* [PATCH nft 0/2] multi-statement support for set elements
@ 2020-12-17 11:33 Pablo Neira Ayuso
2020-12-17 11:33 ` [PATCH nft 1/2] src: add support for multi-statement in dynamic sets and maps Pablo Neira Ayuso
2020-12-17 11:33 ` [PATCH nft 2/2] src: add set element multi-statement support Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-17 11:33 UTC (permalink / raw)
To: netfilter-devel
Hi,
This patchset adds multi-statement support for set elements. This
requires Linux kernel >= 5.11-rc1 (yet to be released by the time I'm
writing this). The following example shows how to define a dynamic set
that can be updated from the packet path with multi-statement support:
table x {
set y {
type ipv4_addr
flags dynamic
timeout 1h
limit rate 1/second counter
}
chain z {
type filter hook output priority 0;
add @y { ip daddr limit rate 1/second counter }
}
}
You might also want to use this new feature with sets:
table x {
set y {
type ipv4_addr
limit rate 1/second counter
}
chain y {
type filter hook output priority filter; policy accept;
ip daddr @y
}
}
then, add elements to this set:
nft add element x y { 192.168.120.234 limit rate 1/second counter }
I'll follow up with a patch to update the test infrastructure to cover
this new feature.
Pablo Neira Ayuso (2):
src: add support for multi-statement in dynamic sets and maps
src: add set element multi-statement support
include/expression.h | 2 +-
include/list.h | 7 +++
include/rule.h | 2 +-
include/statement.h | 4 +-
src/evaluate.c | 82 +++++++++++++++++++++---------
src/expression.c | 18 +++++--
src/json.c | 10 ++--
src/mnl.c | 17 +++++--
src/netlink.c | 69 +++++++++++++++++++++++--
src/netlink_delinearize.c | 74 ++++++++++++++++++++++-----
src/netlink_linearize.c | 41 ++++++++++++---
src/parser_bison.y | 104 ++++++++++++++++++++++++--------------
src/rule.c | 24 +++++++--
src/segtree.c | 6 +--
src/statement.c | 34 ++++++++++---
15 files changed, 373 insertions(+), 121 deletions(-)
--
2.20.1
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH nft 1/2] src: add support for multi-statement in dynamic sets and maps 2020-12-17 11:33 [PATCH nft 0/2] multi-statement support for set elements Pablo Neira Ayuso @ 2020-12-17 11:33 ` Pablo Neira Ayuso 2020-12-17 11:33 ` [PATCH nft 2/2] src: add set element multi-statement support Pablo Neira Ayuso 1 sibling, 0 replies; 4+ messages in thread From: Pablo Neira Ayuso @ 2020-12-17 11:33 UTC (permalink / raw) To: netfilter-devel This patch allows for two statements for dynamic set updates, e.g. nft rule x y add @y { ip daddr limit rate 1/second counter } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/statement.h | 4 +-- src/evaluate.c | 24 +++++++------ src/netlink.c | 1 + src/netlink_delinearize.c | 74 +++++++++++++++++++++++++++++++-------- src/netlink_linearize.c | 41 +++++++++++++++++----- src/parser_bison.y | 25 +++++++++---- src/statement.c | 34 +++++++++++++----- 7 files changed, 155 insertions(+), 48 deletions(-) diff --git a/include/statement.h b/include/statement.h index f2fc6ade7734..7637a82e4e00 100644 --- a/include/statement.h +++ b/include/statement.h @@ -201,7 +201,7 @@ uint32_t fwd_stmt_type(const char *type); struct set_stmt { struct expr *set; struct expr *key; - struct stmt *stmt; + struct list_head stmt_list; enum nft_dynset_ops op; }; @@ -213,7 +213,7 @@ struct map_stmt { struct expr *set; struct expr *key; struct expr *data; - struct stmt *stmt; + struct list_head stmt_list; enum nft_dynset_ops op; }; diff --git a/src/evaluate.c b/src/evaluate.c index e776cd018051..03f060eb465a 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3370,6 +3370,8 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt) static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) { + struct stmt *this; + expr_set_context(&ctx->ectx, NULL, 0); if (expr_evaluate(ctx, &stmt->set.set) < 0) return -1; @@ -3389,12 +3391,12 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) if (stmt->set.key->comment != NULL) return expr_error(ctx->msgs, stmt->set.key, "Key expression comments are not supported"); - if (stmt->set.stmt) { - if (stmt_evaluate(ctx, stmt->set.stmt) < 0) + list_for_each_entry(this, &stmt->set.stmt_list, list) { + if (stmt_evaluate(ctx, this) < 0) return -1; - if (!(stmt->set.stmt->flags & STMT_F_STATEFUL)) - return stmt_binary_error(ctx, stmt->set.stmt, stmt, - "meter statement must be stateful"); + if (!(this->flags & STMT_F_STATEFUL)) + return stmt_error(ctx, this, + "statement must be stateful"); } return 0; @@ -3402,6 +3404,8 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) { + struct stmt *this; + expr_set_context(&ctx->ectx, NULL, 0); if (expr_evaluate(ctx, &stmt->map.set) < 0) return -1; @@ -3435,12 +3439,12 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) return expr_error(ctx->msgs, stmt->map.data, "Data expression comments are not supported"); - if (stmt->map.stmt) { - if (stmt_evaluate(ctx, stmt->map.stmt) < 0) + list_for_each_entry(this, &stmt->map.stmt_list, list) { + if (stmt_evaluate(ctx, this) < 0) return -1; - if (!(stmt->map.stmt->flags & STMT_F_STATEFUL)) - return stmt_binary_error(ctx, stmt->map.stmt, stmt, - "meter statement must be stateful"); + if (!(this->flags & STMT_F_STATEFUL)) + return stmt_error(ctx, this, + "statement must be stateful"); } return 0; diff --git a/src/netlink.c b/src/netlink.c index 8098b9746c95..ab0290926eaf 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -1132,6 +1132,7 @@ key_end: key = bitmask_expr_to_binops(key); expr = set_elem_expr_alloc(&netlink_location, key); + if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_TIMEOUT)) expr->timeout = nftnl_set_elem_get_u64(nlse, NFTNL_SET_ELEM_TIMEOUT); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPIRATION)) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 8b06c4c0985f..731507228411 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1489,17 +1489,47 @@ static void netlink_parse_queue(struct netlink_parse_ctx *ctx, ctx->stmt = stmt; } +struct dynset_parse_ctx { + struct netlink_parse_ctx *nlctx; + const struct location *loc; + struct list_head stmt_list; +}; + +static int dynset_parse_expressions(struct nftnl_expr *e, void *data) +{ + struct dynset_parse_ctx *dynset_parse_ctx = data; + struct netlink_parse_ctx *ctx = dynset_parse_ctx->nlctx; + const struct location *loc = dynset_parse_ctx->loc; + struct stmt *stmt; + + if (netlink_parse_expr(e, ctx) < 0 || !ctx->stmt) { + netlink_error(ctx, loc, "Could not parse dynset stmt"); + return -1; + } + stmt = ctx->stmt; + + list_add_tail(&stmt->list, &dynset_parse_ctx->stmt_list); + + return 0; +} + static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, const struct location *loc, const struct nftnl_expr *nle) { + struct dynset_parse_ctx dynset_parse_ctx = { + .nlctx = ctx, + .loc = loc, + }; struct expr *expr, *expr_data = NULL; enum nft_registers sreg, sreg_data; + struct stmt *stmt, *dstmt, *next; const struct nftnl_expr *dnle; - struct stmt *stmt, *dstmt; struct set *set; const char *name; + init_list_head(&dynset_parse_ctx.stmt_list); + name = nftnl_expr_get_str(nle, NFTNL_EXPR_DYNSET_SET_NAME); set = set_lookup(ctx->table, name); if (set == NULL) @@ -1523,16 +1553,25 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, expr = set_elem_expr_alloc(&expr->location, expr); expr->timeout = nftnl_expr_get_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT); - dstmt = NULL; - dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL); - if (dnle != NULL) { - if (netlink_parse_expr(dnle, ctx) < 0) - goto out_err; - if (ctx->stmt == NULL) { - netlink_error(ctx, loc, "Could not parse dynset stmt"); - goto out_err; + if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_EXPR)) { + dstmt = NULL; + dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL); + if (dnle != NULL) { + if (netlink_parse_expr(dnle, ctx) < 0) + goto out_err; + if (ctx->stmt == NULL) { + netlink_error(ctx, loc, + "Could not parse dynset stmt"); + goto out_err; + } + dstmt = ctx->stmt; + list_add_tail(&dstmt->list, + &dynset_parse_ctx.stmt_list); } - dstmt = ctx->stmt; + } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS)) { + if (nftnl_expr_expr_foreach(nle, dynset_parse_expressions, + &dynset_parse_ctx) < 0) + goto out_err; } if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) { @@ -1546,27 +1585,34 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, stmt->map.set = set_ref_expr_alloc(loc, set); stmt->map.key = expr; stmt->map.data = expr_data; - stmt->map.stmt = dstmt; stmt->map.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP); + list_splice_tail(&dynset_parse_ctx.stmt_list, + &stmt->map.stmt_list); } else { - if (dstmt != NULL && set->flags & NFT_SET_ANONYMOUS) { + if (!list_empty(&dynset_parse_ctx.stmt_list) && + set->flags & NFT_SET_ANONYMOUS) { stmt = meter_stmt_alloc(loc); stmt->meter.set = set_ref_expr_alloc(loc, set); stmt->meter.key = expr; - stmt->meter.stmt = dstmt; + stmt->meter.stmt = list_first_entry(&dynset_parse_ctx.stmt_list, + struct stmt, list); stmt->meter.size = set->desc.size; } else { stmt = set_stmt_alloc(loc); stmt->set.set = set_ref_expr_alloc(loc, set); stmt->set.