From: Patrick McHardy <kaber@trash.net>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH 08/10] setelem: add timeout support for set elements
Date: Sun, 12 Apr 2015 13:16:16 +0100 [thread overview]
Message-ID: <1428840978-27226-9-git-send-email-kaber@trash.net> (raw)
In-Reply-To: <1428840978-27226-1-git-send-email-kaber@trash.net>
Support specifying per element timeout values and displaying the expiration
time.
If an element should not use the default timeout value of the set, an
element specific value can be specified as follows:
# nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m}
When listing elements that use the set's default timeout value, only the
expiration time is shown; otherwise the element-specific timeout value
is also displayed:
set test {
type ipv4_addr
timeout 1h
elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s}
}
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
include/expression.h | 2 ++
include/linux/netfilter/nf_tables.h | 4 ++++
src/expression.c | 8 ++++++++
src/netlink.c | 7 +++++++
src/parser_bison.y | 14 ++++++++++++++
5 files changed, 35 insertions(+)
diff --git a/include/expression.h b/include/expression.h
index d481f28..6f23b6d 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -234,6 +234,8 @@ struct expr {
struct {
/* EXPR_SET_ELEM */
struct expr *key;
+ uint64_t timeout;
+ uint64_t expiration;
};
struct {
/* EXPR_UNARY */
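Review bot: The two fields added to the `EXPR_SET_ELEM` member have no comment stating their unit or what zero means. Judging from the other hunks of this patch (the parser multiplies by 1000, the printer divides by 1000 and tests for non-zero), they appear to hold milliseconds, with 0 meaning "not set". Trailing comments such as `/* milliseconds, 0 = use set default */` on `timeout` and `/* milliseconds remaining, 0 = not reported */` on `expiration` would spare the next reader from re-deriving this. The enclosing struct starts and ends outside the hunk.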
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8671505..6894ba3 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -289,12 +289,16 @@ enum nft_set_elem_flags {
* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
*/
enum nft_set_elem_attributes {
NFTA_SET_ELEM_UNSPEC,
NFTA_SET_ELEM_KEY,
NFTA_SET_ELEM_DATA,
NFTA_SET_ELEM_FLAGS,
+ NFTA_SET_ELEM_TIMEOUT,
+ NFTA_SET_ELEM_EXPIRATION,
__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
diff --git a/src/expression.c b/src/expression.c
index 6789396..2037c60 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -889,6 +889,14 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set)
static void set_elem_expr_print(const struct expr *expr)
{
expr_print(expr->key);
+ if (expr->timeout) {
+ printf(" timeout ");
+ time_print(expr->timeout / 1000);
+ }
+ if (expr->expiration) {
+ printf(" expires ");
+ time_print(expr->expiration / 1000);
+ }
}
static void set_elem_expr_destroy(struct expr *expr)
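Review bot: In `set_elem_expr_print`, a non-zero value below 1000 passes the `if (expr->expiration)` test but reaches `time_print()` as 0 after the integer division, so an element in its last second prints " expires " followed by whatever `time_print(0)` emits (not visible here, possibly nothing). The same applies to `expr->timeout`. Rounding up, e.g. `time_print((expr->expiration + 999) / 1000);`, or testing the divided value in the condition, would keep the listing well-formed. Separately, the grammar hunk of this patch accepts only `timeout`, so a listing containing `expires` may not be loadable as input again; that should be confirmed against the rest of the series.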
diff --git a/src/netlink.c b/src/netlink.c
index 337d8a1..4de4f47 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -225,6 +225,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr)
netlink_gen_data(key, &nld);
nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, &nld.value, nld.len);
+ if (elem->timeout)
+ nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT,
+ elem->timeout);
if (data != NULL) {
netlink_gen_data(data, &nld);
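Review bot: `if (elem->timeout)` uses zero as the "not specified" marker, so an element given an explicit zero timeout is sent without `NFT_SET_ELEM_ATTR_TIMEOUT` and, going by the commit description, falls back to the set's default. Whether `time_spec` can yield 0 is not visible in this patch; if it can, the user's request is silently replaced with a different lifetime. Either reject a zero value in the parser action or track presence separately from the value. A one-line comment here, such as `/* 0 means no per-element timeout; the set default applies */`, would at least document the convention. `alloc_nft_setelem` continues outside the hunk.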
@@ -1125,6 +1128,10 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse,
key = bitmask_expr_to_binops(key);
expr = set_elem_expr_alloc(&netlink_location, key);
+ if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_TIMEOUT))
+ expr->timeout = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT);
+ if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION))
+ expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION);
if (flags & NFT_SET_ELEM_INTERVAL_END) {
expr->flags |= EXPR_F_INTERVAL_END;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 8083187..736704a 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1779,6 +1779,7 @@ set_list_member_expr : opt_newline set_expr opt_newline
;
set_elem_expr : set_elem_expr_alloc
+ | set_elem_expr_alloc set_elem_options
;
set_elem_expr_alloc : set_lhs_expr
@@ -1787,6 +1788,19 @@ set_elem_expr_alloc : set_lhs_expr
}
;
+set_elem_options : set_elem_option
+ {
+ $<expr>$ = $<expr>0;
+ }
+ | set_elem_options set_elem_option
+ ;
+
+set_elem_option : TIMEOUT time_spec
+ {
+ $<expr>0->timeout = $2 * 1000;
+ }
+ ;
+
set_lhs_expr : concat_expr
| multiton_expr
;
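Review bot: `$2 * 1000` in the `set_elem_option` action is unchecked. If `time_spec` yields a 64-bit count of seconds (its type is declared outside this hunk), a large enough value wraps and the element gets a much shorter timeout than was typed, which matters when the set holds entries that are expected to persist, such as a block list. A bound test before the assignment, `if ($2 > UINT64_MAX / 1000)` followed by the parser's usual error path, would reject such input instead of truncating it. The `set_elem_options set_elem_option` recursion also accepts a repeated `timeout`, where the last value silently wins. The `$<expr>0` references depend on `set_elem_expr_alloc` being directly below on the value stack, which deserves a short comment.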
--
2.1.0
2015-04-12 12:16 [PATCH 00/10] nftables: set timeouts and dynamic updates Patrick McHardy
2015-04-12 12:16 ` [PATCH 01/10] datatype: fix parsing of time type Patrick McHardy
2015-04-12 12:16 ` [PATCH 02/10] datatype: less strict time parsing Patrick McHardy
2015-04-12 12:16 ` [PATCH 03/10] datatype: seperate time parsing/printing from time_type Patrick McHardy
2015-04-12 12:16 ` [PATCH 04/10] parser: add a time_spec rule Patrick McHardy
2015-04-12 12:16 ` [PATCH 05/10] parser: fix inconsistencies in set expression rules Patrick McHardy
2015-04-12 12:16 ` [PATCH 06/10] expr: add set_elem_expr as container for set element attributes Patrick McHardy
2015-04-12 12:16 ` [PATCH 07/10] set: add timeout support for sets Patrick McHardy
2015-04-12 12:16 ` Patrick McHardy [this message]
2015-04-12 12:16 ` [PATCH 09/10] setelem: add support for attaching comments to set elements Patrick McHardy
2015-04-12 12:16 ` [PATCH 10/10] nftables: add set statement Patrick McHardy