From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Leblond <eric@regit.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [nftables PATCH] Add support for insertion inside rule list
Date: Fri, 19 Jul 2013 14:28:33 +0200 [thread overview]
Message-ID: <20130719122833.GA30497@localhost> (raw)
In-Reply-To: <1373124837-6857-1-git-send-email-eric@regit.org>
[-- Attachment #1: Type: text/plain, Size: 1292 bytes --]
Hi Eric,
On Sat, Jul 06, 2013 at 05:33:57PM +0200, Eric Leblond wrote:
> This patch adds support for "insert before" and "add after"
> rule operation.
> The rule handle syntax has an new optional after/before field
> which take a handle as argument.
> Here is two examples:
> nft add rule filter output after 5 ip daddr 1.2.3.1 drop
> nft insert rule filter output before 5 ip daddr 1.2.3.1 drop
While testing this new feature, I noticed that the parser was
accepting this:
nft add rule filter output after 5 ip daddr 1.2.3.1 drop
nft insert rule filter output after 5 ip daddr 1.2.3.1 drop
Note that 'add' and 'insert' become semantically equivalent, which
seems inconsistent to me.
While fixing it using the 'before' and 'after', I noticed that 'add'
and 'insert' already tell us where to put the new rule, so 'after' and
'before' were repeating again what we want to do. I have reworked this
patch to change this initial syntax:
nft add rule filter output position 5 ip daddr 1.2.3.1 drop
nft insert rule filter output position 5 ip daddr 1.2.3.1 drop
We can support the after and before, but that would imply some extra
evaluation after the parsing that would make the patch bigger. So I
prefered to go the simpler solution.
Please, find the new patch attached. Thanks.
[-- Attachment #2: 0001-src-Add-support-for-insertion-inside-rule-list.patch --]
[-- Type: text/x-diff, Size: 5049 bytes --]
>From f8afcae4af949c1f8c71fc4dbbffdbddbedb7adf Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Sat, 6 Jul 2013 17:33:57 +0200
Subject: [PATCH] src: Add support for insertion inside rule list
This patch adds support to insert and to add rule using a rule
handle as reference. The rule handle syntax has an new optional
position field which take a handle as argument.
Two examples:
nft add rule filter output position 5 ip daddr 1.2.3.1 drop
nft insert rule filter output position 5 ip daddr 1.2.3.1 drop
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/rule.h | 2 ++
src/mnl.c | 2 +-
src/netlink.c | 2 ++
src/netlink_delinearize.c | 2 ++
src/parser.y | 17 +++++++++++++++--
src/rule.c | 2 ++
src/scanner.l | 2 ++
7 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index e0debe3..2577cff 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -13,6 +13,7 @@
* @chain: chain name (chains and rules only)
* @set: set name (sets only)
* @handle: rule handle (rules only)
+ * @position: rule position (rules only)
*/
struct handle {
uint32_t family;
@@ -20,6 +21,7 @@ struct handle {
const char *chain;
const char *set;
uint64_t handle;
+ uint64_t position;
};
extern void handle_merge(struct handle *dst, const struct handle *src);
diff --git a/src/mnl.c b/src/mnl.c
index a58f7ea..928d692 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -61,7 +61,7 @@ int mnl_nft_rule_add(struct mnl_socket *nf_sock, struct nft_rule *nlr,
nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE,
nft_rule_attr_get_u32(nlr, NFT_RULE_ATTR_FAMILY),
- NLM_F_APPEND|NLM_F_ACK|NLM_F_CREATE, seq);
+ flags|NLM_F_ACK|NLM_F_CREATE, seq);
nft_rule_nlmsg_build_payload(nlh, nlr);
return mnl_talk(nf_sock, nlh, nlh->nlmsg_len, NULL, NULL);
diff --git a/src/netlink.c b/src/netlink.c
index 2a7bdb5..5129cac 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -105,6 +105,8 @@ struct nft_rule *alloc_nft_rule(const struct handle *h)
nft_rule_attr_set_str(nlr, NFT_RULE_ATTR_CHAIN, h->chain);
if (h->handle)
nft_rule_attr_set_u64(nlr, NFT_RULE_ATTR_HANDLE, h->handle);
+ if (h->position)
+ nft_rule_attr_set_u64(nlr, NFT_RULE_ATTR_POSITION, h->position);
return nlr;
}
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 9348913..f92e83f 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -796,6 +796,8 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
h.table = xstrdup(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE));
h.chain = xstrdup(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_CHAIN));
h.handle = nft_rule_attr_get_u64(nlr, NFT_RULE_ATTR_HANDLE);
+ if (nft_rule_attr_is_set(nlr, NFT_RULE_ATTR_POSITION))
+ h.position = nft_rule_attr_get_u64(nlr, NFT_RULE_ATTR_POSITION);
