| Message ID | 1446834863-18610-5-git-send-email-kaber@trash.net |
|---|---|
| State | RFC |
| Delegated to: | Pablo Neira |
| Headers | show |
On Fri, Nov 06, 2015 at 06:34:21PM +0000, Patrick McHardy wrote: > static void set_elem_expr_destroy(struct expr *expr) > diff --git a/src/netlink.c b/src/netlink.c > index ad86084..3bef5f4 100644 > --- a/src/netlink.c > +++ b/src/netlink.c > @@ -1472,6 +1472,8 @@ static int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, > expr->comment = xmalloc(len); > memcpy((char *)expr->comment, data, len); > } > + if (nftnl_set_elem_is_set(nlse, NFT_SET_ELEM_ATTR_EXPR)) > + expr->stmt = netlink_parse_set_expr(set, (void *)nftnl_set_elem_get(nlse, NFT_SET_ELEM_ATTR_EXPR, NULL)); Minor nit I just noticed: please use NFTNL_SET_ELEM_EXPR here instead, the old constant definitions will go after a couple of libnftnl releases, they have been left there just to make the transition a bit less traumatic. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 11.11, Pablo Neira Ayuso wrote: > On Fri, Nov 06, 2015 at 06:34:21PM +0000, Patrick McHardy wrote: > > static void set_elem_expr_destroy(struct expr *expr) > > diff --git a/src/netlink.c b/src/netlink.c > > index ad86084..3bef5f4 100644 > > --- a/src/netlink.c > > +++ b/src/netlink.c > > @@ -1472,6 +1472,8 @@ static int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, > > expr->comment = xmalloc(len); > > memcpy((char *)expr->comment, data, len); > > } > > + if (nftnl_set_elem_is_set(nlse, NFT_SET_ELEM_ATTR_EXPR)) > > + expr->stmt = netlink_parse_set_expr(set, (void *)nftnl_set_elem_get(nlse, NFT_SET_ELEM_ATTR_EXPR, NULL)); > > > Minor nit I just noticed: please use NFTNL_SET_ELEM_EXPR here instead, > the old constant definitions will go after a couple of libnftnl > releases, they have been left there just to make the transition a bit > less traumatic. Sure, fixed it. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/expression.h b/include/expression.h index 010cb95..e7f11eb 100644 --- a/include/expression.h +++ b/include/expression.h @@ -237,6 +237,7 @@ struct expr { uint64_t timeout; uint64_t expiration; const char *comment; + struct stmt *stmt; }; struct { /* EXPR_UNARY */ diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 5ebe3d8..38ad174 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -321,6 +321,7 @@ enum nft_set_elem_flags { * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64) * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64) * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY) + * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes) */ enum nft_set_elem_attributes { NFTA_SET_ELEM_UNSPEC, @@ -330,6 +331,7 @@ enum nft_set_elem_attributes { NFTA_SET_ELEM_TIMEOUT, NFTA_SET_ELEM_EXPIRATION, NFTA_SET_ELEM_USERDATA, + NFTA_SET_ELEM_EXPR, __NFTA_SET_ELEM_MAX }; #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) diff --git a/include/netlink.h b/include/netlink.h index c1def09..018a573 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -149,6 +149,9 @@ extern int netlink_delete_setelems(struct netlink_ctx *ctx, const struct handle extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc, struct set *set); +extern struct stmt *netlink_parse_set_expr(struct set *set, + struct nftnl_expr *nle); + extern void netlink_dump_table(struct nftnl_table *nlt); extern void netlink_dump_chain(struct nftnl_chain *nlc); extern void netlink_dump_rule(struct nftnl_rule *nlr); diff --git a/src/expression.c b/src/expression.c index ab195e5..2c1ea6a 100644 --- a/src/expression.c +++ b/src/expression.c @@ -16,6 +16,7 @@ #include <limits.h> #include <expression.h> +#include <statement.h> #include <datatype.h> #include <rule.h> #include <gmputil.h> @@ -899,6 +900,11 @@ static void set_elem_expr_print(const struct expr *expr) } if (expr->comment) printf(" comment \"%s\"", expr->comment); + + if (expr->stmt) { + printf(" : "); + stmt_print(expr->stmt); + } } static void set_elem_expr_destroy(struct expr *expr) diff --git a/src/netlink.c b/src/netlink.c index ad86084..3bef5f4 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -1472,6 +1472,8 @@ static int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, expr->comment = xmalloc(len); memcpy((char *)expr->comment, data, len); } + if (nftnl_set_elem_is_set(nlse, NFT_SET_ELEM_ATTR_EXPR)) + expr->stmt = netlink_parse_set_expr(set, (void *)nftnl_set_elem_get(nlse, NFT_SET_ELEM_ATTR_EXPR, NULL)); if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 97ac3ec..adeaccb 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -924,6 +924,18 @@ static int netlink_parse_rule_expr(struct nftnl_expr *nle, void *arg) return 0; } +struct stmt *netlink_parse_set_expr(struct set *set, struct nftnl_expr *nle) +{ + struct netlink_parse_ctx ctx, *pctx = &ctx; + + pctx->table = table_lookup(&set->handle); + assert(pctx->table != NULL); + + if (netlink_parse_expr(nle, pctx) < 0) + return NULL; + return pctx->stmt; +} + struct rule_pp_ctx { struct proto_ctx pctx; enum proto_bases pbase;
Add support to parse and print expressions attached to set elements. This is required for the flow statement, where expressions are dynamically instantiated and attached to set elements. Signed-off-by: Patrick McHardy <kaber@trash.net> --- include/expression.h | 1 + include/linux/netfilter/nf_tables.h | 2 ++ include/netlink.h | 3 +++ src/expression.c | 6 ++++++ src/netlink.c | 2 ++ src/netlink_delinearize.c | 12 ++++++++++++ 6 files changed, 26 insertions(+)