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP); stmt->set.key = expr; - stmt->set.stmt = dstmt; + list_splice_tail(&dynset_parse_ctx.stmt_list, + &stmt->set.stmt_list); } } ctx->stmt = stmt; return; out_err: + list_for_each_entry_safe(dstmt, next, &dynset_parse_ctx.stmt_list, list) + stmt_free(dstmt); + xfree(expr); } diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 05af8bb1b485..09d0c61cfcc0 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -1397,8 +1397,10 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx, const struct stmt *stmt) { struct set *set = stmt->meter.set->set; - struct nftnl_expr *nle; enum nft_registers sreg_key; + struct nftnl_expr *nle; + int num_stmts = 0; + struct stmt *this; sreg_key = get_register(ctx, stmt->set.key->key); netlink_gen_expr(ctx, stmt->set.key->key, sreg_key); @@ -1414,9 +1416,20 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx, nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id); nft_rule_add_expr(ctx, nle, &stmt->location); - if (stmt->set.stmt) - nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR, - netlink_gen_stmt_stateful(stmt->set.stmt), 0); + list_for_each_entry(this, &stmt->set.stmt_list, list) + num_stmts++; + + if (num_stmts == 1) { + list_for_each_entry(this, &stmt->set.stmt_list, list) { + nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR, + netlink_gen_stmt_stateful(this), 0); + } + } else if (num_stmts > 1) { + list_for_each_entry(this, &stmt->set.stmt_list, list) { + nftnl_expr_add_expr(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS, + netlink_gen_stmt_stateful(this)); + } + } } static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx, @@ -1426,6 +1439,8 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx, enum nft_registers sreg_data; enum nft_registers sreg_key; struct nftnl_expr *nle; + int num_stmts = 0; + struct stmt *this; sreg_key = get_register(ctx, stmt->map.key); netlink_gen_expr(ctx, stmt->map.key, sreg_key); @@ -1443,12 +1458,22 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx, nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_OP, stmt->map.op); nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name); nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id); + nft_rule_add_expr(ctx, nle, &stmt->location); - if (stmt->map.stmt) - nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR, - netlink_gen_stmt_stateful(stmt->map.stmt), 0); + list_for_each_entry(this, &stmt->map.stmt_list, list) + num_stmts++; - nft_rule_add_expr(ctx, nle, &stmt->location); + if (num_stmts == 1) { + list_for_each_entry(this, &stmt->map.stmt_list, list) { + nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR, + netlink_gen_stmt_stateful(this), 0); + } + } else if (num_stmts > 1) { + list_for_each_entry(this, &stmt->map.stmt_list, list) { + nftnl_expr_add_expr(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS, + netlink_gen_stmt_stateful(this)); + } + } } static void netlink_gen_meter_stmt(struct netlink_linearize_ctx *ctx, diff --git a/src/parser_bison.y b/src/parser_bison.y index 08aadaa32a86..2582ca1d3a0c 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -624,8 +624,8 @@ int nft_lex(void *, void *, void *); %type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block ct_expect_block limit_block secmark_block synproxy_block %destructor { obj_free($$); } obj_block_alloc -%type <list> stmt_list -%destructor { stmt_list_free($$); xfree($$); } stmt_list +%type <list> stmt_list stateful_stmt_list +%destructor { stmt_list_free($$); xfree($$); } stmt_list stateful_stmt_list %type <stmt> stmt match_stmt verdict_stmt %destructor { stmt_free($$); } stmt match_stmt verdict_stmt %type <stmt> counter_stmt counter_stmt_alloc stateful_stmt @@ -2656,6 +2656,19 @@ stmt_list : stmt } ; +stateful_stmt_list : stateful_stmt + { + $$ = xmalloc(sizeof(*$$)); + init_list_head($$); + list_add_tail(&$1->list, $$); + } + | stateful_stmt_list stateful_stmt + { + $$ = $1; + list_add_tail(&$2->list, $1); + } + ; + stateful_stmt : counter_stmt | limit_stmt | quota_stmt @@ -3675,13 +3688,13 @@ set_stmt : SET set_stmt_op set_elem_expr_stmt set_ref_expr $$->set.key = $4; $$->set.set = $2; } - | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt '}' + | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt_list '}' { $$ = set_stmt_alloc(&@$); $$->set.op = $1; $$->set.key = $4; $$->set.set = $2; - $$->set.stmt = $5; + list_splice_tail($5, &$$->set.stmt_list); } ; @@ -3698,14 +3711,14 @@ map_stmt : set_stmt_op set_ref_expr '{' set_elem_expr_stmt COLON set_elem_expr_ $$->map.data = $6; $$->map.set = $2; } - | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt COLON set_elem_expr_stmt '}' + | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt_list COLON set_elem_expr_stmt '}' { $$ = map_stmt_alloc(&@$); $$->map.op = $1; $$->map.key = $4; $$->map.data = $7; - $$->map.stmt = $5; $$->map.set = $2; + list_splice_tail($5, &$$->map.stmt_list); } ; diff --git a/src/statement.c b/src/statement.c index 6fe8e9d9beb4..39020857ae9c 100644 --- a/src/statement.c +++ b/src/statement.c @@ -732,15 +732,16 @@ const char * const set_stmt_op_names[] = { static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx) { unsigned int flags = octx->flags; + struct stmt *this; nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]); expr_print(stmt->set.set, octx); nft_print(octx, " { "); expr_print(stmt->set.key, octx); - if (stmt->set.stmt) { + list_for_each_entry(this, &stmt->set.stmt_list, list) { nft_print(octx, " "); octx->flags |= NFT_CTX_OUTPUT_STATELESS; - stmt_print(stmt->set.stmt, octx); + stmt_print(this, octx); octx->flags = flags; } nft_print(octx, " }"); @@ -748,9 +749,12 @@ static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx) static void set_stmt_destroy(struct stmt *stmt) { + struct stmt *this, *next; + expr_free(stmt->set.key); expr_free(stmt->set.set); - stmt_free(stmt->set.stmt); + list_for_each_entry_safe(this, next, &stmt->set.stmt_list, list) + stmt_free(this); } static const struct stmt_ops set_stmt_ops = { @@ -763,21 +767,27 @@ static const struct stmt_ops set_stmt_ops = { struct stmt *set_stmt_alloc(const struct location *loc) { - return stmt_alloc(loc, &set_stmt_ops); + struct stmt *stmt; + + stmt = stmt_alloc(loc, &set_stmt_ops); + init_list_head(&stmt->set.stmt_list); + + return stmt; } static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx) { unsigned int flags = octx->flags; + struct stmt *this; nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]); expr_print(stmt->map.set, octx); nft_print(octx, " { "); expr_print(stmt->map.key, octx); - if (stmt->map.stmt) { + list_for_each_entry(this, &stmt->map.stmt_list, list) { nft_print(octx, " "); octx->flags |= NFT_CTX_OUTPUT_STATELESS; - stmt_print(stmt->map.stmt, octx); + stmt_print(this, octx); octx->flags = flags; } nft_print(octx, " : "); @@ -787,10 +797,13 @@ static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx) static void map_stmt_destroy(struct stmt *stmt) { + struct stmt *this, *next; + expr_free(stmt->map.key); expr_free(stmt->map.data); expr_free(stmt->map.set); - stmt_free(stmt->map.stmt); + list_for_each_entry_safe(this, next, &stmt->map.stmt_list, list) + stmt_free(this); } static const struct stmt_ops map_stmt_ops = { @@ -802,7 +815,12 @@ static const struct stmt_ops map_stmt_ops = { struct stmt *map_stmt_alloc(const struct location *loc) { - return stmt_alloc(loc, &map_stmt_ops); + struct stmt *stmt; + + stmt = stmt_alloc(loc, &map_stmt_ops); + init_list_head(&stmt->map.stmt_list); + + return stmt; } static void dup_stmt_print(const struct stmt *stmt, struct output_ctx *octx) -- 2.20.