pctx->rule = rule_alloc(&internal_location, &h);
pctx->table = table_lookup(&h);
diff --git a/src/parser.y b/src/parser.y
index 2923b59..91981e9 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -326,6 +326,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token SNAT "snat"
%token DNAT "dnat"
+%token POSITION "position"
+
%type <string> identifier string
%destructor { xfree($$); } identifier string
@@ -339,7 +341,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%destructor { handle_free(&$$); } table_spec tables_spec chain_spec chain_identifier ruleid_spec
%type <handle> set_spec set_identifier
%destructor { handle_free(&$$); } set_spec set_identifier
-%type <val> handle_spec family_spec
+%type <val> handle_spec family_spec position_spec
%type <table> table_block_alloc table_block
%destructor { table_free($$); } table_block_alloc
@@ -842,10 +844,21 @@ handle_spec : /* empty */
}
;
-ruleid_spec : chain_spec handle_spec
+position_spec : /* empty */
+ {
+ $$ = 0;
+ }
+ | POSITION NUM
+ {
+ $$ = $2;
+ }
+ ;
+
+ruleid_spec : chain_spec handle_spec position_spec
{
$$ = $1;
$$.handle = $2;
+ $$.position = $3;
}
;
diff --git a/src/rule.c b/src/rule.c
index 5a894cc..8368624 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -41,6 +41,8 @@ void handle_merge(struct handle *dst, const struct handle *src)
dst->set = xstrdup(src->set);
if (dst->handle == 0)
dst->handle = src->handle;
+ if (dst->position == 0)
+ dst->position = src->position;
}
struct set *set_alloc(const struct location *loc)
diff --git a/src/scanner.l b/src/scanner.l
index fe7b86c..7946e94 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -249,6 +249,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"flush" { return FLUSH; }
"rename" { return RENAME; }
+"position" { return POSITION; }
+
"counter" { return COUNTER; }
"packets" { return PACKETS; }
"bytes" { return BYTES; }
--
1.7.10.4
next prev parent reply other threads:[~2013-07-19 12:28 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 8:03 [RFC PATCH 0/1] add insert after to nf_tables Eric Leblond
2013-06-19 8:03 ` [PATCH] netfilter: nf_tables: add insert operation Eric Leblond
2013-06-19 8:04 ` [libnftables PATCH] examples: add insert rule example Eric Leblond
2013-06-19 9:47 ` [RFC PATCH 0/1] add insert after to nf_tables Tomasz Bursztyka
2013-06-20 9:42 ` Pablo Neira Ayuso
2013-06-20 9:52 ` Tomasz Bursztyka
2013-06-20 10:10 ` Pablo Neira Ayuso
2013-06-20 10:36 ` Tomasz Bursztyka
2013-06-20 10:46 ` Patrick McHardy
2013-06-20 10:59 ` Tomasz Bursztyka
2013-06-20 12:17 ` Eric Leblond
2013-06-28 21:05 ` [RFC PATCHv2] netfilter: nf_tables: add insert operation Eric Leblond
2013-06-29 10:24 ` Pablo Neira Ayuso
2013-07-06 15:31 ` [PATCHv3 nftables insert operation] Eric Leblond
2013-07-06 15:31 ` [PATCH] netfilter: nf_tables: add insert operation Eric Leblond
2013-07-07 21:56 ` Pablo Neira Ayuso
2013-07-08 22:56 ` [PATCHv4 nftables insert operation 0/1] Eric Leblond
2013-07-08 22:56 ` [PATCHv4] netfilter: nf_tables: add insert operation Eric Leblond
2013-07-15 10:48 ` Pablo Neira Ayuso
2013-07-15 17:27 ` Eric Leblond
2013-07-15 23:57 ` Pablo Neira Ayuso
2013-07-16 7:35 ` Eric Leblond
2013-07-16 10:00 ` Pablo Neira Ayuso
2013-07-16 10:07 ` Eric Leblond
2013-07-19 7:45 ` [PATCHv5] " Eric Leblond
2013-07-19 12:49 ` Pablo Neira Ayuso
2013-07-08 23:00 ` [nftables PATCH] rule: honor flag argument during rule creation Eric Leblond
2013-07-06 15:33 ` [libnftables PATCH 1/4] rule: add support for position attribute Eric Leblond
2013-07-06 15:33 ` [libnftables PATCH 2/4] examples: add insert rule example Eric Leblond
2013-07-19 12:31 ` Pablo Neira Ayuso
2013-07-06 15:33 ` [libnftables PATCH 3/4] rule: display position in default printf Eric Leblond
2013-07-19 12:32 ` Pablo Neira Ayuso
2013-07-06 15:33 ` [libnftables PATCH 4/4] rule: change type of function to use const Eric Leblond
2013-07-19 12:32 ` Pablo Neira Ayuso
2013-07-19 12:31 ` [libnftables PATCH 1/4] rule: add support for position attribute Pablo Neira Ayuso
2013-07-06 15:33 ` [nftables PATCH] Add support for insertion inside rule list Eric Leblond
2013-07-19 12:28 ` Pablo Neira Ayuso [this message]
2013-07-19 14:31 ` Eric Leblond
2013-07-19 15:50 ` Pablo Neira Ayuso
2013-07-01 7:01 ` [RFC PATCHv2] netfilter: nf_tables: add insert operation Tomasz Bursztyka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130719122833.GA30497@localhost \
--to=pablo@netfilter.org \
--cc=eric@regit.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.