
[nftables] meta: Add support for `time`

Message ID 20190308172944.GA21564@nebula
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Karuna Grewal March 8, 2019, 5:29 p.m. UTC
meta `time` can be used to match the timestamp of a packet.

Signed-off-by: Karuna Grewal <karunagrewal98@gmail.com>
---
 include/linux/netfilter/nf_tables.h | 2 ++
 src/meta.c                          | 3 +++
 src/parser_bison.y                  | 1 +
 src/scanner.l                       | 1 +
 4 files changed, 7 insertions(+)

Comments

Pablo Neira Ayuso March 8, 2019, 5:40 p.m. UTC | #1
On Fri, Mar 08, 2019 at 10:59:44PM +0530, Karuna Grewal wrote:
> meta `time` can be used to match the timestamp of a packet.

Please, add tests for this to tests/py too.

Thanks.

>  include/linux/netfilter/nf_tables.h | 2 ++
>  src/meta.c                          | 3 +++
>  src/parser_bison.y                  | 1 +
>  src/scanner.l                       | 1 +
>  4 files changed, 7 insertions(+)
> 
> diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
> index 37036be0..a20fc966 100644
> --- a/include/linux/netfilter/nf_tables.h
> +++ b/include/linux/netfilter/nf_tables.h
> @@ -791,6 +791,7 @@ enum nft_exthdr_attributes {
>   * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
>   * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
>   * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
> + * @NFT_META_TSTAMP_NS: packet arrival time (skb->tstamp)
>   */
>  enum nft_meta_keys {
>  	NFT_META_LEN,
> @@ -821,6 +822,7 @@ enum nft_meta_keys {
>  	NFT_META_SECPATH,
>  	NFT_META_IIFKIND,
>  	NFT_META_OIFKIND,
> +	NFT_META_TSTAMP_NS,
>  };
>  
>  /**
> diff --git a/src/meta.c b/src/meta.c
> index 7e44a2a3..1b35e508 100644
> --- a/src/meta.c
> +++ b/src/meta.c
> @@ -450,6 +450,9 @@ const struct meta_template meta_templates[] = {
>  	[NFT_META_OIFKIND]	= META_TEMPLATE("oifkind",   &ifname_type,
>  						IFNAMSIZ * BITS_PER_BYTE,
>  						BYTEORDER_HOST_ENDIAN),
> +	[NFT_META_TSTAMP_NS] = META_TEMPLATE("timestamp", &time_type,
> +						8 * BITS_PER_BYTE,
> +						BYTEORDER_HOST_ENDIAN),
>  };
>  
>  static bool meta_key_is_unqualified(enum nft_meta_keys key)
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index b20be3a8..58914486 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -3874,6 +3874,7 @@ meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
>  			|       OIFGROUP	{ $$ = NFT_META_OIFGROUP; }
>  			|       CGROUP		{ $$ = NFT_META_CGROUP; }
>  			|       IPSEC		{ $$ = NFT_META_SECPATH; }
> +			|	TIMESTAMP	{ $$ = NFT_META_TSTAMP_NS; }
>  			;
>  
>  meta_stmt		:	META	meta_key	SET	stmt_expr
> diff --git a/src/scanner.l b/src/scanner.l
> index 6f83aa11..bfb8c558 100644
> --- a/src/scanner.l
> +++ b/src/scanner.l
> @@ -507,6 +507,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
>  "iifgroup"		{ return IIFGROUP; }
>  "oifgroup"		{ return OIFGROUP; }
>  "cgroup"		{ return CGROUP; }
> +"time"			{ return TIMESTAMP; }
>  
>  "classid"		{ return CLASSID; }
>  "nexthop"		{ return NEXTHOP; }
> -- 
> 2.17.1
>

Patch

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 37036be0..a20fc966 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -791,6 +791,7 @@  enum nft_exthdr_attributes {
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
  * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_TSTAMP_NS: packet arrival time (skb->tstamp)
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
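Review bot: The added kernel-doc line for `NFT_META_TSTAMP_NS` states neither the unit nor what the key yields when the packet carries no timestamp. The `_NS` suffix suggests nanoseconds, and skb->tstamp is, as far as I know, left at zero unless timestamping has been enabled, so a time-based rule could silently never match (or always match under a negated or less-than comparison). That should be confirmed against the kernel side, which is not part of this patch. Suggested wording, once confirmed: ` * @NFT_META_TSTAMP_NS: packet arrival time in nanoseconds (skb->tstamp), 0 if the skb was not timestamped`. The enumerator appended to `enum nft_meta_keys` in the next hunk must keep the same numeric position as in the kernel's copy of this header.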
@@ -821,6 +822,7 @@  enum nft_meta_keys {
 	NFT_META_SECPATH,
 	NFT_META_IIFKIND,
 	NFT_META_OIFKIND,
+	NFT_META_TSTAMP_NS,
 };
 
 /**
diff --git a/src/meta.c b/src/meta.c
index 7e44a2a3..1b35e508 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -450,6 +450,9 @@  const struct meta_template meta_templates[] = {
 	[NFT_META_OIFKIND]	= META_TEMPLATE("oifkind",   &ifname_type,
 						IFNAMSIZ * BITS_PER_BYTE,
 						BYTEORDER_HOST_ENDIAN),
+	[NFT_META_TSTAMP_NS] = META_TEMPLATE("timestamp", &time_type,
+						8 * BITS_PER_BYTE,
+						BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
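Review bot: The added `[NFT_META_TSTAMP_NS]` entry names the key `"timestamp"`, while the src/scanner.l hunk introduces the keyword `"time"` and the commit title also says `time`. If the template string is what gets printed when a ruleset is listed, the output would not parse back with the keyword this patch adds; use one spelling, e.g. `META_TEMPLATE("time", &time_type,`. The width would also read better as `sizeof(uint64_t) * BITS_PER_BYTE` than the bare `8`, and the `=` should be tab-aligned like the `[NFT_META_OIFKIND]` entry above it. `meta_key_is_unqualified()` appears only as trailing context, so whether it needs the new key cannot be judged from this hunk.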
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b20be3a8..58914486 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3874,6 +3874,7 @@  meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
 			|       OIFGROUP	{ $$ = NFT_META_OIFGROUP; }
 			|       CGROUP		{ $$ = NFT_META_CGROUP; }
 			|       IPSEC		{ $$ = NFT_META_SECPATH; }
+			|	TIMESTAMP	{ $$ = NFT_META_TSTAMP_NS; }
 			;
 
 meta_stmt		:	META	meta_key	SET	stmt_expr
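Review bot: Adding the alternative to `meta_key_unqualified` makes the key usable without the `meta` prefix, which reserves a short, common word across the whole grammar. Unless compatibility requires the bare form, consider placing it in `meta_key_qualified` instead, so that only the `meta`-prefixed form is accepted; that rule lies outside this hunk. The added line also uses a tab after `|` where the neighbouring alternatives use spaces.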
diff --git a/src/scanner.l b/src/scanner.l
index 6f83aa11..bfb8c558 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -507,6 +507,7 @@  addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "iifgroup"		{ return IIFGROUP; }
 "oifgroup"		{ return OIFGROUP; }
 "cgroup"		{ return CGROUP; }
+"time"			{ return TIMESTAMP; }
 
 "classid"		{ return CLASSID; }
 "nexthop"		{ return NEXTHOP; }
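Review bot: The rule `"time" { return TIMESTAMP; }` returns a token that this patch does not declare. The diffstat shows a single added line in src/parser_bison.y, which is the grammar alternative, so `TIMESTAMP` presumably already exists for another keyword. If so, `time` becomes an alias wherever that token is accepted today, and the existing keyword becomes valid as a meta key, which widens the accepted ruleset syntax beyond what the commit message describes. A dedicated token would keep the two apart, e.g. `"time" { return TIME; }` with a matching `%token TIME "time"` in the parser; the token name is only a suggestion and should be checked for collisions.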