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH nft 2/2] src: add set element multi-statement support 2020-12-17 11:33 [PATCH nft 0/2] multi-statement support for set elements Pablo Neira Ayuso 2020-12-17 11:33 ` [PATCH nft 1/2] src: add support for multi-statement in dynamic sets and maps Pablo Neira Ayuso @ 2020-12-17 11:33 ` Pablo Neira Ayuso 1 sibling, 0 replies; 4+ messages in thread From: Pablo Neira Ayuso @ 2020-12-17 11:33 UTC (permalink / raw) To: netfilter-devel Extend the set element infrastructure to support for several statements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/expression.h | 2 +- include/list.h | 7 ++++ include/rule.h | 2 +- src/evaluate.c | 58 +++++++++++++++++++++++-------- src/expression.c | 18 +++++++--- src/json.c | 10 ++++-- src/mnl.c | 17 +++++++-- src/netlink.c | 68 +++++++++++++++++++++++++++++++++--- src/parser_bison.y | 83 +++++++++++++++++++++++++------------------- src/rule.c | 24 ++++++++++--- src/segtree.c | 6 ++-- 11 files changed, 220 insertions(+), 75 deletions(-) diff --git a/include/expression.h b/include/expression.h index 894a68d2e822..718dac5a122d 100644 --- a/include/expression.h +++ b/include/expression.h @@ -280,7 +280,7 @@ struct expr { uint64_t timeout; uint64_t expiration; const char *comment; - struct stmt *stmt; + struct list_head stmt_list; uint32_t elem_flags; }; struct { diff --git a/include/list.h b/include/list.h index 9c4da81749de..857921e34201 100644 --- a/include/list.h +++ b/include/list.h @@ -348,6 +348,13 @@ static inline void list_splice_tail_init(struct list_head *list, #define list_first_entry(ptr, type, member) \ list_entry((ptr)->next, type, member) +/** + * list_next_entry - get the next element in list + * @pos: the type * to cursor + * @member: the name of the list_head within the struct. + */ +#define list_next_entry(pos, member) \ + list_entry((pos)->member.next, typeof(*(pos)), member) /** * list_for_each_entry - iterate over list of given type diff --git a/include/rule.h b/include/rule.h index 119fc19d79c8..330a09aa77fa 100644 --- a/include/rule.h +++ b/include/rule.h @@ -333,7 +333,7 @@ struct set { struct expr *init; struct expr *rg_cache; uint32_t policy; - struct stmt *stmt; + struct list_head stmt_list; bool root; bool automerge; bool key_typeof_valid; diff --git a/src/evaluate.c b/src/evaluate.c index 03f060eb465a..7e34f12c996f 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1340,27 +1340,57 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr) return 0; } -static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr) +static int __expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr *elem) { + int num_elem_exprs = 0, num_set_exprs = 0; struct set *set = ctx->set; - struct expr *elem = *expr; + struct stmt *stmt; - if (elem->stmt) { - if (set->stmt && set->stmt->ops != elem->stmt->ops) { - return stmt_error(ctx, elem->stmt, - "statement mismatch, element expects %s, " - "but %s has type %s", - elem->stmt->ops->name, - set_is_map(set->flags) ? "map" : "set", - set->stmt->ops->name); - } else if (!set->stmt && !(set->flags & NFT_SET_EVAL)) { - return stmt_error(ctx, elem->stmt, - "missing %s statement in %s definition", - elem->stmt->ops->name, + list_for_each_entry(stmt, &elem->stmt_list, list) + num_elem_exprs++; + list_for_each_entry(stmt, &set->stmt_list, list) + num_set_exprs++; + + if (num_elem_exprs > 0) { + if (num_elem_exprs != num_set_exprs) + return expr_error(ctx->msgs, elem, + "number of statements mismatch, set expects %d " + "but element has %d", num_set_exprs, + num_elem_exprs); + else if (!(set->flags & NFT_SET_EVAL)) + return expr_error(ctx->msgs, elem, + "missing statements in %s definition", set_is_map(set->flags) ? "map" : "set"); + } + + if (num_set_exprs > 0) { + struct stmt *set_stmt, *elem_stmt; + + set_stmt = list_first_entry(&set->stmt_list, struct stmt, list); + + list_for_each_entry(elem_stmt, &elem->stmt_list, list) { + if (set_stmt->ops != elem_stmt->ops) { + return stmt_error(ctx, elem_stmt, + "statement mismatch, element expects %s, " + "but %s has type %s", + elem_stmt->ops->name, + set_is_map(set->flags) ? "map" : "set", + set_stmt->ops->name); + } + set_stmt = list_next_entry(set_stmt, list); } } + return 0; +} + +static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr) +{ + struct expr *elem = *expr; + + if (ctx->set && __expr_evaluate_set_elem(ctx, elem) < 0) + return -1; + if (expr_evaluate(ctx, &elem->key) < 0) return -1; diff --git a/src/expression.c b/src/expression.c index 87bd4d01bb72..58d73e9509b0 100644 --- a/src/expression.c +++ b/src/expression.c @@ -1248,7 +1248,13 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set) static void set_elem_expr_print(const struct expr *expr, struct output_ctx *octx) { + struct stmt *stmt; + expr_print(expr->key, octx); + list_for_each_entry(stmt, &expr->stmt_list, list) { + nft_print(octx, " "); + stmt_print(stmt, octx); + } if (expr->timeout) { nft_print(octx, " timeout "); time_print(expr->timeout, octx); @@ -1257,19 +1263,18 @@ static void set_elem_expr_print(const struct expr *expr, nft_print(octx, " expires "); time_print(expr->expiration, octx); } - if (expr->stmt) { - nft_print(octx, " "); - stmt_print(expr->stmt, octx); - } if (expr->comment) nft_print(octx, " comment \"%s\"", expr->comment); } static void set_elem_expr_destroy(struct expr *expr) { + struct stmt *stmt, *next; + xfree(expr->comment); expr_free(expr->key); - stmt_free(expr->stmt); + list_for_each_entry_safe(stmt, next, &expr->stmt_list, list) + stmt_free(stmt); } static void set_elem_expr_clone(struct expr *new, const struct expr *expr) @@ -1279,6 +1284,7 @@ static void set_elem_expr_clone(struct expr *new, const struct expr *expr) new->timeout = expr->timeout; if (expr->comment) new->comment = xstrdup(expr->comment); + init_list_head(&new->stmt_list); } static const struct expr_ops set_elem_expr_ops = { @@ -1297,6 +1303,8 @@ struct expr *set_elem_expr_alloc(const struct location *loc, struct expr *key) expr = expr_alloc(loc, EXPR_SET_ELEM, key->dtype, key->byteorder, key->len); expr->key = key; + init_list_head(&expr->stmt_list); + return expr; } diff --git a/src/json.c b/src/json.c index 0b398bf0b25d..585d35326ac0 100644 --- a/src/json.c +++ b/src/json.c @@ -583,13 +583,15 @@ json_t *set_ref_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx) { json_t *root = expr_print_json(expr->key, octx); + struct stmt *stmt; json_t *tmp; if (!root) return NULL; /* these element attributes require formal set elem syntax */ - if (expr->timeout || expr->expiration || expr->comment || expr->stmt) { + if (expr->timeout || expr->expiration || expr->comment || + !list_empty(&expr->stmt_list)) { root = json_pack("{s:o}", "val", root); if (expr->timeout) { @@ -604,11 +606,13 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx) tmp = json_string(expr->comment); json_object_set_new(root, "comment", tmp); } - if (expr->stmt) { - tmp = stmt_print_json(expr->stmt, octx); + list_for_each_entry(stmt, &expr->stmt_list, list) { + tmp = stmt_print_json(stmt, octx); /* XXX: detect and complain about clashes? */ json_object_update_missing(root, tmp); json_decref(tmp); + /* TODO: only one statement per element. */ + break; } return json_pack("{s:o}", "elem", root); } diff --git a/src/mnl.c b/src/mnl.c index cd12309b6ef8..84cfb2380f55 100644 --- a/src/mnl.c +++ b/src/mnl.c @@ -1046,6 +1046,8 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd, struct set *set = cmd->set; struct nftnl_set *nls; struct nlmsghdr *nlh; + struct stmt *stmt; + int num_stmts = 0; nls = nftnl_set_alloc(); if (!nls) @@ -1128,9 +1130,18 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd, nftnl_udata_buf_len(udbuf)); nftnl_udata_buf_free(udbuf); - if (set->stmt) { - nftnl_set_set_data(nls, NFTNL_SET_EXPR, - netlink_gen_stmt_stateful(set->stmt), 0); + list_for_each_entry(stmt, &set->stmt_list, list) + num_stmts++; + + if (num_stmts == 1) { + list_for_each_entry(stmt, &set->stmt_list, list) { + nftnl_set_set_data(nls, NFTNL_SET_EXPR, + netlink_gen_stmt_stateful(stmt), 0); + break; + } + } else if (num_stmts > 1) { + list_for_each_entry(stmt, &set->stmt_list, list) + nftnl_set_add_expr(nls, netlink_gen_stmt_stateful(stmt)); } netlink_dump_set(nls, ctx); diff --git a/src/netlink.c b/src/netlink.c index ab0290926eaf..1f46e169ff0b 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -104,6 +104,8 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, struct nftnl_set_elem *nlse; struct nft_data_linearize nld; struct nftnl_udata_buf *udbuf = NULL; + int num_exprs = 0; + struct stmt *stmt; struct expr *key; nlse = nftnl_set_elem_alloc(); @@ -138,9 +140,20 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, if (elem->expiration) nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION, elem->expiration); - if (elem->stmt) - nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR, - netlink_gen_stmt_stateful(elem->stmt), 0); + list_for_each_entry(stmt, &elem->stmt_list, list) + num_exprs++; + + if (num_exprs == 1) { + list_for_each_entry(stmt, &elem->stmt_list, list) { + nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR, + netlink_gen_stmt_stateful(stmt), 0); + } + } else if (num_exprs > 1) { + list_for_each_entry(stmt, &elem->stmt_list, list) { + nftnl_set_elem_add_expr(nlse, + netlink_gen_stmt_stateful(stmt)); + } + } if (elem->comment || expr->elem_flags) { udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN); if (!udbuf) @@ -766,6 +779,25 @@ static bool set_udata_key_valid(const struct expr *e, const struct datatype *d, return div_round_up(e->len, BITS_PER_BYTE) == len / BITS_PER_BYTE; } +struct setelem_parse_ctx { + struct set *set; + struct nft_cache *cache; + struct list_head stmt_list; +}; + +static int set_elem_parse_expressions(struct nftnl_expr *e, void *data) +{ + struct setelem_parse_ctx *setelem_parse_ctx = data; + struct nft_cache *cache = setelem_parse_ctx->cache; + struct set *set = setelem_parse_ctx->set; + struct stmt *stmt; + + stmt = netlink_parse_set_expr(set, cache, e); + list_add_tail(&stmt->list, &setelem_parse_ctx->stmt_list); + + return 0; +} + struct set *netlink_delinearize_set(struct netlink_ctx *ctx, const struct nftnl_set *nls) { @@ -774,6 +806,9 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, enum byteorder databyteorder = BYTEORDER_INVALID; const struct datatype *keytype, *datatype = NULL; struct expr *typeof_expr_key, *typeof_expr_data; + struct setelem_parse_ctx set_parse_ctx = { + .cache = &ctx->nft->cache, + }; const char *udata, *comment = NULL; uint32_t flags, key, objtype = 0; const struct datatype *dtype; @@ -783,6 +818,8 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, uint32_t ulen; uint32_t klen; + init_list_head(&set_parse_ctx.stmt_list); + typeof_expr_key = NULL; typeof_expr_data = NULL; @@ -847,12 +884,20 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, if (comment) set->comment = comment; + set_parse_ctx.set = set; + if (nftnl_set_is_set(nls, NFTNL_SET_EXPR)) { const struct nftnl_expr *nle; + struct stmt *stmt; nle = nftnl_set_get(nls, NFTNL_SET_EXPR); - set->stmt = netlink_parse_set_expr(set, &ctx->nft->cache, nle); + stmt = netlink_parse_set_expr(set, &ctx->nft->cache, nle); + list_add_tail(&stmt->list, &set_parse_ctx.stmt_list); + } else if (nftnl_set_is_set(nls, NFTNL_SET_EXPRESSIONS)) { + nftnl_set_expr_foreach(nls, set_elem_parse_expressions, + &set_parse_ctx); } + list_splice_tail(&set_parse_ctx.stmt_list, &set->stmt_list); if (datatype) { dtype = set_datatype_alloc(datatype, databyteorder); @@ -1107,10 +1152,16 @@ static void set_elem_parse_udata(struct nftnl_set_elem *nlse, int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, struct set *set, struct nft_cache *cache) { + struct setelem_parse_ctx setelem_parse_ctx = { + .set = set, + .cache = cache, + }; struct nft_data_delinearize nld; struct expr *expr, *key, *data; uint32_t flags = 0; + init_list_head(&setelem_parse_ctx.stmt_list); + nld.value = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_KEY, &nld.len); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_FLAGS)) @@ -1141,10 +1192,17 @@ key_end: set_elem_parse_udata(nlse, expr); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPR)) { const struct nftnl_expr *nle; + struct stmt *stmt; nle = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_EXPR, NULL); - expr->stmt = netlink_parse_set_expr(set, cache, nle); + stmt = netlink_parse_set_expr(set, cache, nle); + list_add_tail(&stmt->list, &setelem_parse_ctx.stmt_list); + } else if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPRESSIONS)) { + nftnl_set_elem_expr_foreach(nlse, set_elem_parse_expressions, + &setelem_parse_ctx); } + list_splice_tail(&setelem_parse_ctx.stmt_list, &expr->stmt_list); + if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; if (mpz_cmp_ui(set->key->value, 0) == 0) diff --git a/src/parser_bison.y b/src/parser_bison.y index 2582ca1d3a0c..ba64dc00bee8 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -624,10 +624,10 @@ int nft_lex(void *, void *, void *); %type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block ct_expect_block limit_block secmark_block synproxy_block %destructor { obj_free($$); } obj_block_alloc -%type <list> stmt_list stateful_stmt_list -%destructor { stmt_list_free($$); xfree($$); } stmt_list stateful_stmt_list -%type <stmt> stmt match_stmt verdict_stmt -%destructor { stmt_free($$); } stmt match_stmt verdict_stmt +%type <list> stmt_list stateful_stmt_list set_elem_stmt_list +%destructor { stmt_list_free($$); xfree($$); } stmt_list stateful_stmt_list set_elem_stmt_list +%type <stmt> stmt match_stmt verdict_stmt set_elem_stmt +%destructor { stmt_free($$); } stmt match_stmt verdict_stmt set_elem_stmt %type <stmt> counter_stmt counter_stmt_alloc stateful_stmt %destructor { stmt_free($$); } counter_stmt counter_stmt_alloc stateful_stmt %type <stmt> payload_stmt @@ -1797,9 +1797,9 @@ set_block : /* empty */ { $$ = $<set>-1; } $1->gc_int = $3; $$ = $1; } - | set_block COUNTER stmt_separator + | set_block stateful_stmt_list stmt_separator { - $1->stmt = counter_stmt_alloc(&@$); + list_splice_tail($2, &$1->stmt_list); $$ = $1; } | set_block ELEMENTS '=' set_block_expr @@ -4050,7 +4050,12 @@ set_elem_expr : set_elem_expr_alloc | set_elem_expr_alloc set_elem_expr_options ; -set_elem_expr_alloc : set_lhs_expr +set_elem_expr_alloc : set_lhs_expr set_elem_stmt_list + { + $$ = set_elem_expr_alloc(&@1, $1); + list_splice_tail($2, &$$->stmt_list); + } + | set_lhs_expr { $$ = set_elem_expr_alloc(&@1, $1); } @@ -4088,44 +4093,42 @@ set_elem_expr_options : set_elem_expr_option | set_elem_expr_options set_elem_expr_option ; -set_elem_expr_option : TIMEOUT time_spec +set_elem_stmt_list : set_elem_stmt { - $<expr>0->timeout = $2; + $$ = xmalloc(sizeof(*$$)); + init_list_head($$); + list_add_tail(&$1->list, $$); } - | EXPIRES time_spec + | set_elem_stmt_list set_elem_stmt { - $<expr>0->expiration = $2; + $$ = $1; + list_add_tail(&$2->list, $1); } - | COUNTER + ; + +set_elem_stmt : COUNTER { - $<expr>0->stmt = counter_stmt_alloc(&@$); + $$ = counter_stmt_alloc(&@$); } | COUNTER PACKETS NUM BYTES NUM { - struct stmt *stmt; - - stmt = counter_stmt_alloc(&@$); - stmt->counter.packets = $3; - stmt->counter.bytes = $5; - $<expr>0->stmt = stmt; + $$ = counter_stmt_alloc(&@$); + $$->counter.packets = $3; + $$->counter.bytes = $5; } | LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts { - struct stmt *stmt; - - stmt = limit_stmt_alloc(&@$); - stmt->limit.rate = $4; - stmt->limit.unit = $6; - stmt->limit.burst = $7; - stmt->limit.type = NFT_LIMIT_PKTS; - stmt->limit.flags = $3; - $<expr>0->stmt = stmt; + $$ = limit_stmt_alloc(&@$); + $$->limit.rate = $4; + $$->limit.unit = $6; + $$->limit.burst = $7; + $$->limit.type = NFT_LIMIT_PKTS; + $$->limit.flags = $3; } | LIMIT RATE limit_mode NUM STRING limit_burst_bytes { struct error_record *erec; uint64_t rate, unit; - struct stmt *stmt; erec = rate_parse(&@$, $5, &rate, &unit); xfree($5); @@ -4134,13 +4137,23 @@ set_elem_expr_option : TIMEOUT time_spec YYERROR; } - stmt = limit_stmt_alloc(&@$); - stmt->limit.rate = rate * $4; - stmt->limit.unit = unit; - stmt->limit.burst = $6; - stmt->limit.type = NFT_LIMIT_PKT_BYTES; - stmt->limit.flags = $3; + $$ = limit_stmt_alloc(&@$); + $$->limit.rate = rate * $4; + $$->limit.unit = unit; + $$->limit.burst = $6; + $$->limit.type = NFT_LIMIT_PKT_BYTES; + $$->limit.flags = $3; } + ; + +set_elem_expr_option : TIMEOUT time_spec + { + $<expr>0->timeout = $2; + } + | EXPIRES time_spec + { + $<expr>0->expiration = $2; + } | comment_spec { if (already_set($<expr>0->comment, &@1, state)) { diff --git a/src/rule.c b/src/rule.c index dddfdf5182b0..e4bb6bae276a 100644 --- a/src/rule.c +++ b/src/rule.c @@ -338,6 +338,9 @@ struct set *set_alloc(const struct location *loc) set->handle.set_id = ++set_id; if (loc != NULL) set->location = *loc; + + init_list_head(&set->stmt_list); + return set; } @@ -357,6 +360,7 @@ struct set *set_clone(const struct set *set) new_set->policy = set->policy; new_set->automerge = set->automerge; new_set->desc = set->desc; + init_list_head(&new_set->stmt_list); return new_set; } @@ -369,6 +373,8 @@ struct set *set_get(struct set *set) void set_free(struct set *set) { + struct stmt *stmt, *next; + if (--set->refcnt > 0) return; if (set->init != NULL) @@ -376,7 +382,8 @@ void set_free(struct set *set) if (set->comment) xfree(set->comment); handle_free(&set->handle); - stmt_free(set->stmt); + list_for_each_entry_safe(stmt, next, &set->stmt_list, list) + stmt_free(stmt); expr_free(set->key); expr_free(set->data); xfree(set); @@ -500,6 +507,7 @@ static void set_print_declaration(const struct set *set, struct output_ctx *octx) { const char *delim = ""; + struct stmt *stmt; const char *type; uint32_t flags; @@ -570,14 +578,22 @@ static void set_print_declaration(const struct set *set, nft_print(octx, "%s", opts->stmt_separator); } - if (set->stmt) { + if (!list_empty(&set->stmt_list)) nft_print(octx, "%s%s", opts->tab, opts->tab); + + if (!list_empty(&set->stmt_list)) { octx->flags |= NFT_CTX_OUTPUT_STATELESS; - stmt_print(set->stmt, octx); + list_for_each_entry(stmt, &set->stmt_list, list) { + stmt_print(stmt, octx); + if (!list_is_last(&stmt->list, &set->stmt_list)) + nft_print(octx, " "); + } octx->flags &= ~NFT_CTX_OUTPUT_STATELESS; - nft_print(octx, "%s", opts->stmt_separator); } + if (!list_empty(&set->stmt_list)) + nft_print(octx, "%s", opts->stmt_separator); + if (set->automerge) nft_print(octx, "%s%sauto-merge%s", opts->tab, opts->tab, opts->stmt_separator); diff --git a/src/segtree.c b/src/segtree.c index ba455a6a8137..6988d07b24fb 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -935,10 +935,8 @@ static void interval_expr_copy(struct expr *dst, struct expr *src) dst->timeout = src->timeout; if (src->expiration) dst->expiration = src->expiration; - if (src->stmt) { - dst->stmt = src->stmt; - src->stmt = NULL; - } + + list_splice_init(&src->stmt_list, &dst->stmt_list); } void interval_map_decompose(struct expr *set) -- 2.20.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH nft 1/2,v2] src: add support for multi-statement in dynamic sets and maps
@ 2020-12-17 16:43 Pablo Neira Ayuso
2020-12-17 16:43 ` [PATCH nft 2/2] src: add set element multi-statement support Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-17 16:43 UTC (permalink / raw)
To: netfilter-devel
This patch allows for two statements for dynamic set updates, e.g.
