* [PATCH nft 1/3] src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS
@ 2020-05-08 12:44 Pablo Neira Ayuso
2020-05-08 12:44 ` [PATCH nft 2/3] libnftables: call nft_cmd_expand() only with CMD_ADD Pablo Neira Ayuso
2020-05-08 12:44 ` [PATCH nft 3/3] src: add CMD_OBJ_SETELEMS Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-08 12:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw
The CMD_OBJ_ELEMENTS provides an expression that contains the list of
set elements. This leaves room to introduce CMD_OBJ_SETELEMS in a follow
up patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/rule.h | 4 ++--
src/cache.c | 6 +++---
src/evaluate.c | 6 +++---
src/parser_bison.y | 8 ++++----
src/parser_json.c | 2 +-
src/rule.c | 8 ++++----
6 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index 1a4ec3d8bc37..f0f7ee33a3ae 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -558,7 +558,7 @@ enum cmd_ops {
* enum cmd_obj - command objects
*
* @CMD_OBJ_INVALID: invalid
- * @CMD_OBJ_SETELEM: set element(s)
+ * @CMD_OBJ_ELEMENTS: set element(s)
* @CMD_OBJ_SET: set
* @CMD_OBJ_SETS: multiple sets
* @CMD_OBJ_RULE: rule
@@ -586,7 +586,7 @@ enum cmd_ops {
*/
enum cmd_obj {
CMD_OBJ_INVALID,
- CMD_OBJ_SETELEM,
+ CMD_OBJ_ELEMENTS,
CMD_OBJ_SET,
CMD_OBJ_SETS,
CMD_OBJ_RULE,
diff --git a/src/cache.c b/src/cache.c
index 05f0d68edf03..a45111a7920e 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -25,7 +25,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
case CMD_OBJ_FLOWTABLE:
flags |= NFT_CACHE_TABLE;
break;
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
flags |= NFT_CACHE_TABLE |
NFT_CACHE_CHAIN |
NFT_CACHE_SET |
@@ -53,7 +53,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags)
{
switch (cmd->obj) {
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
flags |= NFT_CACHE_SETELEM;
break;
default:
@@ -66,7 +66,7 @@ static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags)
static unsigned int evaluate_cache_get(struct cmd *cmd, unsigned int flags)
{
switch (cmd->obj) {
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
flags |= NFT_CACHE_TABLE |
NFT_CACHE_SET |
NFT_CACHE_SETELEM;
diff --git a/src/evaluate.c b/src/evaluate.c
index de5f60ec1f4d..4f69dfcbbc76 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3976,7 +3976,7 @@ static int table_evaluate(struct eval_ctx *ctx, struct table *table)
static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
{
switch (cmd->obj) {
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
return setelem_evaluate(ctx, &cmd->expr);
case CMD_OBJ_SET:
handle_merge(&cmd->set->handle, &cmd->handle);
@@ -4008,7 +4008,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
{
switch (cmd->obj) {
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
return setelem_evaluate(ctx, &cmd->expr);
case CMD_OBJ_SET:
case CMD_OBJ_RULE:
@@ -4035,7 +4035,7 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd)
struct set *set;
switch (cmd->obj) {
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return table_not_found(ctx);
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 39d3eac83b16..8e937ca305d1 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -980,7 +980,7 @@ add_cmd : TABLE table_spec
}
| ELEMENT set_spec set_block_expr
{
- $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEM, &$2, &@$, $3);
+ $$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
}
| FLOWTABLE flowtable_spec flowtable_block_alloc
'{' flowtable_block '}'
@@ -1077,7 +1077,7 @@ create_cmd : TABLE table_spec
}
| ELEMENT set_spec set_block_expr
{
- $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SETELEM, &$2, &@$, $3);
+ $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
}
| FLOWTABLE flowtable_spec flowtable_block_alloc
'{' flowtable_block '}'
@@ -1169,7 +1169,7 @@ delete_cmd : TABLE table_spec
}
| ELEMENT set_spec set_block_expr
{
- $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SETELEM, &$2, &@$, $3);
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
}
| FLOWTABLE flowtable_spec
{
@@ -1227,7 +1227,7 @@ delete_cmd : TABLE table_spec
get_cmd : ELEMENT set_spec set_block_expr
{
- $$ = cmd_alloc(CMD_GET, CMD_OBJ_SETELEM, &$2, &@$, $3);
+ $$ = cmd_alloc(CMD_GET, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
}
;
diff --git a/src/parser_json.c b/src/parser_json.c
index 4468407b0ecd..c22b9c51be89 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3293,7 +3293,7 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx,
{ "rule", CMD_OBJ_RULE, json_parse_cmd_add_rule },
{ "set", CMD_OBJ_SET, json_parse_cmd_add_set },
{ "map", CMD_OBJ_SET, json_parse_cmd_add_set },
- { "element", CMD_OBJ_SETELEM, json_parse_cmd_add_element },
+ { "element", CMD_OBJ_ELEMENTS, json_parse_cmd_add_element },
{ "flowtable", CMD_OBJ_FLOWTABLE, json_parse_cmd_add_flowtable },
{ "counter", CMD_OBJ_COUNTER, json_parse_cmd_add_object },
{ "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object },
diff --git a/src/rule.c b/src/rule.c
index c58aa359259e..227b9f30b91d 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1521,7 +1521,7 @@ void cmd_free(struct cmd *cmd)
handle_free(&cmd->handle);
if (cmd->data != NULL) {
switch (cmd->obj) {
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
expr_free(cmd->expr);
break;
case CMD_OBJ_SET:
@@ -1645,7 +1645,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND);
case CMD_OBJ_SET:
return do_add_set(ctx, cmd, flags);
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
return do_add_setelems(ctx, cmd, flags);
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
@@ -1724,7 +1724,7 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
return mnl_nft_rule_del(ctx, cmd);
case CMD_OBJ_SET:
return mnl_nft_set_del(ctx, cmd);
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
return do_delete_setelems(ctx, cmd);
case CMD_OBJ_COUNTER:
return mnl_nft_obj_del(ctx, cmd, NFT_OBJECT_COUNTER);
@@ -2588,7 +2588,7 @@ static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd)
table = table_lookup(&cmd->handle, &ctx->nft->cache);
switch (cmd->obj) {
- case CMD_OBJ_SETELEM:
+ case CMD_OBJ_ELEMENTS:
return do_get_setelems(ctx, cmd, table);
default:
BUG("invalid command object type %u\n", cmd->obj);
--
2.20.1
* [PATCH nft 2/3] libnftables: call nft_cmd_expand() only with CMD_ADD
2020-05-08 12:44 [PATCH nft 1/3] src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS Pablo Neira Ayuso
@ 2020-05-08 12:44 ` Pablo Neira Ayuso
2020-05-08 12:44 ` [PATCH nft 3/3] src: add CMD_OBJ_SETELEMS Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-08 12:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw
Restrict the expansion logic to the CMD_ADD command, which is the only
place where it is required.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/libnftables.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libnftables.c b/src/libnftables.c
index 32da0a29ee21..668e3fc43031 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -419,8 +419,12 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
if (nft->state->nerrs)
return -1;
- list_for_each_entry(cmd, cmds, list)
+ list_for_each_entry(cmd, cmds, list) {
+ if (cmd->op != CMD_ADD)
+ continue;
+
nft_cmd_expand(cmd);
+ }
return 0;
}
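Review bot: The new guard `if (cmd->op != CMD_ADD) continue;` also skips commands built with CMD_CREATE, which the grammar touched by patch 1/3 produces for `create` statements, so any `create` command that previously went through nft_cmd_expand() is now left unexpanded. If create commands can carry nested definitions (not visible in this hunk), that content would take a different path than the same content under `add`, which is worth confirming for a tool that loads firewall rulesets. If the exclusion is not intended, the guard could read `if (cmd->op != CMD_ADD && cmd->op != CMD_CREATE) continue;`. nft_evaluate() starts above the hunk.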
--
2.20.1
* [PATCH nft 3/3] src: add CMD_OBJ_SETELEMS
2020-05-08 12:44 [PATCH nft 1/3] src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS Pablo Neira Ayuso
2020-05-08 12:44 ` [PATCH nft 2/3] libnftables: call nft_cmd_expand() only with CMD_ADD Pablo Neira Ayuso
@ 2020-05-08 12:44 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-08 12:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw
This new command type results from expanding the set definition into two
commands: one to add the set and another to add the elements. This
results in a 1:1 mapping between the command object and the netlink API.
The command is then translated into a netlink message which gets a
unique sequence number. This sequence number allows correlating the
netlink extended error reporting with the corresponding command.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/rule.h | 2 ++
src/rule.c | 23 +++++++++++++++++++----
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index f0f7ee33a3ae..cfb76b8a0c10 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -561,6 +561,7 @@ enum cmd_ops {
* @CMD_OBJ_ELEMENTS: set element(s)
* @CMD_OBJ_SET: set
* @CMD_OBJ_SETS: multiple sets
+ * @CMD_OBJ_SETELEMS: set elements
* @CMD_OBJ_RULE: rule
* @CMD_OBJ_CHAIN: chain
* @CMD_OBJ_CHAINS: multiple chains
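Review bot: The kernel-doc line added here, `@CMD_OBJ_SETELEMS: set elements`, is nearly identical to the existing `@CMD_OBJ_ELEMENTS: set element(s)` and does not tell a reader which of the two to use. Going by the commit message, the new object carries the elements split off from a set definition, so wording such as `@CMD_OBJ_SETELEMS: set elements, split from a set definition` would separate them. The doc entry sits after CMD_OBJ_SETS while the enum hunk below inserts the enumerator before CMD_OBJ_SETS; keeping both in the same order would be tidier. The enum insert also shifts the numeric value of every later enumerator, which matters only if these values are stored or exposed outside the process, and that is not visible from here.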
@@ -588,6 +589,7 @@ enum cmd_obj {
CMD_OBJ_INVALID,
CMD_OBJ_ELEMENTS,
CMD_OBJ_SET,
+ CMD_OBJ_SETELEMS,
CMD_OBJ_SETS,
CMD_OBJ_RULE,
CMD_OBJ_CHAIN,
diff --git a/src/rule.c b/src/rule.c
index 227b9f30b91d..1f56faeb5c3c 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1417,11 +1417,11 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, struct location *loc)
void nft_cmd_expand(struct cmd *cmd)
{
struct list_head new_cmds;
+ struct set *set, *newset;
struct flowtable *ft;
struct table *table;
struct chain *chain;
struct rule *rule;
- struct set *set;
struct obj *obj;
struct cmd *new;
struct handle h;
@@ -1477,6 +1477,18 @@ void nft_cmd_expand(struct cmd *cmd)
}
list_splice(&new_cmds, &cmd->list);
break;
+ case CMD_OBJ_SET:
+ set = cmd->set;
+ memset(&h, 0, sizeof(h));
+ handle_merge(&h, &set->handle);
+ newset = set_clone(set);
+ newset->handle.set_id = set->handle.set_id;
+ newset->init = set->init;
+ set->init = NULL;
+ new = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEMS, &h,
+ &set->location, newset);
+ list_add(&new->list, &cmd->list);
+ break;
default:
break;
}
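Review bot: The new `case CMD_OBJ_SET:` queues a CMD_OBJ_SETELEMS command for every added set, including sets without initial elements, where `set->init` is NULL and the cloned set carries nothing to send. A guard right after `set = cmd->set;`, namely `if (set->init == NULL) break;`, would avoid the extra clone and command. The transfer `newset->init = set->init; set->init = NULL;` also assumes set_clone() leaves `newset->init` unset; if it copies or references the expression, the overwrite would leak it, and set_clone() is not shown here, so this needs confirming. nft_cmd_expand() begins and ends outside this hunk.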
@@ -1525,6 +1537,7 @@ void cmd_free(struct cmd *cmd)
expr_free(cmd->expr);
break;
case CMD_OBJ_SET:
+ case CMD_OBJ_SETELEMS:
set_free(cmd->set);
break;
case CMD_OBJ_RULE:
@@ -1610,7 +1623,7 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
}
static int do_add_set(struct netlink_ctx *ctx, struct cmd *cmd,
- uint32_t flags)
+ uint32_t flags, bool add)
{
struct set *set = cmd->set;
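Review bot: The new `bool add` parameter makes do_add_set() skip `mnl_nft_set_add()` when it is false (see the next hunk), so a function named for adding a set can now send only its elements, and the call sites passing a bare `true` or `false` do not say which is which. A short comment above the function would help, for example `/* add: also create the set; false for CMD_OBJ_SETELEMS, where the set was sent by the preceding command */`. The function body continues outside this hunk.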
@@ -1621,7 +1634,7 @@ static int do_add_set(struct netlink_ctx *ctx, struct cmd *cmd,
&ctx->nft->output) < 0)
return -1;
}
- if (mnl_nft_set_add(ctx, cmd, flags) < 0)
+ if (add && mnl_nft_set_add(ctx, cmd, flags) < 0)
return -1;
if (set->init != NULL) {
return __do_add_setelems(ctx, set, set->init, flags);
@@ -1644,7 +1657,9 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
case CMD_OBJ_RULE:
return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND);
case CMD_OBJ_SET:
- return do_add_set(ctx, cmd, flags);
+ return do_add_set(ctx, cmd, flags, true);
+ case CMD_OBJ_SETELEMS:
+ return do_add_set(ctx, cmd, flags, false);
case CMD_OBJ_ELEMENTS:
return do_add_setelems(ctx, cmd, flags);
case CMD_OBJ_COUNTER:
--
2.20.1