len); + if (elem->timeout) + nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT, + elem->timeout); if (data != NULL) { netlink_gen_data(data, &nld); @@ -1404,6 +1407,10 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse, key = bitmask_expr_to_binops(key); expr = set_elem_expr_alloc(&netlink_location, key); + if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_TIMEOUT)) + expr->timeout = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT); + if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION)) + expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION); if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; diff --git a/src/parser_bison.y b/src/parser_bison.y index 80831878..736704a5 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1779,6 +1779,7 @@ set_list_member_expr : opt_newline set_expr opt_newline ; set_elem_expr : set_elem_expr_alloc + | set_elem_expr_alloc set_elem_options ; set_elem_expr_alloc : set_lhs_expr @@ -1787,6 +1788,19 @@ set_elem_expr_alloc : set_lhs_expr } ; +set_elem_options : set_elem_option + { + $<expr>$ = $<expr>0; + } + | set_elem_options set_elem_option + ; + +set_elem_option : TIMEOUT time_spec + { + $<expr>0->timeout = $2 * 1000; + } + ; + set_lhs_expr : concat_expr | multiton_expr ; |
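Review bot: The new `if (elem->timeout)` in alloc_nft_setelem reads a field that sits in the EXPR_SET_ELEM member of `struct expr` (see the expression.h hunk), and nothing in this hunk shows that `elem` is always a set-element expression. If that member is one arm of a union, as the neighbouring EXPR_UNARY member suggests, and `elem` can be another expression type, the read would alias that type's storage and an unrelated value would be sent to the kernel as the element timeout. The assignment of `elem` lies outside the hunk, so the invariant may already hold. A comment at the read, such as `/* elem is always EXPR_SET_ELEM here, so the timeout field is valid */`, or an assertion to that effect, would make it checkable.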
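Review bot: `$<expr>0->timeout = $2 * 1000;` in the new set_elem_option rule multiplies the parsed time by 1000 with no range check, so a large enough `time_spec` wraps silently. The element is then installed with a much shorter timeout than the user wrote, or with 0, which the netlink code in this commit treats as "no timeout". The type of `time_spec` is not visible here; if it is 64-bit, a guard such as `if ($2 > UINT64_MAX / 1000)` followed by the parser's usual error report and `YYERROR;` would reject the value instead. The rule also depends on `$<expr>0` being the element produced by set_elem_expr_alloc, and repeated `timeout` options are accepted with the last one winning. A short comment above set_elem_options stating both would help the next reader.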