nft rule x y add @y { ip daddr limit rate 1/second counter }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: fix memleaks.
fix crashes reported by tests/shell.
include/statement.h | 4 +--
src/evaluate.c | 24 +++++++------
src/netlink.c | 1 +
src/netlink_delinearize.c | 74 +++++++++++++++++++++++++++++++--------
src/netlink_linearize.c | 41 +++++++++++++++++-----
src/parser_bison.y | 27 ++++++++++----
src/statement.c | 34 +++++++++++++-----
7 files changed, 157 insertions(+), 48 deletions(-)
diff --git a/include/statement.h b/include/statement.h
index f2fc6ade7734..7637a82e4e00 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -201,7 +201,7 @@ uint32_t fwd_stmt_type(const char *type);
struct set_stmt {
struct expr *set;
struct expr *key;
- struct stmt *stmt;
+ struct list_head stmt_list;
enum nft_dynset_ops op;
};
@@ -213,7 +213,7 @@ struct map_stmt {
struct expr *set;
struct expr *key;
struct expr *data;
- struct stmt *stmt;
+ struct list_head stmt_list;
enum nft_dynset_ops op;
};
diff --git a/src/evaluate.c b/src/evaluate.c
index e776cd018051..03f060eb465a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3370,6 +3370,8 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
{
+ struct stmt *this;
+
expr_set_context(&ctx->ectx, NULL, 0);
if (expr_evaluate(ctx, &stmt->set.set) < 0)
return -1;
@@ -3389,12 +3391,12 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
if (stmt->set.key->comment != NULL)
return expr_error(ctx->msgs, stmt->set.key,
"Key expression comments are not supported");
- if (stmt->set.stmt) {
- if (stmt_evaluate(ctx, stmt->set.stmt) < 0)
+ list_for_each_entry(this, &stmt->set.stmt_list, list) {
+ if (stmt_evaluate(ctx, this) < 0)
return -1;
- if (!(stmt->set.stmt->flags & STMT_F_STATEFUL))
- return stmt_binary_error(ctx, stmt->set.stmt, stmt,
- "meter statement must be stateful");
+ if (!(this->flags & STMT_F_STATEFUL))
+ return stmt_error(ctx, this,
+ "statement must be stateful");
}
return 0;
@@ -3402,6 +3404,8 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
{
+ struct stmt *this;
+
expr_set_context(&ctx->ectx, NULL, 0);
if (expr_evaluate(ctx, &stmt->map.set) < 0)
return -1;
@@ -3435,12 +3439,12 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
return expr_error(ctx->msgs, stmt->map.data,
"Data expression comments are not supported");
- if (stmt->map.stmt) {
- if (stmt_evaluate(ctx, stmt->map.stmt) < 0)
+ list_for_each_entry(this, &stmt->map.stmt_list, list) {
+ if (stmt_evaluate(ctx, this) < 0)
return -1;
- if (!(stmt->map.stmt->flags & STMT_F_STATEFUL))
- return stmt_binary_error(ctx, stmt->map.stmt, stmt,
- "meter statement must be stateful");
+ if (!(this->flags & STMT_F_STATEFUL))
+ return stmt_error(ctx, this,
+ "statement must be stateful");
}
return 0;
diff --git a/src/netlink.c b/src/netlink.c
index 8098b9746c95..ab0290926eaf 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1132,6 +1132,7 @@ key_end:
key = bitmask_expr_to_binops(key);
expr = set_elem_expr_alloc(&netlink_location, key);
+
if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_TIMEOUT))
expr->timeout = nftnl_set_elem_get_u64(nlse, NFTNL_SET_ELEM_TIMEOUT);
if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPIRATION))
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 8b06c4c0985f..731507228411 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1489,17 +1489,47 @@ static void netlink_parse_queue(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
}
+struct dynset_parse_ctx {
+ struct netlink_parse_ctx *nlctx;
+ const struct location *loc;
+ struct list_head stmt_list;
+};
+
+static int dynset_parse_expressions(struct nftnl_expr *e, void *data)
+{
+ struct dynset_parse_ctx *dynset_parse_ctx = data;
+ struct netlink_parse_ctx *ctx = dynset_parse_ctx->nlctx;
+ const struct location *loc = dynset_parse_ctx->loc;
+ struct stmt *stmt;
+
+ if (netlink_parse_expr(e, ctx) < 0 || !ctx->stmt) {
+ netlink_error(ctx, loc, "Could not parse dynset stmt");
+ return -1;
+ }
+ stmt = ctx->stmt;
+
+ list_add_tail(&stmt->list, &dynset_parse_ctx->stmt_list);
+
+ return 0;
+}
+
static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
{
+ struct dynset_parse_ctx dynset_parse_ctx = {
+ .nlctx = ctx,
+ .loc = loc,
+ };
struct expr *expr, *expr_data = NULL;
enum nft_registers sreg, sreg_data;
+ struct stmt *stmt, *dstmt, *next;
const struct nftnl_expr *dnle;
- struct stmt *stmt, *dstmt;
struct set *set;
const char *name;
+ init_list_head(&dynset_parse_ctx.stmt_list);
+
name = nftnl_expr_get_str(nle, NFTNL_EXPR_DYNSET_SET_NAME);
set = set_lookup(ctx->table, name);
if (set == NULL)
@@ -1523,16 +1553,25 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
expr = set_elem_expr_alloc(&expr->location, expr);
expr->timeout = nftnl_expr_get_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT);
- dstmt = NULL;
- dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL);
- if (dnle != NULL) {
- if (netlink_parse_expr(dnle, ctx) < 0)
- goto out_err;
- if (ctx->stmt == NULL) {
- netlink_error(ctx, loc, "Could not parse dynset stmt");
- goto out_err;
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_EXPR)) {
+ dstmt = NULL;
+ dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL);
+ if (dnle != NULL) {
+ if (netlink_parse_expr(dnle, ctx) < 0)
+ goto out_err;
+ if (ctx->stmt == NULL) {
+ netlink_error(ctx, loc,
+ "Could not parse dynset stmt");
+ goto out_err;
+ }
+ dstmt = ctx->stmt;
+ list_add_tail(&dstmt->list,
+ &dynset_parse_ctx.stmt_list);
}
- dstmt = ctx->stmt;
+ } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS)) {
+ if (nftnl_expr_expr_foreach(nle, dynset_parse_expressions,
+ &dynset_parse_ctx) < 0)
+ goto out_err;
}
if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) {
@@ -1546,27 +1585,34 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
stmt->map.set = set_ref_expr_alloc(loc, set);
stmt->map.key = expr;
stmt->map.data = expr_data;
- stmt->map.stmt = dstmt;
stmt->map.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP);
+ list_splice_tail(&dynset_parse_ctx.stmt_list,
+ &stmt->map.stmt_list);
} else {
- if (dstmt != NULL && set->flags & NFT_SET_ANONYMOUS) {
+ if (!list_empty(&dynset_parse_ctx.stmt_list) &&
+ set->flags & NFT_SET_ANONYMOUS) {
stmt = meter_stmt_alloc(loc);
stmt->meter.set = set_ref_expr_alloc(loc, set);
stmt->meter.key = expr;
- stmt->meter.stmt = dstmt;
+ stmt->meter.stmt = list_first_entry(&dynset_parse_ctx.stmt_list,
+ struct stmt, list);
stmt->meter.size = set->desc.size;
} else {
stmt = set_stmt_alloc(loc);
stmt->set.set = set_ref_expr_alloc(loc, set);
stmt->set.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP);
stmt->set.key = expr;
- stmt->set.stmt = dstmt;
+ list_splice_tail(&dynset_parse_ctx.stmt_list,
+ &stmt->set.stmt_list);
}
}
ctx->stmt = stmt;
return;
out_err:
+ list_for_each_entry_safe(dstmt, next, &dynset_parse_ctx.stmt_list, list)
+ stmt_free(dstmt);
+
xfree(expr);
}
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 05af8bb1b485..09d0c61cfcc0 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1397,8 +1397,10 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
struct set *set = stmt->meter.set->set;
- struct nftnl_expr *nle;
enum nft_registers sreg_key;
+ struct nftnl_expr *nle;
+ int num_stmts = 0;
+ struct stmt *this;
sreg_key = get_register(ctx, stmt->set.key->key);
netlink_gen_expr(ctx, stmt->set.key->key, sreg_key);
@@ -1414,9 +1416,20 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
nft_rule_add_expr(ctx, nle, &stmt->location);
- if (stmt->set.stmt)
- nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
- netlink_gen_stmt_stateful(stmt->set.stmt), 0);
+ list_for_each_entry(this, &stmt->set.stmt_list, list)
+ num_stmts++;
+
+ if (num_stmts == 1) {
+ list_for_each_entry(this, &stmt->set.stmt_list, list) {
+ nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
+ netlink_gen_stmt_stateful(this), 0);
+ }
+ } else if (num_stmts > 1) {
+ list_for_each_entry(this, &stmt->set.stmt_list, list) {
+ nftnl_expr_add_expr(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS,
+ netlink_gen_stmt_stateful(this));
+ }
+ }
}
static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
@@ -1426,6 +1439,8 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
enum nft_registers sreg_data;
enum nft_registers sreg_key;
struct nftnl_expr *nle;
+ int num_stmts = 0;
+ struct stmt *this;
sreg_key = get_register(ctx, stmt->map.key);
netlink_gen_expr(ctx, stmt->map.key, sreg_key);
