netfilter-devel.vger.kernel.org archive mirror
* [PATCH] netfilter: support for element deletion
@ 2019-07-13 16:03 Ander Juaristi
  2019-07-18 16:38 ` Florian Westphal
From: Ander Juaristi @ 2019-07-13 16:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Ander Juaristi

This patch implements element deletion from ruleset.

Example:

	table ip set-test {
		set testset {
			type ipv4_addr;
			flags timeout;
		}

		chain outputchain {
			policy accept;
			type filter hook output priority filter;

			delete @testset { ip saddr }
		}
	}

Signed-off-by: Ander Juaristi <a@juaristi.eus>
---
 include/linux/netfilter/nf_tables.h | 1 +
 src/parser_bison.y                  | 1 +
 src/statement.c                     | 1 +
 3 files changed, 3 insertions(+)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 7bdb234..76a6b17 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -634,6 +634,7 @@ enum nft_lookup_attributes {
 enum nft_dynset_ops {
 	NFT_DYNSET_OP_ADD,
 	NFT_DYNSET_OP_UPDATE,
+	NFT_DYNSET_OP_DELETE,
 };
 
 enum nft_dynset_flags {
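Review bot: NFT_DYNSET_OP_DELETE is appended to the enum in the userspace copy of the uapi header, so it is only meaningful against a kernel whose nf_tables.h defines the same value at the same position; the commit message should name the kernel-side change this depends on and note that the header is synced from it, otherwise the statement parses fine in nft and only fails at rule load time on kernels without the matching change.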
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 670e91f..21646dc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2998,6 +2998,7 @@ set_stmt		:	SET	set_stmt_op	set_elem_expr_stmt	symbol_expr
 
 set_stmt_op		:	ADD	{ $$ = NFT_DYNSET_OP_ADD; }
 			|	UPDATE	{ $$ = NFT_DYNSET_OP_UPDATE; }
+			|	DELETE  { $$ = NFT_DYNSET_OP_DELETE; }
 			;
 
 map_stmt		:	set_stmt_op	symbol_expr '{'	set_elem_expr_stmt	COLON	set_elem_expr_stmt	'}'
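Review bot: the new alternative uses two spaces before `{ $$ = NFT_DYNSET_OP_DELETE; }` while the ADD and UPDATE lines above it use a tab; match the existing alignment. More importantly, the diffstat touches only the three source files, so nothing exercises the new keyword: a parse and print round-trip test for `delete @testset { ip saddr }` (the form shown in the commit message) should accompany this hunk so a later grammar change cannot silently drop it.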
diff --git a/src/statement.c b/src/statement.c
index c559423..eba53bf 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -660,6 +660,7 @@ struct stmt *nat_stmt_alloc(const struct location *loc,
 const char * const set_stmt_op_names[] = {
 	[NFT_DYNSET_OP_ADD]	= "add",
 	[NFT_DYNSET_OP_UPDATE]	= "update",
+	[NFT_DYNSET_OP_DELETE]  = "delete",
 };
 
 static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
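Review bot: the `"delete"` entry is aligned with two spaces where the neighbouring entries use a tab; since `set_stmt_op_names[]` is indexed by the enum value, it also relies on NFT_DYNSET_OP_DELETE sitting directly after NFT_DYNSET_OP_UPDATE, which the header hunk guarantees, so keep the two hunks together in one patch. The diffstat shows no documentation change, so the `delete` form of the set statement remains undocumented beyond the commit message example; document it wherever the `add` and `update` forms are described.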
-- 
2.17.1



* Re: [PATCH] netfilter: support for element deletion
  2019-07-13 16:03 [PATCH] netfilter: support for element deletion Ander Juaristi
@ 2019-07-18 16:38 ` Florian Westphal
From: Florian Westphal @ 2019-07-18 16:38 UTC (permalink / raw)
  To: Ander Juaristi; +Cc: netfilter-devel

Ander Juaristi <a@juaristi.eus> wrote:
> This patch implements element deletion from ruleset.
> 
> Example:
> 
> 	table ip set-test {
> 		set testset {
> 			type ipv4_addr;
> 			flags timeout;
> 		}
> 
> 		chain outputchain {
> 			policy accept;
> 			type filter hook output priority filter;
> 
> 			delete @testset { ip saddr }
> 		}
> 	}

Care to add a test case for this?
Thanks.

Also:

src/nft --debug=netlink list ruleset
ip set-test outputchain 3
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ dynset unknown reg_key 1 set testset timeout 0ms ]

so this is missing a small libnftnl patch too.
Also wonder why this prints 'timeout 0ms'.  Can you investigate?

libnftnl should only print it if the attribute is set so we can
tell if the timeout is 0ms or if no timeout was set.

I've tested nft+kernel patch and I see ip saddr gets deleted again from
the set when I add an entry via 'nft add element'.

So functionality-wise both the userspace and kernel space patches
are good.
