From 3ed5e31f4a323d7f054b6120d05134195dc681f0 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Wed, 27 Apr 2016 12:29:50 +0100 Subject: src: add flow statement The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy Signed-off-by: Pablo Neira Ayuso
--- include/expression.h | 1 + include/netlink.h | 3 +++ include/rule.h | 1 + include/statement.h | 12 ++++++++++++ 4 files changed, 17 insertions(+) (limited to 'include')
diff --git a/include/expression.h b/include/expression.h
index fc184106..6e5e835e 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -237,6 +237,7 @@ struct expr {
 uint64_t timeout;
 uint64_t expiration;
 const char *comment;
+ struct stmt *stmt;
 };
 struct {
 /* EXPR_UNARY */
diff --git a/include/netlink.h b/include/netlink.h
index 9ec5409b..9f465601 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -142,6 +142,9 @@ extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h,
 extern int netlink_get_set(struct netlink_ctx *ctx, const struct handle *h,
 const struct location *loc);
 
+extern struct stmt *netlink_parse_set_expr(const struct set *set,
+ const struct nftnl_expr *nle);
+
 extern int netlink_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
 const struct expr *expr);
 extern int netlink_delete_setelems(struct netlink_ctx *ctx, const struct handle *h,
diff --git a/include/rule.h b/include/rule.h
index 09b3ff70..bfe398d6 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -206,6 +206,7 @@ enum set_flags {
 SET_F_INTERVAL = 0x4,
 SET_F_MAP = 0x8,
 SET_F_TIMEOUT = 0x10,
+ SET_F_EVAL = 0x20,
 };
 
 /**
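Review bot: The new `stmt` member added to the EXPR_SET_ELEM part of the `struct expr` union carries no ownership note, and the set-element clone and destroy paths live in the .c files outside this patch (the view is limited to include/), so it cannot be seen here whether the pointer is deep-copied on clone and released on destroy. A comment on the member such as `/* EXPR_SET_ELEM: per-element statement (flow), released with the element — confirm against expr_destroy/expr_clone */` would pin the contract for whoever maintains those paths. If the statement is in fact borrowed from the enclosing flow statement, the comment should say so instead, because a double free or leak is the usual outcome of an undocumented pointer in a union like this. The enclosing `struct expr` starts and ends outside the hunk.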
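Review bot: `netlink_parse_set_expr()` returns a `struct stmt *` with no statement of what happens when the kernel-side dynset expression cannot be mapped to a statement, so callers cannot tell from the header whether to expect NULL before dereferencing the result. Suggest a comment above the prototype: `/* Translate a set's dynset expression received over netlink into a flow statement; returns NULL if the expression type is unsupported. */`, adjusted to whatever src/netlink.c (outside this view) actually does on the unsupported path. Since the input comes from netlink, an unknown or malformed expression should be rejected and reported rather than assumed well-formed.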
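Review bot: `SET_F_EVAL = 0x20` extends a bitmask whose values appear to track the kernel's `NFT_SET_*` flag bits — the existing 0x1..0x10 progression suggests it, but the mapping is not visible in this hunk. If that is the case, a one-line comment on the enum, e.g. `/* values mirror the kernel NFT_SET_* bits so flags can be handed to libnftnl unchanged */`, would make the ABI coupling explicit so a future flag is not assigned an arbitrary value. If the values are instead translated at the netlink boundary, the comment should say that instead.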
diff --git a/include/statement.h b/include/statement.h
index a6a86f94..e9313ca7 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -138,12 +138,22 @@ struct set_stmt {
 
 extern struct stmt *set_stmt_alloc(const struct location *loc);
 
+struct flow_stmt {
+ struct expr *set;
+ struct expr *key;
+ struct stmt *stmt;
+ const char *table;
+};
+
+extern struct stmt *flow_stmt_alloc(const struct location *loc);
+
 /**
 * enum stmt_types - statement types
 *
 * @STMT_INVALID: uninitialised
 * @STMT_EXPRESSION: expression statement (relational)
 * @STMT_VERDICT: verdict statement
+ * @STMT_FLOW: flow statement
 * @STMT_COUNTER: counters
 * @STMT_PAYLOAD: payload statement
 * @STMT_META: meta statement
@@ -163,6 +173,7 @@ enum stmt_types {
 STMT_INVALID,
 STMT_EXPRESSION,
 STMT_VERDICT,
+ STMT_FLOW,
 STMT_COUNTER,
 STMT_PAYLOAD,
 STMT_META,
@@ -217,6 +228,7 @@ struct stmt {
 
 union {
 struct expr *expr;
+ struct flow_stmt flow;
 struct counter_stmt counter;
 struct payload_stmt payload;
 struct meta_stmt meta;
-- 
cgit v1.2.3
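Review bot: `struct flow_stmt` states no ownership for any of its four members — `set`, `key`, `stmt` and `table` — so the destroy callback (outside this patch, which only touches include/) cannot be checked against a written contract; in particular `const char *table` may be a borrowed parser string or an allocated copy that must be freed, and `set`/`key` may be owned here or by the enclosing rule. Suggest a block comment above the struct that says, per member, who allocates and who frees, e.g. `/* set, key: expressions owned by this statement; stmt: per-flow statement, owned; table: name string, freed on destroy — confirm against flow_stmt_destroy */`, with the wording adjusted to the real implementation. The `@STMT_FLOW: flow statement` doc line added in the same hunk only repeats the name; something like `@STMT_FLOW: per-flow statement (dynamic set element + statement)` would tell a reader what it is for.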