@@ -1443,12 +1458,22 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_OP, stmt->map.op);
nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name);
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
+ nft_rule_add_expr(ctx, nle, &stmt->location);
- if (stmt->map.stmt)
- nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
- netlink_gen_stmt_stateful(stmt->map.stmt), 0);
+ list_for_each_entry(this, &stmt->map.stmt_list, list)
+ num_stmts++;
- nft_rule_add_expr(ctx, nle, &stmt->location);
+ if (num_stmts == 1) {
+ list_for_each_entry(this, &stmt->map.stmt_list, list) {
+ nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
+ netlink_gen_stmt_stateful(this), 0);
+ }
+ } else if (num_stmts > 1) {
+ list_for_each_entry(this, &stmt->map.stmt_list, list) {
+ nftnl_expr_add_expr(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS,
+ netlink_gen_stmt_stateful(this));
+ }
+ }
}
static void netlink_gen_meter_stmt(struct netlink_linearize_ctx *ctx,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 08aadaa32a86..673ce4ad4080 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -624,8 +624,8 @@ int nft_lex(void *, void *, void *);
%type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block ct_expect_block limit_block secmark_block synproxy_block
%destructor { obj_free($$); } obj_block_alloc
-%type <list> stmt_list
-%destructor { stmt_list_free($$); xfree($$); } stmt_list
+%type <list> stmt_list stateful_stmt_list
+%destructor { stmt_list_free($$); xfree($$); } stmt_list stateful_stmt_list
%type <stmt> stmt match_stmt verdict_stmt
%destructor { stmt_free($$); } stmt match_stmt verdict_stmt
%type <stmt> counter_stmt counter_stmt_alloc stateful_stmt
@@ -2656,6 +2656,19 @@ stmt_list : stmt
}
;
+stateful_stmt_list : stateful_stmt
+ {
+ $$ = xmalloc(sizeof(*$$));
+ init_list_head($$);
+ list_add_tail(&$1->list, $$);
+ }
+ | stateful_stmt_list stateful_stmt
+ {
+ $$ = $1;
+ list_add_tail(&$2->list, $1);
+ }
+ ;
+
stateful_stmt : counter_stmt
| limit_stmt
| quota_stmt
@@ -3675,13 +3688,14 @@ set_stmt : SET set_stmt_op set_elem_expr_stmt set_ref_expr
$$->set.key = $4;
$$->set.set = $2;
}
- | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt '}'
+ | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt_list '}'
{
$$ = set_stmt_alloc(&@$);
$$->set.op = $1;
$$->set.key = $4;
$$->set.set = $2;
- $$->set.stmt = $5;
+ list_splice_tail($5, &$$->set.stmt_list);
+ free($5);
}
;
@@ -3698,14 +3712,15 @@ map_stmt : set_stmt_op set_ref_expr '{' set_elem_expr_stmt COLON set_elem_expr_
$$->map.data = $6;
$$->map.set = $2;
}
- | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt COLON set_elem_expr_stmt '}'
+ | set_stmt_op set_ref_expr '{' set_elem_expr_stmt stateful_stmt_list COLON set_elem_expr_stmt '}'
{
$$ = map_stmt_alloc(&@$);
$$->map.op = $1;
$$->map.key = $4;
$$->map.data = $7;
- $$->map.stmt = $5;
$$->map.set = $2;
+ list_splice_tail($5, &$$->map.stmt_list);
+ free($5);
}
;
diff --git a/src/statement.c b/src/statement.c
index 6fe8e9d9beb4..39020857ae9c 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -732,15 +732,16 @@ const char * const set_stmt_op_names[] = {
static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
unsigned int flags = octx->flags;
+ struct stmt *this;
nft_print(octx, "%s ", set_stmt_op_names[stmt->set.op]);
expr_print(stmt->set.set, octx);
nft_print(octx, " { ");
expr_print(stmt->set.key, octx);
- if (stmt->set.stmt) {
+ list_for_each_entry(this, &stmt->set.stmt_list, list) {
nft_print(octx, " ");
octx->flags |= NFT_CTX_OUTPUT_STATELESS;
- stmt_print(stmt->set.stmt, octx);
+ stmt_print(this, octx);
octx->flags = flags;
}
nft_print(octx, " }");
@@ -748,9 +749,12 @@ static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
static void set_stmt_destroy(struct stmt *stmt)
{
+ struct stmt *this, *next;
+
expr_free(stmt->set.key);
expr_free(stmt->set.set);
- stmt_free(stmt->set.stmt);
+ list_for_each_entry_safe(this, next, &stmt->set.stmt_list, list)
+ stmt_free(this);
}
static const struct stmt_ops set_stmt_ops = {
@@ -763,21 +767,27 @@ static const struct stmt_ops set_stmt_ops = {
struct stmt *set_stmt_alloc(const struct location *loc)
{
- return stmt_alloc(loc, &set_stmt_ops);
+ struct stmt *stmt;
+
+ stmt = stmt_alloc(loc, &set_stmt_ops);
+ init_list_head(&stmt->set.stmt_list);
+
+ return stmt;
}
static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
unsigned int flags = octx->flags;
+ struct stmt *this;
nft_print(octx, "%s ", set_stmt_op_names[stmt->map.op]);
expr_print(stmt->map.set, octx);
nft_print(octx, " { ");
expr_print(stmt->map.key, octx);
- if (stmt->map.stmt) {
+ list_for_each_entry(this, &stmt->map.stmt_list, list) {
nft_print(octx, " ");
octx->flags |= NFT_CTX_OUTPUT_STATELESS;
- stmt_print(stmt->map.stmt, octx);
+ stmt_print(this, octx);
octx->flags = flags;
}
nft_print(octx, " : ");
@@ -787,10 +797,13 @@ static void map_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
static void map_stmt_destroy(struct stmt *stmt)
{
+ struct stmt *this, *next;
+
expr_free(stmt->map.key);
expr_free(stmt->map.data);
expr_free(stmt->map.set);
- stmt_free(stmt->map.stmt);
+ list_for_each_entry_safe(this, next, &stmt->map.stmt_list, list)
+ stmt_free(this);
}
static const struct stmt_ops map_stmt_ops = {
@@ -802,7 +815,12 @@ static const struct stmt_ops map_stmt_ops = {
struct stmt *map_stmt_alloc(const struct location *loc)
{
- return stmt_alloc(loc, &map_stmt_ops);
+ struct stmt *stmt;
+
+ stmt = stmt_alloc(loc, &map_stmt_ops);
+ init_list_head(&stmt->map.stmt_list);
+
+ return stmt;
}
static void dup_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH nft 2/2] src: add set element multi-statement support 2020-12-17 16:43 [PATCH nft 1/2,v2] src: add support for multi-statement in dynamic sets and maps Pablo Neira Ayuso @ 2020-12-17 16:43 ` Pablo Neira Ayuso 0 siblings, 0 replies; 4+ messages in thread From: Pablo Neira Ayuso @ 2020-12-17 16:43 UTC (permalink / raw) To: netfilter-devel Extend the set element infrastructure to support for several statements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- v2: fix memleaks. fix crashes reported by tests/shell. include/expression.h | 2 +- include/list.h | 7 ++++ include/rule.h | 2 +- src/evaluate.c | 58 ++++++++++++++++++++++-------- src/expression.c | 18 +++++++--- src/json.c | 10 ++++-- src/mnl.c | 17 +++++++-- src/netlink.c | 66 +++++++++++++++++++++++++++++++--- src/parser_bison.y | 84 ++++++++++++++++++++++++++------------------ src/rule.c | 24 ++++++++++--- src/segtree.c | 6 ++-- 11 files changed, 219 insertions(+), 75 deletions(-) diff --git a/include/expression.h b/include/expression.h index 894a68d2e822..718dac5a122d 100644 --- a/include/expression.h +++ b/include/expression.h @@ -280,7 +280,7 @@ struct expr { uint64_t timeout; uint64_t expiration; const char *comment; - struct stmt *stmt; + struct list_head stmt_list; uint32_t elem_flags; }; struct { diff --git a/include/list.h b/include/list.h index 9c4da81749de..857921e34201 100644 --- a/include/list.h +++ b/include/list.h @@ -348,6 +348,13 @@ static inline void list_splice_tail_init(struct list_head *list, #define list_first_entry(ptr, type, member) \ list_entry((ptr)->next, type, member) +/** + * list_next_entry - get the next element in list + * @pos: the type * to cursor + * @member: the name of the list_head within the struct. + */ +#define list_next_entry(pos, member) \ + list_entry((pos)->member.next, typeof(*(pos)), member) /** * list_for_each_entry - iterate over list of given type diff --git a/include/rule.h b/include/rule.h index 119fc19d79c8..330a09aa77fa 100644 --- a/include/rule.h +++ b/include/rule.h @@ -333,7 +333,7 @@ struct set { struct expr *init; struct expr *rg_cache; uint32_t policy; - struct stmt *stmt; + struct list_head stmt_list; bool root; bool automerge; bool key_typeof_valid; diff --git a/src/evaluate.c b/src/evaluate.c index 03f060eb465a..7e34f12c996f 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1340,27 +1340,57 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr) return 0; } -static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr) +static int __expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr *elem) { + int num_elem_exprs = 0, num_set_exprs = 0; struct set *set = ctx->set; - struct expr *elem = *expr; + struct stmt *stmt; - if (elem->stmt) { - if (set->stmt && set->stmt->ops != elem->stmt->ops) { - return stmt_error(ctx, elem->stmt, - "statement mismatch, element expects %s, " - "but %s has type %s", - elem->stmt->ops->name, - set_is_map(set->flags) ? "map" : "set", - set->stmt->ops->name); - } else if (!set->stmt && !