@@ -275,8 +275,9 @@ struct rule {
struct location location;
struct list_head stmts;
unsigned int num_stmts;
- const char *comment;
unsigned int refcnt;
+ const char *comment;
+ uint64_t cookie;
};
extern struct rule *rule_alloc(const struct location *loc,
@@ -2816,6 +2816,10 @@ static int parse_rule_udata_cb(const struct nftnl_udata *attr, void *data)
if (value[len - 1] != '\0')
return -1;
break;
+ case NFTNL_UDATA_RULE_COOKIE:
+ if (len != sizeof(uint64_t))
+ return -1;
+ break;
default:
return 0;
}
@@ -2823,24 +2827,28 @@ static int parse_rule_udata_cb(const struct nftnl_udata *attr, void *data)
return 0;
}
-static char *nftnl_rule_get_comment(const struct nftnl_rule *nlr)
+static int nftnl_rule_get_userdata(const struct nftnl_rule *nlr, struct rule *rule)
{
const struct nftnl_udata *tb[NFTNL_UDATA_RULE_MAX + 1] = {};
const void *data;
uint32_t len;
if (!nftnl_rule_is_set(nlr, NFTNL_RULE_USERDATA))
- return NULL;
+ return 0;
data = nftnl_rule_get_data(nlr, NFTNL_RULE_USERDATA, &len);
if (nftnl_udata_parse(data, len, parse_rule_udata_cb, tb) < 0)
- return NULL;
+ return -1;
- if (!tb[NFTNL_UDATA_RULE_COMMENT])
- return NULL;
+ if (tb[NFTNL_UDATA_RULE_COMMENT]) {
+ rule->comment =
+ xstrdup(nftnl_udata_get(tb[NFTNL_UDATA_RULE_COMMENT]));
+ }
+ if (tb[NFTNL_UDATA_RULE_COOKIE])
+ rule->cookie = nftnl_udata_get_u64(tb[NFTNL_UDATA_RULE_COOKIE]);
- return xstrdup(nftnl_udata_get(tb[NFTNL_UDATA_RULE_COMMENT]));
+ return 0;
}
struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
@@ -2866,7 +2874,7 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
pctx->table = table_lookup(&h, &ctx->nft->cache);
assert(pctx->table != NULL);
- pctx->rule->comment = nftnl_rule_get_comment(nlr);
+ nftnl_rule_get_userdata(nlr, pctx->rule);
nftnl_expr_foreach(nlr, netlink_parse_rule_expr, pctx);
@@ -1516,6 +1516,7 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
void netlink_linearize_rule(struct netlink_ctx *ctx, struct nftnl_rule *nlr,
const struct rule *rule)
{
+ struct nftnl_udata_buf *udata = NULL;
struct netlink_linearize_ctx lctx;
const struct stmt *stmt;
@@ -1526,20 +1527,27 @@ void netlink_linearize_rule(struct netlink_ctx *ctx, struct nftnl_rule *nlr,
list_for_each_entry(stmt, &rule->stmts, list)
netlink_gen_stmt(&lctx, stmt);
- if (rule->comment) {
- struct nftnl_udata_buf *udata;
-
+ if (rule->comment || rule->cookie) {
udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
if (!udata)
memory_allocation_error();
+ }
+ if (rule->comment) {
if (!nftnl_udata_put_strz(udata, NFTNL_UDATA_RULE_COMMENT,
rule->comment))
memory_allocation_error();
+ }
+ if (rule->cookie) {
+ if (!nftnl_udata_put_u64(udata, NFTNL_UDATA_RULE_COOKIE,
+ rule->cookie))
+ memory_allocation_error();
+ }
+
+ if (udata) {
nftnl_rule_set_data(nlr, NFTNL_RULE_USERDATA,
nftnl_udata_buf_data(udata),
nftnl_udata_buf_len(udata));
-
nftnl_udata_buf_free(udata);
}
@@ -543,6 +543,7 @@ int nft_lex(void *, void *, void *);
%token POSITION "position"
%token INDEX "index"
%token COMMENT "comment"
+%token COOKIE "cookie"
%token XML "xml"
%token JSON "json"
@@ -568,7 +569,7 @@ int nft_lex(void *, void *, void *);
%type <string> identifier type_identifier string comment_spec
%destructor { xfree($$); } identifier type_identifier string comment_spec
-%type <val> time_spec quota_used
+%type <val> time_spec quota_used cookie_spec
%type <expr> data_type_expr data_type_atom_expr
%destructor { expr_free($$); } data_type_expr data_type_atom_expr
@@ -2482,6 +2483,12 @@ comment_spec : COMMENT string
}
;
+cookie_spec : COOKIE NUM
+ {
+ $$ = $2;
+ }
+ ;
+
ruleset_spec : /* empty */
{
memset(&$$, 0, sizeof($$));
@@ -2502,6 +2509,15 @@ rule : rule_alloc
{
$$->comment = $2;
}
+ | rule_alloc cookie_spec
+ {
+ $$->cookie = $2;
+ }
+ | rule_alloc cookie_spec comment_spec
+ {
+ $$->cookie = $2;
+ $$->comment = $3;
+ }
;
rule_alloc : stmt_list
@@ -664,6 +664,8 @@ void rule_print(const struct rule *rule, struct output_ctx *octx)
nft_print(octx, " ");
}
+ if (rule->cookie)
+ nft_print(octx, " cookie %"PRIu64"", rule->cookie);
if (rule->comment)
nft_print(octx, " comment \"%s\"", rule->comment);
@@ -300,6 +300,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"position" { return POSITION; }
"index" { return INDEX; }
"comment" { return COMMENT; }
+"cookie" { return COOKIE; }
"constant" { return CONSTANT; }
"interval" { return INTERVAL; }
This patch allows users to specify a unsigned 64-bit cookie for rules. The userspace application assigns the cookie number for tracking the rule. The cookie needs to be non-zero. This cookie value is only relevant to userspace since this resides in the user data area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- Phil, you suggested a cookie to track rules, here it is. A few notes: - This patch is missing json support. - No need for kernel update since the cookie is stored in the user data area. include/rule.h | 3 ++- src/netlink_delinearize.c | 22 +++++++++++++++------- src/netlink_linearize.c | 16 ++++++++++++---- src/parser_bison.y | 18 +++++++++++++++++- src/rule.c | 2 ++ src/scanner.l | 1 + 6 files changed, 49 insertions(+), 13 deletions(-)