* [PATCH libnftnl 1/3] expr: add dup expression support
From: Pablo Neira Ayuso @ 2015-08-17 2:24 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber, fw
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/expr.h | 5 +
include/linux/netfilter/nf_tables.h | 14 +++
src/Makefile.am | 1 +
src/expr/dup.c | 220 +++++++++++++++++++++++++++++++++++
src/expr_ops.c | 2 +
tests/Makefile.am | 4 +
tests/nft-expr_dup-test.c | 94 +++++++++++++++
7 files changed, 340 insertions(+)
create mode 100644 src/expr/dup.c
create mode 100644 tests/nft-expr_dup-test.c
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 59ae2d7..91875ff 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -173,6 +173,11 @@ enum {
NFT_EXPR_REDIR_FLAGS,
};
+enum {
+ NFT_EXPR_DUP_SREG_ADDR = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_DUP_SREG_DEV,
+};
+
#ifdef __cplusplus
} /* extern "C" */
#endif
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a99e6a9..cf4a1ce 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -936,6 +936,20 @@ enum nft_redir_attributes {
#define NFTA_REDIR_MAX (__NFTA_REDIR_MAX - 1)
/**
+ * enum nft_tee_attributes - nf_tables tee expression netlink attributes
+ *
+ * @NFTA_DUP_SREG_ADDR: source register of destination (NLA_U32: nft_registers)
+ * @NFTA_DUP_SREG_DEV: output interface name (NLA_U32: nft_register)
+ */
+enum nft_tee_attributes {
+ NFTA_DUP_UNSPEC,
+ NFTA_DUP_SREG_ADDR,
+ NFTA_DUP_SREG_DEV,
+ __NFTA_DUP_MAX
+};
+#define NFTA_DUP_MAX (__NFTA_DUP_MAX - 1)
+
+/**
* enum nft_gen_attributes - nf_tables ruleset generation attributes
*
* @NFTA_GEN_ID: Ruleset generation ID (NLA_U32)
diff --git a/src/Makefile.am b/src/Makefile.am
index dd87240..107cae5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -26,6 +26,7 @@ libnftnl_la_SOURCES = utils.c \
expr/counter.c \
expr/ct.c \
expr/data_reg.c \
+ expr/dup.c \
expr/exthdr.c \
expr/limit.c \
expr/log.c \
diff --git a/src/expr/dup.c b/src/expr/dup.c
new file mode 100644
index 0000000..3617fe3
--- /dev/null
+++ b/src/expr/dup.c
@@ -0,0 +1,220 @@
+/*
+ * (C) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include "internal.h"
+#include <libmnl/libmnl.h>
+#include <linux/netfilter/nf_tables.h>
+#include <libnftnl/expr.h>
+#include <libnftnl/rule.h>
+#include "expr_ops.h"
+#include "data_reg.h"
+#include <buffer.h>
+
+struct nft_expr_dup {
+ enum nft_registers sreg_addr;
+ enum nft_registers sreg_dev;
+};
+
+static int nft_rule_expr_dup_set(struct nft_rule_expr *e, uint16_t type,
+ const void *data, uint32_t data_len)
+{
+ struct nft_expr_dup *dup = nft_expr_data(e);
+
+ switch (type) {
+ case NFT_EXPR_DUP_SREG_ADDR:
+ dup->sreg_addr = *((uint32_t *)data);
+ break;
+ case NFT_EXPR_DUP_SREG_DEV:
+ dup->sreg_dev= *((uint32_t *)data);
+ break;
+ default:
+ return -1;
+ }
+ return 0;
+}
+
+static const void *nft_rule_expr_dup_get(const struct nft_rule_expr *e,
+ uint16_t type, uint32_t *data_len)
+{
+ struct nft_expr_dup *dup = nft_expr_data(e);
+
+ switch (type) {
+ case NFT_EXPR_DUP_SREG_ADDR:
+ *data_len = sizeof(dup->sreg_addr);
+ return &dup->sreg_addr;
+ case NFT_EXPR_DUP_SREG_DEV:
+ *data_len = sizeof(dup->sreg_dev);
+ return &dup->sreg_dev;
+ }
+ return NULL;
+}
+
+static int nft_rule_expr_dup_cb(const struct nlattr *attr, void *data)
+{
+ const struct nlattr **tb = data;
+ int type = mnl_attr_get_type(attr);
+
+ if (mnl_attr_type_valid(attr, NFTA_DUP_MAX) < 0)
+ return MNL_CB_OK;
+
+ switch (type) {
+ case NFTA_DUP_SREG_ADDR:
+ case NFTA_DUP_SREG_DEV:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ abi_breakage();
+ break;
+ }
+
+ tb[type] = attr;
+ return MNL_CB_OK;
+}
+
+static void nft_rule_expr_dup_build(struct nlmsghdr *nlh,
+ struct nft_rule_expr *e)
+{
+ struct nft_expr_dup *dup = nft_expr_data(e);
+
+ if (e->flags & (1 << NFT_EXPR_DUP_SREG_ADDR))
+ mnl_attr_put_u32(nlh, NFTA_DUP_SREG_ADDR, htonl(dup->sreg_addr));
+ if (e->flags & (1 << NFT_EXPR_DUP_SREG_DEV))
+ mnl_attr_put_u32(nlh, NFTA_DUP_SREG_DEV, htonl(dup->sreg_dev));
+}
+
+static int nft_rule_expr_dup_parse(struct nft_rule_expr *e, struct nlattr *attr)
+{
+ struct nft_expr_dup *dup = nft_expr_data(e);
+ struct nlattr *tb[NFTA_DUP_MAX + 1] = {};
+ int ret = 0;
+
+ if (mnl_attr_parse_nested(attr, nft_rule_expr_dup_cb, tb) < 0)
+ return -1;
+
+ if (tb[NFTA_DUP_SREG_ADDR]) {
+ dup->sreg_addr = ntohl(mnl_attr_get_u32(tb[NFTA_DUP_SREG_ADDR]));
+ e->flags |= (1 << NFT_EXPR_DUP_SREG_ADDR);
+ }
+ if (tb[NFTA_DUP_SREG_DEV]) {
+ dup->sreg_dev = ntohl(mnl_attr_get_u32(tb[NFTA_DUP_SREG_DEV]));
+ e->flags |= (1 << NFT_EXPR_DUP_SREG_DEV);
+ }
+
+ return ret;
+}
+
+static int nft_rule_expr_dup_json_parse(struct nft_rule_expr *e, json_t *root,
+ struct nft_parse_err *err)
+{
+#ifdef JSON_PARSING
+ struct nft_expr_dup *dup = nft_expr_data(e);
+ uint32_t sreg_addr, sreg_dev;
+ int datareg_type;
+
+ ret = nft_jansson_parse_val(root, "sreg_addr", NFT_TYPE_U32, &sreg_addr, err);
+ if (ret >= 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_DUP_SREG_DEV, sreg_addr);
+ ret = nft_jansson_parse_val(root, "sreg_dev", NFT_TYPE_U32, &sreg_dev, err);
+ if (ret >= 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_DUP_SREG_DEV, sreg_dev);
+
+
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static int nft_rule_expr_dup_xml_parse(struct nft_rule_expr *e,
+ mxml_node_t *tree,
+ struct nft_parse_err *err)
+{
+#ifdef XML_PARSING
+ struct nft_expr_dup *dup = nft_expr_data(e);
+ uint32_t sreg_addr, sreg_dev;
+
+ if (nft_mxml_reg_parse(tree, "sreg_addr", &sreg_addr, MXML_DESCEND_FIRST,
+ NFT_XML_OPT, err) == 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_DUP_SREG_ADDR, sreg_addr);
+ if (nft_mxml_reg_parse(tree, "sreg_dev", &sreg_dev, MXML_DESCEND_FIRST,
+ NFT_XML_OPT, err) == 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_DUP_SREG_DEV, sreg_dev);
+
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static int nft_rule_expr_dup_export(char *buf, size_t size,
+ struct nft_rule_expr *e, int type)
+{
+ struct nft_expr_dup *dup = nft_expr_data(e);
+ NFT_BUF_INIT(b, buf, size);
+
+ if (e->flags & (1 << NFT_EXPR_DUP_SREG_ADDR))
+ nft_buf_u32(&b, type, dup->sreg_addr, "sreg_addr");
+ if (e->flags & (1 << NFT_EXPR_DUP_SREG_DEV))
+ nft_buf_u32(&b, type, dup->sreg_addr, "sreg_dev");
+
+ return nft_buf_done(&b);
+}
+
+static int nft_rule_expr_dup_snprintf_default(char *buf, size_t len,
+ struct nft_rule_expr *e,
+ uint32_t flags)
+{
+ int size = len, offset = 0, ret;
+ struct nft_expr_dup *dup = nft_expr_data(e);
+
+ if (e->flags & (1 << NFT_EXPR_DUP_SREG_ADDR)) {
+ ret = snprintf(buf + offset, len, "sreg_addr %u", dup->sreg_addr);
+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+ }
+
+ if (e->flags & (1 << NFT_EXPR_DUP_SREG_DEV)) {
+ ret = snprintf(buf + offset, len, "sreg_dev %u", dup->sreg_dev);
+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+ }
+
+ return offset;
+}
+
+static int nft_rule_expr_dup_snprintf(char *buf, size_t len, uint32_t type,
+ uint32_t flags, struct nft_rule_expr *e)
+{
+ switch (type) {
+ case NFT_OUTPUT_DEFAULT:
+ return nft_rule_expr_dup_snprintf_default(buf, len, e, flags);
+ case NFT_OUTPUT_XML:
+ case NFT_OUTPUT_JSON:
+ return nft_rule_expr_dup_export(buf, len, e, type);
+ default:
+ break;
+ }
+ return -1;
+}
+
+struct expr_ops expr_ops_dup = {
+ .name = "dup",
+ .alloc_len = sizeof(struct nft_expr_dup),
+ .max_attr = NFTA_DUP_MAX,
+ .set = nft_rule_expr_dup_set,
+ .get = nft_rule_expr_dup_get,
+ .parse = nft_rule_expr_dup_parse,
+ .build = nft_rule_expr_dup_build,
+ .snprintf = nft_rule_expr_dup_snprintf,
+ .xml_parse = nft_rule_expr_dup_xml_parse,
+ .json_parse = nft_rule_expr_dup_json_parse,
+};
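Review bot: nft_rule_expr_dup_json_parse does not compile once JSON_PARSING is defined: `ret` is assigned but never declared (replace the unused `int datareg_type;` with `int ret;`), and its first setter stores the parsed sreg_addr under NFT_EXPR_DUP_SREG_DEV, so it should read `nft_rule_expr_set_u32(e, NFT_EXPR_DUP_SREG_ADDR, sreg_addr);`. nft_rule_expr_dup_export has the mirror-image slip: the "sreg_dev" key is written with `dup->sreg_addr` and should be `nft_buf_u32(&b, type, dup->sreg_dev, "sreg_dev");`. In nft_rule_expr_dup_snprintf_default the two formats have no separator, so a rule with both registers prints as `sreg_addr 1sreg_dev 2`; following the trailing-space convention the limit expression uses, `"sreg_addr %u "` and `"sreg_dev %u "` fix that. The `dup` locals in the JSON and XML parsers are unused and can be dropped.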
diff --git a/src/expr_ops.c b/src/expr_ops.c
index 2de5805..c93d7de 100644
--- a/src/expr_ops.c
+++ b/src/expr_ops.c
@@ -9,6 +9,7 @@ extern struct expr_ops expr_ops_byteorder;
extern struct expr_ops expr_ops_cmp;
extern struct expr_ops expr_ops_counter;
extern struct expr_ops expr_ops_ct;
+extern struct expr_ops expr_ops_dup;
extern struct expr_ops expr_ops_exthdr;
extern struct expr_ops expr_ops_immediate;
extern struct expr_ops expr_ops_limit;
@@ -31,6 +32,7 @@ static struct expr_ops *expr_ops[] = {
&expr_ops_cmp,
&expr_ops_counter,
&expr_ops_ct,
+ &expr_ops_dup,
&expr_ops_exthdr,
&expr_ops_immediate,
&expr_ops_limit,
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c0356f1..51403e5 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -14,6 +14,7 @@ check_PROGRAMS = nft-parsing-test \
nft-expr_counter-test \
nft-expr_cmp-test \
nft-expr_ct-test \
+ nft-expr_dup-test \
nft-expr_exthdr-test \
nft-expr_immediate-test \
nft-expr_limit-test \
@@ -62,6 +63,9 @@ nft_expr_exthdr_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
nft_expr_ct_test_SOURCES = nft-expr_ct-test.c
nft_expr_ct_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
+nft_expr_dup_test_SOURCES = nft-expr_dup-test.c
+nft_expr_dup_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
+
nft_expr_immediate_test_SOURCES = nft-expr_counter-test.c
nft_expr_immediate_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
diff --git a/tests/nft-expr_dup-test.c b/tests/nft-expr_dup-test.c
new file mode 100644
index 0000000..ed060af
--- /dev/null
+++ b/tests/nft-expr_dup-test.c
@@ -0,0 +1,94 @@
+/*
+ * (C) 2013 by Ana Rey Botello <anarey@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <linux/netfilter/nf_tables.h>
+#include <libmnl/libmnl.h>
+#include <libnftnl/rule.h>
+#include <libnftnl/expr.h>
+
+static int test_ok = 1;
+static void print_err(const char *msg)
+{
+ test_ok = 0;
+ printf("\033[31mERROR:\e[0m %s\n", msg);
+}
+
+static void cmp_nft_rule_expr(struct nft_rule_expr *rule_a,
+ struct nft_rule_expr *rule_b)
+{
+ if (nft_rule_expr_get_u32(rule_a, NFT_EXPR_DUP_SREG_ADDR) !=
+ nft_rule_expr_get_u32(rule_b, NFT_EXPR_DUP_SREG_ADDR))
+ print_err("Expr SREG_TO mismatches");
+ if (nft_rule_expr_get_u32(rule_a, NFT_EXPR_DUP_SREG_DEV) !=
+ nft_rule_expr_get_u32(rule_b, NFT_EXPR_DUP_SREG_DEV))
+ print_err("Expr SREG_OIF mismatches");
+}
+
+int main(int argc, char *argv[])
+{
+ struct nft_rule *a, *b;
+ struct nft_rule_expr *ex;
+ struct nlmsghdr *nlh;
+ char buf[4096];
+ struct nft_rule_expr_iter *iter_a, *iter_b;
+ struct nft_rule_expr *rule_a, *rule_b;
+
+ a = nft_rule_alloc();
+ b = nft_rule_alloc();
+ if (a == NULL || b == NULL)
+ print_err("OOM");
+ ex = nft_rule_expr_alloc("dup");
+ if (ex == NULL)
+ print_err("OOM");
+
+ nft_rule_expr_set_u32(ex, NFT_EXPR_DUP_SREG_ADDR, 0x12345678);
+ nft_rule_expr_set_u32(ex, NFT_EXPR_DUP_SREG_DEV, 0x78123456);
+
+ nft_rule_add_expr(a, ex);
+
+ nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nft_rule_nlmsg_build_payload(nlh, a);
+
+ if (nft_rule_nlmsg_parse(nlh, b) < 0)
+ print_err("parsing problems");
+
+ iter_a = nft_rule_expr_iter_create(a);
+ iter_b = nft_rule_expr_iter_create(b);
+ if (iter_a == NULL || iter_b == NULL)
+ print_err("OOM");
+
+ rule_a = nft_rule_expr_iter_next(iter_a);
+ rule_b = nft_rule_expr_iter_next(iter_b);
+ if (rule_a == NULL || rule_b == NULL)
+ print_err("OOM");
+
+ cmp_nft_rule_expr(rule_a, rule_b);
+
+ if (nft_rule_expr_iter_next(iter_a) != NULL ||
+ nft_rule_expr_iter_next(iter_b) != NULL)
+ print_err("More 1 expr.");
+
+ nft_rule_expr_iter_destroy(iter_a);
+ nft_rule_expr_iter_destroy(iter_b);
+ nft_rule_free(a);
+ nft_rule_free(b);
+
+ if (!test_ok)
+ exit(EXIT_FAILURE);
+
+ printf("%s: \033[32mOK\e[0m\n", argv[0]);
+ return EXIT_SUCCESS;
+}
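Review bot: The mismatch messages in cmp_nft_rule_expr name registers this expression does not have (`SREG_TO`, `SREG_OIF`), which will mislead whoever reads a failing run; use `print_err("Expr SREG_ADDR mismatches");` and `print_err("Expr SREG_DEV mismatches");`. The allocation checks in main only call print_err and then continue, so a NULL `ex` or iterator is dereferenced on the very next call; this mirrors the other libnftnl tests, but an `exit(EXIT_FAILURE)` after the OOM messages would turn that crash into a reported failure. The copyright line (2013, a different author) also looks copied from an older test into a file created in 2015.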
--
1.7.10.4
* [PATCH libnftnl 2/3] expr: limit: add burst attribute
From: Pablo Neira Ayuso @ 2015-08-17 2:24 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber, fw
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/buffer.h | 1 +
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/limit.c | 32 ++++++++++++++++++++++++++++----
tests/nft-expr_limit-test.c | 4 ++++
5 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/include/buffer.h b/include/buffer.h
index 38b6136..08e697c 100644
--- a/include/buffer.h
+++ b/include/buffer.h
@@ -38,6 +38,7 @@ int nft_buf_reg(struct nft_buf *b, int type, union nft_data_reg *reg,
#define BASE "base"
#define BYTES "bytes"
+#define BURST "burst"
#define CHAIN "chain"
#define CODE "code"
#define DATA "data"
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 91875ff..730c9b9 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -150,6 +150,7 @@ enum {
enum {
NFT_EXPR_LIMIT_RATE = NFT_RULE_EXPR_ATTR_BASE,
NFT_EXPR_LIMIT_UNIT,
+ NFT_EXPR_LIMIT_BURST,
};
enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index cf4a1ce..e188ad2 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -761,11 +761,13 @@ enum nft_ct_attributes {
*
* @NFTA_LIMIT_RATE: refill rate (NLA_U64)
* @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
+ * @NFTA_LIMIT_BURST: burst (NLA_U32)
*/
enum nft_limit_attributes {
NFTA_LIMIT_UNSPEC,
NFTA_LIMIT_RATE,
NFTA_LIMIT_UNIT,
+ NFTA_LIMIT_BURST,
__NFTA_LIMIT_MAX
};
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 3ad246e..5ac70c5 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -25,6 +25,7 @@
struct nft_expr_limit {
uint64_t rate;
uint64_t unit;
+ uint32_t burst;
};
static int
@@ -40,6 +41,9 @@ nft_rule_expr_limit_set(struct nft_rule_expr *e, uint16_t type,
case NFT_EXPR_LIMIT_UNIT:
limit->unit = *((uint64_t *)data);
break;
+ case NFT_EXPR_LIMIT_BURST:
+ limit->burst = *((uint32_t *)data);
+ break;
default:
return -1;
}
@@ -59,6 +63,9 @@ nft_rule_expr_limit_get(const struct nft_rule_expr *e, uint16_t type,
case NFT_EXPR_LIMIT_UNIT:
*data_len = sizeof(uint64_t);
return &limit->unit;
+ case NFT_EXPR_LIMIT_BURST:
+ *data_len = sizeof(uint32_t);
+ return &limit->burst;
}
return NULL;
}
@@ -77,6 +84,10 @@ static int nft_rule_expr_limit_cb(const struct nlattr *attr, void *data)
if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
abi_breakage();
break;
+ case NFTA_LIMIT_BURST:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ abi_breakage();
+ break;
}
tb[type] = attr;
@@ -92,6 +103,8 @@ nft_rule_expr_limit_build(struct nlmsghdr *nlh, struct nft_rule_expr *e)
mnl_attr_put_u64(nlh, NFTA_LIMIT_RATE, htobe64(limit->rate));
if (e->flags & (1 << NFT_EXPR_LIMIT_UNIT))
mnl_attr_put_u64(nlh, NFTA_LIMIT_UNIT, htobe64(limit->unit));
+ if (e->flags & (1 << NFT_EXPR_LIMIT_BURST))
+ mnl_attr_put_u32(nlh, NFTA_LIMIT_BURST, htonl(limit->burst));
}
static int
@@ -111,6 +124,10 @@ nft_rule_expr_limit_parse(struct nft_rule_expr *e, struct nlattr *attr)
limit->unit = be64toh(mnl_attr_get_u64(tb[NFTA_LIMIT_UNIT]));
e->flags |= (1 << NFT_EXPR_LIMIT_UNIT);
}
+ if (tb[NFTA_LIMIT_BURST]) {
+ limit->burst = ntohl(mnl_attr_get_u32(tb[NFTA_LIMIT_BURST]));
+ e->flags |= (1 << NFT_EXPR_LIMIT_BURST);
+ }
return 0;
}
@@ -120,12 +137,14 @@ static int nft_rule_expr_limit_json_parse(struct nft_rule_expr *e, json_t *root,
{
#ifdef JSON_PARSING
uint64_t uval64;
+ uint32_t uval32;
if (nft_jansson_parse_val(root, "rate", NFT_TYPE_U64, &uval64, err) == 0)
nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_RATE, uval64);
-
if (nft_jansson_parse_val(root, "unit", NFT_TYPE_U64, &uval64, err) == 0)
nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_UNIT, uval64);
+ if (nft_jansson_parse_val(root, "burst", NFT_TYPE_U32, &uval32, err) == 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_LIMIT_BURST, uval32);
return 0;
#else
@@ -140,14 +159,17 @@ static int nft_rule_expr_limit_xml_parse(struct nft_rule_expr *e,
{
#ifdef XML_PARSING
uint64_t rate, unit;
+ uint32_t burst;
if (nft_mxml_num_parse(tree, "rate", MXML_DESCEND_FIRST, BASE_DEC,
&rate, NFT_TYPE_U64, NFT_XML_MAND, err) == 0)
nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_RATE, rate);
-
if (nft_mxml_num_parse(tree, "unit", MXML_DESCEND_FIRST, BASE_DEC,
&unit, NFT_TYPE_U64, NFT_XML_MAND, err) == 0)
nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_UNIT, unit);
+ if (nft_mxml_num_parse(tree, "burst", MXML_DESCEND_FIRST, BASE_DEC,
+ &burst, NFT_TYPE_U32, NFT_XML_MAND, err) == 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_LIMIT_BURST, burst);
return 0;
#else
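Review bot: The new `burst` element is parsed with NFT_XML_MAND, while burst is optional everywhere else in this patch (the netlink build and export paths only emit it when the NFT_EXPR_LIMIT_BURST flag is set); if NFT_XML_MAND makes the element mandatory as its name suggests, XML rulesets saved before this change have no `burst` and would now fail to parse. Passing `NFT_XML_OPT`, as the dup expression's XML parser does for its registers, keeps them loadable. The same applies to the `type` element added in patch 3/3's xml_parse hunk. The function's header and #else branch lie outside this hunk.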
@@ -178,6 +200,8 @@ static int nft_rule_expr_limit_export(char *buf, size_t size,
nft_buf_u64(&b, type, limit->rate, RATE);
if (e->flags & (1 << NFT_EXPR_LIMIT_UNIT))
nft_buf_u64(&b, type, limit->unit, UNIT);
+ if (e->flags & (1 << NFT_EXPR_LIMIT_BURST))
+ nft_buf_u32(&b, type, limit->burst, BURST);
return nft_buf_done(&b);
}
@@ -187,8 +211,8 @@ static int nft_rule_expr_limit_snprintf_default(char *buf, size_t len,
{
struct nft_expr_limit *limit = nft_expr_data(e);
- return snprintf(buf, len, "rate %"PRIu64"/%s ",
- limit->rate, get_unit(limit->unit));
+ return snprintf(buf, len, "rate %"PRIu64"/%s burst %u ",
+ limit->rate, get_unit(limit->unit), limit->burst);
}
static int
diff --git a/tests/nft-expr_limit-test.c b/tests/nft-expr_limit-test.c
index 38c3e5b..f86a78d 100644
--- a/tests/nft-expr_limit-test.c
+++ b/tests/nft-expr_limit-test.c
@@ -37,6 +37,9 @@ static void cmp_nft_rule_expr(struct nft_rule_expr *rule_a,
if (nft_rule_expr_get_u64(rule_a, NFT_EXPR_LIMIT_UNIT) !=
nft_rule_expr_get_u64(rule_b, NFT_EXPR_LIMIT_UNIT))
print_err("Expr CTR_PACKET mismatches");
+ if (nft_rule_expr_get_u64(rule_a, NFT_EXPR_LIMIT_BURST) !=
+ nft_rule_expr_get_u64(rule_b, NFT_EXPR_LIMIT_BURST))
+ print_err("Expr CTR_PACKET mismatches");
}
int main(int argc, char *argv[])
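Review bot: The new comparison reads NFT_EXPR_LIMIT_BURST through nft_rule_expr_get_u64, but the getter in this patch publishes burst as a 4-byte field (`*data_len = sizeof(uint32_t)`), so unless the u64 accessor checks data_len this reads four bytes past `burst` into struct padding, which may differ between the built and the parsed expression and make the test flaky; use `nft_rule_expr_get_u32(rule_a, NFT_EXPR_LIMIT_BURST) != nft_rule_expr_get_u32(rule_b, NFT_EXPR_LIMIT_BURST)`. The error string `"Expr CTR_PACKET mismatches"` is copied from the unit check and should say `"Expr LIMIT_BURST mismatches"`. Patch 3/3's test hunk repeats both issues for NFT_EXPR_LIMIT_TYPE. cmp_nft_rule_expr's signature sits in the hunk header, outside the hunk.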
@@ -58,6 +61,7 @@ int main(int argc, char *argv[])
nft_rule_expr_set_u64(ex, NFT_EXPR_LIMIT_RATE, 0x123456789abcdef0);
nft_rule_expr_set_u64(ex, NFT_EXPR_LIMIT_UNIT, 0x123456789abcdef0);
+ nft_rule_expr_set_u32(ex, NFT_EXPR_LIMIT_BURST, 0x89123456);
nft_rule_add_expr(a, ex);
--
1.7.10.4
* [PATCH libnftnl 3/3] expr: limit: add per-byte limiting support
From: Pablo Neira Ayuso @ 2015-08-17 2:24 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber, fw
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 7 ++++++
src/expr/limit.c | 40 ++++++++++++++++++++++++++++++++---
tests/nft-expr_limit-test.c | 4 ++++
4 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 730c9b9..0d01c29 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -151,6 +151,7 @@ enum {
NFT_EXPR_LIMIT_RATE = NFT_RULE_EXPR_ATTR_BASE,
NFT_EXPR_LIMIT_UNIT,
NFT_EXPR_LIMIT_BURST,
+ NFT_EXPR_LIMIT_TYPE,
};
enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index e188ad2..b977192 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -756,18 +756,25 @@ enum nft_ct_attributes {
};
#define NFTA_CT_MAX (__NFTA_CT_MAX - 1)
+enum nft_limit_type {
+ NFT_LIMIT_PKTS,
+ NFT_LIMIT_BYTES
+};
+
/**
* enum nft_limit_attributes - nf_tables limit expression netlink attributes
*
* @NFTA_LIMIT_RATE: refill rate (NLA_U64)
* @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
* @NFTA_LIMIT_BURST: burst (NLA_U32)
+ * @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type)
*/
enum nft_limit_attributes {
NFTA_LIMIT_UNSPEC,
NFTA_LIMIT_RATE,
NFTA_LIMIT_UNIT,
NFTA_LIMIT_BURST,
+ NFTA_LIMIT_TYPE,
__NFTA_LIMIT_MAX
};
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 5ac70c5..087041e 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -26,6 +26,7 @@ struct nft_expr_limit {
uint64_t rate;
uint64_t unit;
uint32_t burst;
+ enum nft_limit_type type;
};
static int
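Review bot: `type` is stored as `enum nft_limit_type`, but the setter and getter in the following hunks access it as a `uint32_t` (`limit->type = *((uint32_t *)data)` and `*data_len = sizeof(uint32_t)` with `&limit->type`); an enum's width and signedness are implementation-defined, so declaring the field `uint32_t type;` makes the struct match its accessors and the NLA_U32 attribute it mirrors, the way `burst` is declared right above it.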
@@ -44,6 +45,9 @@ nft_rule_expr_limit_set(struct nft_rule_expr *e, uint16_t type,
case NFT_EXPR_LIMIT_BURST:
limit->burst = *((uint32_t *)data);
break;
+ case NFT_EXPR_LIMIT_TYPE:
+ limit->type = *((uint32_t *)data);
+ break;
default:
return -1;
}
@@ -66,6 +70,9 @@ nft_rule_expr_limit_get(const struct nft_rule_expr *e, uint16_t type,
case NFT_EXPR_LIMIT_BURST:
*data_len = sizeof(uint32_t);
return &limit->burst;
+ case NFT_EXPR_LIMIT_TYPE:
+ *data_len = sizeof(uint32_t);
+ return &limit->type;
}
return NULL;
}
@@ -85,6 +92,7 @@ static int nft_rule_expr_limit_cb(const struct nlattr *attr, void *data)
abi_breakage();
break;
case NFTA_LIMIT_BURST:
+ case NFTA_LIMIT_TYPE:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
break;
@@ -105,6 +113,8 @@ nft_rule_expr_limit_build(struct nlmsghdr *nlh, struct nft_rule_expr *e)
mnl_attr_put_u64(nlh, NFTA_LIMIT_UNIT, htobe64(limit->unit));
if (e->flags & (1 << NFT_EXPR_LIMIT_BURST))
mnl_attr_put_u32(nlh, NFTA_LIMIT_BURST, htonl(limit->burst));
+ if (e->flags & (1 << NFT_EXPR_LIMIT_TYPE))
+ mnl_attr_put_u32(nlh, NFTA_LIMIT_TYPE, htonl(limit->type));
}
static int
@@ -128,6 +138,10 @@ nft_rule_expr_limit_parse(struct nft_rule_expr *e, struct nlattr *attr)
limit->burst = ntohl(mnl_attr_get_u32(tb[NFTA_LIMIT_BURST]));
e->flags |= (1 << NFT_EXPR_LIMIT_BURST);
}
+ if (tb[NFTA_LIMIT_TYPE]) {
+ limit->type = ntohl(mnl_attr_get_u32(tb[NFTA_LIMIT_TYPE]));
+ e->flags |= (1 << NFT_EXPR_LIMIT_TYPE);
+ }
return 0;
}
@@ -145,6 +159,8 @@ static int nft_rule_expr_limit_json_parse(struct nft_rule_expr *e, json_t *root,
nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_UNIT, uval64);
if (nft_jansson_parse_val(root, "burst", NFT_TYPE_U32, &uval32, err) == 0)
nft_rule_expr_set_u32(e, NFT_EXPR_LIMIT_BURST, uval32);
+ if (nft_jansson_parse_val(root, "type", NFT_TYPE_U32, &uval32, err) == 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_LIMIT_TYPE, uval32);
return 0;
#else
@@ -159,7 +175,7 @@ static int nft_rule_expr_limit_xml_parse(struct nft_rule_expr *e,
{
#ifdef XML_PARSING
uint64_t rate, unit;
- uint32_t burst;
+ uint32_t burst, type;
if (nft_mxml_num_parse(tree, "rate", MXML_DESCEND_FIRST, BASE_DEC,
&rate, NFT_TYPE_U64, NFT_XML_MAND, err) == 0)
@@ -170,6 +186,9 @@ static int nft_rule_expr_limit_xml_parse(struct nft_rule_expr *e,
if (nft_mxml_num_parse(tree, "burst", MXML_DESCEND_FIRST, BASE_DEC,
&burst, NFT_TYPE_U32, NFT_XML_MAND, err) == 0)
nft_rule_expr_set_u32(e, NFT_EXPR_LIMIT_BURST, burst);
+ if (nft_mxml_num_parse(tree, "type", MXML_DESCEND_FIRST, BASE_DEC,
+ &burst, NFT_TYPE_U32, NFT_XML_MAND, err) == 0)
+ nft_rule_expr_set_u32(e, NFT_EXPR_LIMIT_TYPE, type);
return 0;
#else
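Review bot: The new `type` element is parsed into `&burst` instead of `&type`, so `type` is never written and `nft_rule_expr_set_u32(e, NFT_EXPR_LIMIT_TYPE, type)` stores an uninitialized value (and silently clobbers the burst already consumed); the call should pass `&type, NFT_TYPE_U32, NFT_XML_MAND, err`. A build with -Wuninitialized and XML_PARSING enabled should flag this. The function's head and #else branch are outside the hunk.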
@@ -202,17 +221,32 @@ static int nft_rule_expr_limit_export(char *buf, size_t size,
nft_buf_u64(&b, type, limit->unit, UNIT);
if (e->flags & (1 << NFT_EXPR_LIMIT_BURST))
nft_buf_u32(&b, type, limit->burst, BURST);
+ if (e->flags & (1 << NFT_EXPR_LIMIT_TYPE))
+ nft_buf_u32(&b, type, limit->type, TYPE);
return nft_buf_done(&b);
}
+static const char *limit_to_type(enum nft_limit_type type)
+{
+ switch (type) {
+ default:
+ case NFT_LIMIT_PKTS:
+ return "packets";
+ case NFT_LIMIT_BYTES:
+ return "bytes";
+ }
+ return "unknown";
+}
+
static int nft_rule_expr_limit_snprintf_default(char *buf, size_t len,
struct nft_rule_expr *e)
{
struct nft_expr_limit *limit = nft_expr_data(e);
- return snprintf(buf, len, "rate %"PRIu64"/%s burst %u ",
- limit->rate, get_unit(limit->unit), limit->burst);
+ return snprintf(buf, len, "rate %"PRIu64"/%s burst %u type %s ",
+ limit->rate, get_unit(limit->unit), limit->burst,
+ limit_to_type(limit->type));
}
static int
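Review bot: In limit_to_type the `default:` label sits above `case NFT_LIMIT_PKTS:`, so any value the library does not know (e.g. one a newer kernel sends) prints as "packets" and the `return "unknown";` after the switch is unreachable; move `default:` below the two cases so it falls to `return "unknown";`, which also lets the compiler drop the dead statement. The export path uses a `TYPE` string macro from buffer.h that this series does not add (patch 2/3 added `BURST` there); if buffer.h does not already define it, nft_rule_expr_limit_export will not compile.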
diff --git a/tests/nft-expr_limit-test.c b/tests/nft-expr_limit-test.c
index f86a78d..1c272ba 100644
--- a/tests/nft-expr_limit-test.c
+++ b/tests/nft-expr_limit-test.c
@@ -40,6 +40,9 @@ static void cmp_nft_rule_expr(struct nft_rule_expr *rule_a,
if (nft_rule_expr_get_u64(rule_a, NFT_EXPR_LIMIT_BURST) !=
nft_rule_expr_get_u64(rule_b, NFT_EXPR_LIMIT_BURST))
print_err("Expr CTR_PACKET mismatches");
+ if (nft_rule_expr_get_u64(rule_a, NFT_EXPR_LIMIT_TYPE) !=
+ nft_rule_expr_get_u64(rule_b, NFT_EXPR_LIMIT_TYPE))
+ print_err("Expr TYPE mismatches");
}
int main(int argc, char *argv[])
@@ -62,6 +65,7 @@ int main(int argc, char *argv[])
nft_rule_expr_set_u64(ex, NFT_EXPR_LIMIT_RATE, 0x123456789abcdef0);
nft_rule_expr_set_u64(ex, NFT_EXPR_LIMIT_UNIT, 0x123456789abcdef0);
nft_rule_expr_set_u32(ex, NFT_EXPR_LIMIT_BURST, 0x89123456);
+ nft_rule_expr_set_u32(ex, NFT_EXPR_LIMIT_TYPE, 0xdef01234);
nft_rule_add_expr(a, ex);
--
1.7.10.4
* Re: [PATCH libnftnl 1/3] expr: add dup expression support
From: Patrick McHardy @ 2015-08-17 13:24 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, fw
On 17.08, Pablo Neira Ayuso wrote:
> index a99e6a9..cf4a1ce 100644
> --- a/include/linux/netfilter/nf_tables.h
> +++ b/include/linux/netfilter/nf_tables.h
> @@ -936,6 +936,20 @@ enum nft_redir_attributes {
> #define NFTA_REDIR_MAX (__NFTA_REDIR_MAX - 1)
>
> /**
> + * enum nft_tee_attributes - nf_tables tee expression netlink attributes
> + *
> + * @NFTA_DUP_SREG_ADDR: source register of destination (NLA_U32: nft_registers)
> + * @NFTA_DUP_SREG_DEV: output interface name (NLA_U32: nft_register)
> + */
> +enum nft_tee_attributes {
Shouldn't these be called nft_dup_attributes?
> + NFTA_DUP_UNSPEC,
> + NFTA_DUP_SREG_ADDR,
> + NFTA_DUP_SREG_DEV,
> + __NFTA_DUP_MAX
> +};
> +#define NFTA_DUP_MAX (__NFTA_DUP_MAX - 1)
* Re: [PATCH libnftnl 1/3] expr: add dup expression support
From: Pablo Neira Ayuso @ 2015-08-17 15:18 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel, fw
On Mon, Aug 17, 2015 at 02:24:20PM +0100, Patrick McHardy wrote:
> On 17.08, Pablo Neira Ayuso wrote:
> > index a99e6a9..cf4a1ce 100644
> > --- a/include/linux/netfilter/nf_tables.h
> > +++ b/include/linux/netfilter/nf_tables.h
> > @@ -936,6 +936,20 @@ enum nft_redir_attributes {
> > #define NFTA_REDIR_MAX (__NFTA_REDIR_MAX - 1)
> >
> > /**
> > + * enum nft_tee_attributes - nf_tables tee expression netlink attributes
> > + *
> > + * @NFTA_DUP_SREG_ADDR: source register of destination (NLA_U32: nft_registers)
> > + * @NFTA_DUP_SREG_DEV: output interface name (NLA_U32: nft_register)
> > + */
> > +enum nft_tee_attributes {
>
> Shouldn't these be called nft_dup_attributes?
Yes, this is a leftover from previous kernel patches; I will resync these
headers and push this into master once that is fixed. Thanks!