(set->flags & NFT_SET_EVAL)) { - return stmt_error(ctx, elem->stmt, - "missing %s statement in %s definition", - elem->stmt->ops->name, + list_for_each_entry(stmt, &elem->stmt_list, list) + num_elem_exprs++; + list_for_each_entry(stmt, &set->stmt_list, list) + num_set_exprs++; + + if (num_elem_exprs > 0) { + if (num_elem_exprs != num_set_exprs) + return expr_error(ctx->msgs, elem, + "number of statements mismatch, set expects %d " + "but element has %d", num_set_exprs, + num_elem_exprs); + else if (!(set->flags & NFT_SET_EVAL)) + return expr_error(ctx->msgs, elem, + "missing statements in %s definition", set_is_map(set->flags) ? "map" : "set"); + } + + if (num_set_exprs > 0) { + struct stmt *set_stmt, *elem_stmt; + + set_stmt = list_first_entry(&set->stmt_list, struct stmt, list); + + list_for_each_entry(elem_stmt, &elem->stmt_list, list) { + if (set_stmt->ops != elem_stmt->ops) { + return stmt_error(ctx, elem_stmt, + "statement mismatch, element expects %s, " + "but %s has type %s", + elem_stmt->ops->name, + set_is_map(set->flags) ? "map" : "set", + set_stmt->ops->name); + } + set_stmt = list_next_entry(set_stmt, list); } } + return 0; +} + +static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr) +{ + struct expr *elem = *expr; + + if (ctx->set && __expr_evaluate_set_elem(ctx, elem) < 0) + return -1; + if (expr_evaluate(ctx, &elem->key) < 0) return -1; diff --git a/src/expression.c b/src/expression.c index 87bd4d01bb72..58d73e9509b0 100644 --- a/src/expression.c +++ b/src/expression.c @@ -1248,7 +1248,13 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set) static void set_elem_expr_print(const struct expr *expr, struct output_ctx *octx) { + struct stmt *stmt; + expr_print(expr->key, octx); + list_for_each_entry(stmt, &expr->stmt_list, list) { + nft_print(octx, " "); + stmt_print(stmt, octx); + } if (expr->timeout) { nft_print(octx, " timeout "); time_print(expr->timeout, octx); @@ -1257,19 +1263,18 @@ static void set_elem_expr_print(const struct expr *expr, nft_print(octx, " expires "); time_print(expr->expiration, octx); } - if (expr->stmt) { - nft_print(octx, " "); - stmt_print(expr->stmt, octx); - } if (expr->comment) nft_print(octx, " comment \"%s\"", expr->comment); } static void set_elem_expr_destroy(struct expr *expr) { + struct stmt *stmt, *next; + xfree(expr->comment); expr_free(expr->key); - stmt_free(expr->stmt); + list_for_each_entry_safe(stmt, next, &expr->stmt_list, list) + stmt_free(stmt); } static void set_elem_expr_clone(struct expr *new, const struct expr *expr) @@ -1279,6 +1284,7 @@ static void set_elem_expr_clone(struct expr *new, const struct expr *expr) new->timeout = expr->timeout; if (expr->comment) new->comment = xstrdup(expr->comment); + init_list_head(&new->stmt_list); } static const struct expr_ops set_elem_expr_ops = { @@ -1297,6 +1303,8 @@ struct expr *set_elem_expr_alloc(const struct location *loc, struct expr *key) expr = expr_alloc(loc, EXPR_SET_ELEM, key->dtype, key->byteorder, key->len); expr->key = key; + init_list_head(&expr->stmt_list); + return expr; } diff --git a/src/json.c b/src/json.c index 0b398bf0b25d..585d35326ac0 100644 --- a/src/json.c +++ b/src/json.c @@ -583,13 +583,15 @@ json_t *set_ref_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx) { json_t *root = expr_print_json(expr->key, octx); + struct stmt *stmt; json_t *tmp; if (!root) return NULL; /* these element attributes require formal set elem syntax */ - if (expr->timeout || expr->expiration || expr->comment || expr->stmt) { + if (expr->timeout || expr->expiration || expr->comment || + !list_empty(&expr->stmt_list)) { root = json_pack("{s:o}", "val", root); if (expr->timeout) { @@ -604,11 +606,13 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx) tmp = json_string(expr->comment); json_object_set_new(root, "comment", tmp); } - if (expr->stmt) { - tmp = stmt_print_json(expr->stmt, octx); + list_for_each_entry(stmt, &expr->stmt_list, list) { + tmp = stmt_print_json(stmt, octx); /* XXX: detect and complain about clashes? */ json_object_update_missing(root, tmp); json_decref(tmp); + /* TODO: only one statement per element. */ + break; } return json_pack("{s:o}", "elem", root); } diff --git a/src/mnl.c b/src/mnl.c index cd12309b6ef8..84cfb2380f55 100644 --- a/src/mnl.c +++ b/src/mnl.c @@ -1046,6 +1046,8 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd, struct set *set = cmd->set; struct nftnl_set *nls; struct nlmsghdr *nlh; + struct stmt *stmt; + int num_stmts = 0; nls = nftnl_set_alloc(); if (!nls) @@ -1128,9 +1130,18 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd, nftnl_udata_buf_len(udbuf)); nftnl_udata_buf_free(udbuf); - if (set->stmt) { - nftnl_set_set_data(nls, NFTNL_SET_EXPR, - netlink_gen_stmt_stateful(set->stmt), 0); + list_for_each_entry(stmt, &set->stmt_list, list) + num_stmts++; + + if (num_stmts == 1) { + list_for_each_entry(stmt, &set->stmt_list, list) { + nftnl_set_set_data(nls, NFTNL_SET_EXPR, + netlink_gen_stmt_stateful(stmt), 0); + break; + } + } else if (num_stmts > 1) { + list_for_each_entry(stmt, &set->stmt_list, list) + nftnl_set_add_expr(nls, netlink_gen_stmt_stateful(stmt)); } netlink_dump_set(nls, ctx); diff --git a/src/netlink.c b/src/netlink.c index ab0290926eaf..ec2dad29ace1 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -104,6 +104,8 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, struct nftnl_set_elem *nlse; struct nft_data_linearize nld; struct nftnl_udata_buf *udbuf = NULL; + int num_exprs = 0; + struct stmt *stmt; struct expr *key; nlse = nftnl_set_elem_alloc(); @@ -138,9 +140,20 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, if (elem->expiration) nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION, elem->expiration); - if (elem->stmt) - nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR, - netlink_gen_stmt_stateful(elem->stmt), 0); + list_for_each_entry(stmt, &elem->stmt_list, list) + num_exprs++; + + if (num_exprs == 1) { + list_for_each_entry(stmt, &elem->stmt_list, list) { + nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR, + netlink_gen_stmt_stateful(stmt), 0); + } + } else if (num_exprs > 1) { + list_for_each_entry(stmt, &elem->stmt_list, list) { + nftnl_set_elem_add_expr(nlse, + netlink_gen_stmt_stateful(stmt)); + } + } if (elem->comment || expr->elem_flags) { udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN); if (!udbuf) @@ -766,6 +779,25 @@ static bool set_udata_key_valid(const struct expr *e, const struct datatype *d, return div_round_up(e->len, BITS_PER_BYTE) == len / BITS_PER_BYTE; } +struct setelem_parse_ctx { + struct set *set; + struct nft_cache *cache; + struct list_head stmt_list; +}; + +static int set_elem_parse_expressions(struct nftnl_expr *e, void *data) +{ + struct setelem_parse_ctx *setelem_parse_ctx = data; + struct nft_cache *cache = setelem_parse_ctx->cache; + struct set *set = setelem_parse_ctx->set; + struct stmt *stmt; + + stmt = netlink_parse_set_expr(set, cache, e); + list_add_tail(&stmt->list, &setelem_parse_ctx->stmt_list); + + return 0; +} + struct set *netlink_delinearize_set(struct netlink_ctx *ctx, const struct nftnl_set *nls) { @@ -774,6 +806,7 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, enum byteorder databyteorder = BYTEORDER_INVALID; const struct datatype *keytype, *datatype = NULL; struct expr *typeof_expr_key, *typeof_expr_data; + struct setelem_parse_ctx set_parse_ctx; const char *udata, *comment = NULL; uint32_t flags, key, objtype = 0; const struct datatype *dtype; @@ -847,12 +880,22 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, if (comment) set->comment = comment; + init_list_head(&set_parse_ctx.stmt_list); + if (nftnl_set_is_set(nls, NFTNL_SET_EXPR)) { const struct nftnl_expr *nle; + struct stmt *stmt; nle = nftnl_set_get(nls, NFTNL_SET_EXPR); - set->stmt = netlink_parse_set_expr(set, &ctx->nft->cache, nle); + stmt = netlink_parse_set_expr(set, &ctx->nft->cache, nle); + list_add_tail(&stmt->list, &set_parse_ctx.stmt_list); + } else if (nftnl_set_is_set(nls, NFTNL_SET_EXPRESSIONS)) { + set_parse_ctx.cache = &ctx->nft->cache; + set_parse_ctx.set = set; + nftnl_set_expr_foreach(nls, set_elem_parse_expressions, + &set_parse_ctx); } + list_splice_tail(&set_parse_ctx.stmt_list, &set->stmt_list); if (datatype) { dtype = set_datatype_alloc(datatype, databyteorder); @@ -1107,10 +1150,16 @@ static void set_elem_parse_udata(struct nftnl_set_elem *nlse, int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, struct set *set, struct nft_cache *cache) { + struct setelem_parse_ctx setelem_parse_ctx = { + .set = set, + .cache = cache, + }; struct nft_data_delinearize nld; struct expr *expr, *key, *data; uint32_t flags = 0; + init_list_head(&setelem_parse_ctx.stmt_list); + nld.value = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_KEY, &nld.len); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_FLAGS)) @@ -1141,10 +1190,17 @@ key_end: set_elem_parse_udata(nlse, expr); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPR)) { const struct nftnl_expr *nle; + struct stmt *stmt; nle = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_EXPR, NULL); - expr->stmt = netlink_parse_set_expr(set, cache, nle); + stmt = netlink_parse_set_expr(set, cache, nle); + list_add_tail(&stmt->list, &setelem_parse_ctx.stmt_list); + } else if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPRESSIONS)) { + nftnl_set_elem_expr_foreach(nlse, set_elem_parse_expressions, + &setelem_parse_ctx); } + list_splice_tail(&setelem_parse_ctx.stmt_list, &expr->stmt_list); + if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; if (mpz_cmp_ui(set->key->value, 0) == 0) diff --git a/src/parser_bison.y b/src/parser_bison.y index 673ce4ad4080..58a5a4752002 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -624,10 +624,10 @@ int nft_lex(void *, void *, void *); %type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block ct_expect_block limit_block secmark_block synproxy_block %destructor { obj_free($$); } obj_block_alloc -%type <list> stmt_list stateful_stmt_list -%destructor { stmt_list_free($$); xfree($$); } stmt_list stateful_stmt_list -%type <stmt> stmt match_stmt verdict_stmt -%destructor { stmt_free($$); } stmt match_stmt verdict_stmt +%type <list> stmt_list stateful_stmt_list set_elem_stmt_list +%destructor { stmt_list_free($$); xfree($$); } stmt_list stateful_stmt_list set_elem_stmt_list +%type <stmt> stmt match_stmt verdict_stmt set_elem_stmt +%destructor { stmt_free($$); } stmt match_stmt verdict_stmt set_elem_stmt %type <stmt> counter_stmt counter_stmt_alloc stateful_stmt %destructor { stmt_free($$); } counter_stmt counter_stmt_alloc stateful_stmt %type <stmt> payload_stmt @@ -1797,10 +1797,11 @@ set_block : /* empty */ { $$ = $<set>-1; } $1->gc_int = $3; $$ = $1; } - | set_block COUNTER stmt_separator + | set_block stateful_stmt_list stmt_separator { - $1->stmt = counter_stmt_alloc(&@$); + list_splice_tail($2, &$1->stmt_list); $$ = $1; + free($2); } | set_block ELEMENTS '=' set_block_expr { @@ -4052,7 +4053,12 @@ set_elem_expr : set_elem_expr_alloc | set_elem_expr_alloc set_elem_expr_options ; -set_elem_expr_alloc : set_lhs_expr +set_elem_expr_alloc : set_lhs_expr set_elem_stmt_list + { + $$ = set_elem_expr_alloc(&@1, $1); + list_splice_tail($2, &$$->stmt_list); + } + | set_lhs_expr { $$ = set_elem_expr_alloc(&@1, $1); } @@ -4090,44 +4096,42 @@ set_elem_expr_options : set_elem_expr_option | set_elem_expr_options set_elem_expr_option ; -set_elem_expr_option : TIMEOUT time_spec +set_elem_stmt_list : set_elem_stmt { - $<expr>0->timeout = $2; + $$ = xmalloc(sizeof(*$$)); + init_list_head($$); + list_add_tail(&$1->list, $$); } - | EXPIRES time_spec + | set_elem_stmt_list set_elem_stmt { - $<expr>0->expiration = $2; + $$ = $1; + list_add_tail(&$2->list, $1); } - | COUNTER + ; + +set_elem_stmt : COUNTER { - $<expr>0->stmt = counter_stmt_alloc(&@$); + $$ = counter_stmt_alloc(&@$); } | COUNTER PACKETS NUM BYTES NUM { - struct stmt *stmt; - - stmt = counter_stmt_alloc(&@$); - stmt->counter.packets = $3; - stmt->counter.bytes = $5; - $<expr>0->stmt = stmt; + $$ = counter_stmt_alloc(&@$); + $$->counter.packets = $3; + $$->counter.bytes = $5; } | LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts { - struct stmt *stmt; - - stmt = limit_stmt_alloc(&@$); - stmt->limit.rate = $4; - stmt->limit.unit = $6; - stmt->limit.burst = $7; - stmt->limit.type = NFT_LIMIT_PKTS; - stmt->limit.flags = $3; - $<expr>0->stmt = stmt; + $$ = limit_stmt_alloc(&@$); + $$->limit.rate = $4; + $$->limit.unit = $6; + $$->limit.burst = $7; + $$->limit.type = NFT_LIMIT_PKTS; + $$->limit.flags = $3; } | LIMIT RATE limit_mode NUM STRING limit_burst_bytes { struct error_record *erec; uint64_t rate, unit; - struct stmt *stmt; erec = rate_parse(&@$, $5, &rate, &unit); xfree($5); @@ -4136,13 +4140,23 @@ set_elem_expr_option : TIMEOUT time_spec YYERROR; } - stmt = limit_stmt_alloc(&@$); - stmt->limit.rate = rate * $4; - stmt->limit.unit = unit; - stmt->limit.burst = $6; - stmt->limit.type = NFT_LIMIT_PKT_BYTES; - stmt->limit.flags = $3; + $$ = limit_stmt_alloc(&@$); + $$->limit.rate = rate * $4; + $$->limit.unit = unit; + $$->limit.burst = $6; + $$->limit.type = NFT_LIMIT_PKT_BYTES; + $$->limit.flags = $3; } + ; + +set_elem_expr_option : TIMEOUT time_spec + { + $<expr>0->timeout = $2; + } + | EXPIRES time_spec + { + $<expr>0->expiration = $2; + } | comment_spec { if (already_set($<expr>0->comment, &@1, state)) { diff --git a/src/rule.c b/src/rule.c index dddfdf5182b0..e4bb6bae276a 100644 --- a/src/rule.c +++ b/src/rule.c @@ -338,6 +338,9 @@ struct set *set_alloc(const struct location *loc) set->handle.set_id = ++set_id; if (loc != NULL) set->location = *loc; + + init_list_head(&set->stmt_list); + return set; } @@ -357,6 +360,7 @@ struct set *set_clone(const struct set *set) new_set->policy = set->policy; new_set->automerge = set->automerge; new_set->desc = set->desc; + init_list_head(&new_set->stmt_list); return new_set; } @@ -369,6 +373,8 @@ struct set *set_get(struct set *set) void set_free(struct set *set) { + struct stmt *stmt, *next; + if (--set->refcnt > 0) return; if (set->init != NULL) @@ -376,7 +382,8 @@ void set_free(struct set *set) if (set->comment) xfree(set->comment); handle_free(&set->handle); - stmt_free(set->stmt); + list_for_each_entry_safe(stmt, next, &set->stmt_list, list) + stmt_free(stmt); expr_free(set->key); expr_free(set->data); xfree(set); @@ -500,6 +507,7 @@ static void set_print_declaration(const struct set *set, struct output_ctx *octx) { const char *delim = ""; + struct stmt *stmt; const char *type; uint32_t flags; @@ -570,14 +578,22 @@ static void set_print_declaration(const struct set *set, nft_print(octx, "%s", opts->stmt_separator); } - if (set->stmt) { + if (!list_empty(&set->stmt_list)) nft_print(octx, "%s%s", opts->tab, opts->tab); + + if (!list_empty(&set->stmt_list)) { octx->flags |= NFT_CTX_OUTPUT_STATELESS; - stmt_print(set->stmt, octx); + list_for_each_entry(stmt, &set->stmt_list, list) { + stmt_print(stmt, octx); + if (!list_is_last(&stmt->list, &set->stmt_list)) + nft_print(octx, " "); + } octx->flags &= ~NFT_CTX_OUTPUT_STATELESS; - nft_print(octx, "%s", opts->stmt_separator); } + if (!list_empty(&set->stmt_list)) + nft_print(octx, "%s", opts->stmt_separator); + if (set->automerge) nft_print(octx, "%s%sauto-merge%s", opts->tab, opts->tab, opts->stmt_separator); diff --git a/src/segtree.c b/src/segtree.c index ba455a6a8137..6988d07b24fb 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -935,10 +935,8 @@ static void interval_expr_copy(struct expr *dst, struct expr *src) dst->timeout = src->timeout; if (src->expiration) dst->expiration = src->expiration; - if (src->stmt) { - dst->stmt = src->stmt; - src->stmt = NULL; - } + + list_splice_init(&src->stmt_list, &dst->stmt_list); } void interval_map_decompose(struct expr *set) -- 2.20.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-12-17 16:44 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-12-17 11:33 [PATCH nft 0/2] multi-statement support for set elements Pablo Neira Ayuso 2020-12-17 11:33 ` [PATCH nft 1/2] src: add support for multi-statement in dynamic sets and maps Pablo Neira Ayuso 2020-12-17 11:33 ` [PATCH nft 2/2] src: add set element multi-statement support Pablo Neira Ayuso -- strict thread matches above, loose matches on Subject: below -- 2020-12-17 16:43 [PATCH nft 1/2,v2] src: add support for multi-statement in dynamic sets and maps Pablo Neira Ayuso 2020-12-17 16:43 ` [PATCH nft 2/2] src: add set element multi-statement support Pablo Neira Ayuso
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).