[PATCH nft 1/4] mnl: add function to convert flowtable device list to array

[PATCH nft 1/4] mnl: add function to convert flowtable device list to array

[Pablo Neira Ayuso]

This patch adds nft_flowtable_dev_array() to convert the list of devices
into an array. This array is released through
nft_flowtable_dev_array_free().

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/mnl.c | 54 ++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 20 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index 94e80261afb7..2890014ebf3d 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1590,29 +1590,13 @@ err:
 	return NULL;
 }
 
-int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
-			  unsigned int flags)
+static const char **nft_flowtable_dev_array(struct cmd *cmd)
 {
-	struct nftnl_flowtable *flo;
 	unsigned int ifname_len;
 	const char **dev_array;
 	char ifname[IFNAMSIZ];
-	struct nlmsghdr *nlh;
 	int i = 0, len = 1;
 	struct expr *expr;
-	int priority;
-
-	flo = nftnl_flowtable_alloc();
-	if (!flo)
-		memory_allocation_error();
-
-	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
-				cmd->handle.family);
-	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
-				cmd->flowtable->hook.num);
-	mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
-			BYTEORDER_HOST_ENDIAN, sizeof(int));
-	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
 
 	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
 		len++;
@@ -1628,14 +1612,44 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 	}
 
 	dev_array[i] = NULL;
-	nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
-				 dev_array, sizeof(char *) * len);
 
-	i = 0;
+	return dev_array;
+}
+
+static void nft_flowtable_dev_array_free(const char **dev_array)
+{
+	int i = 0;
+
 	while (dev_array[i] != NULL)
 		xfree(dev_array[i++]);
 
 	free(dev_array);
+}
+
+int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
+			  unsigned int flags)
+{
+	struct nftnl_flowtable *flo;
+	const char **dev_array;
+	struct nlmsghdr *nlh;
+	int priority;
+
+	flo = nftnl_flowtable_alloc();
+	if (!flo)
+		memory_allocation_error();
+
+	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
+				cmd->handle.family);
+	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
+				cmd->flowtable->hook.num);
+	mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
+			BYTEORDER_HOST_ENDIAN, sizeof(int));
+	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
+
+	dev_array = nft_flowtable_dev_array(cmd);
+	nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
+				 dev_array, 0);
+	nft_flowtable_dev_array_free(dev_array);
 
 	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
 				cmd->flowtable->flags);
-- 
2.20.1

[PATCH nft 2/4] src: add devices to an existing flowtable

[Pablo Neira Ayuso]

This patch allows you to add new devices to an existing flowtables.

 # nft add flowtable x y { devices = { eth0 } \; }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 21 ++++++++++-----------
 src/mnl.c      | 16 +++++++++++-----
 2 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 506f2c6a257e..9b7232d9148c 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3624,17 +3624,16 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
 	if (table == NULL)
 		return table_not_found(ctx);
 
-	ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
-	if (ft->hook.num == NF_INET_NUMHOOKS)
-		return chain_error(ctx, ft, "invalid hook %s", ft->hook.name);
-
-	if (!evaluate_priority(ctx, &ft->priority, NFPROTO_NETDEV, ft->hook.num))
-		return __stmt_binary_error(ctx, &ft->priority.loc, NULL,
-					   "invalid priority expression %s.",
-					   expr_name(ft->priority.expr));
-
-	if (!ft->dev_expr)
-		return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+	if (ft->hook.name) {
+		ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
+		if (ft->hook.num == NF_INET_NUMHOOKS)
+			return chain_error(ctx, ft, "invalid hook %s",
+					   ft->hook.name);
+		if (!evaluate_priority(ctx, &ft->priority, NFPROTO_NETDEV, ft->hook.num))
+			return __stmt_binary_error(ctx, &ft->priority.loc, NULL,
+						   "invalid priority expression %s.",
+						   expr_name(ft->priority.expr));
+	}
 
 	return 0;
 }
diff --git a/src/mnl.c b/src/mnl.c
index 2890014ebf3d..8f8fcc2c7ae0 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1640,11 +1640,17 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 
 	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
 				cmd->handle.family);
-	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
-				cmd->flowtable->hook.num);
-	mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
-			BYTEORDER_HOST_ENDIAN, sizeof(int));
-	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
+
+	if (cmd->flowtable->hook.name) {
+		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
+					cmd->flowtable->hook.num);
+		mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
+				BYTEORDER_HOST_ENDIAN, sizeof(int));
+		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
+	} else {
+		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM, 0);
+		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
+	}
 
 	dev_array = nft_flowtable_dev_array(cmd);
 	nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
-- 
2.20.1

[PATCH nft 3/4] src: delete devices to an existing flowtable

[Pablo Neira Ayuso]

This patch allows you to remove a device to an existing flowtable:

 # nft delete flowtable x y { devices = { eth0 } \;  }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/mnl.c          | 11 +++++++++++
 src/parser_bison.y |  7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/src/mnl.c b/src/mnl.c
index 8f8fcc2c7ae0..759ae41ceb01 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1682,6 +1682,7 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 int mnl_nft_flowtable_del(struct netlink_ctx *ctx, struct cmd *cmd)
 {
 	struct nftnl_flowtable *flo;
+	const char **dev_array;
 	struct nlmsghdr *nlh;
 
 	flo = nftnl_flowtable_alloc();
@@ -1691,6 +1692,16 @@ int mnl_nft_flowtable_del(struct netlink_ctx *ctx, struct cmd *cmd)
 	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
 				cmd->handle.family);
 
+	if (cmd->flowtable && cmd->flowtable->dev_expr) {
+		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM, 0);
+		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
+
+		dev_array = nft_flowtable_dev_array(cmd);
+		nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
+					 dev_array, 0);
+		nft_flowtable_dev_array_free(dev_array);
+	}
+
 	nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
 				    NFT_MSG_DELFLOWTABLE, cmd->handle.family,
 				    0, ctx->seqnum);
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 8e937ca305d1..461d9bf24d95 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1179,6 +1179,13 @@ delete_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_FLOWTABLE, &$2, &@$, NULL);
 			}
+			|	FLOWTABLE	flowtable_spec	flowtable_block_alloc
+						'{'	flowtable_block	'}'
+			{
+				$5->location = @5;
+				handle_merge(&$3->handle, &$2);
+				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_FLOWTABLE, &$2, &@$, $5);
+			}
 			|	COUNTER		obj_spec
 			{
 				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_COUNTER, &$2, &@$, NULL);
-- 
2.20.1

[PATCH nft 4/4] src: allow flowtable definitions with no devices

[Pablo Neira Ayuso]

 # nft add flowtable x y { hook ingress priority 0\; }

The listing shows no devices:

 # nft list ruleset
 table ip x {
        flowtable y {
                hook ingress priority filter
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/mnl.c  | 10 ++++++----
 src/rule.c | 14 ++++++++------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index 759ae41ceb01..19f666416909 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1652,10 +1652,12 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
 	}
 
-	dev_array = nft_flowtable_dev_array(cmd);
-	nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
-				 dev_array, 0);
-	nft_flowtable_dev_array_free(dev_array);
+	if (cmd->flowtable->dev_expr) {
+		dev_array = nft_flowtable_dev_array(cmd);
+		nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
+					 dev_array, 0);
+		nft_flowtable_dev_array_free(dev_array);
+	}
 
 	nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
 				cmd->flowtable->flags);
diff --git a/src/rule.c b/src/rule.c
index 1f56faeb5c3c..21a52157391d 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2272,13 +2272,15 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
 			   flowtable->hook.num, flowtable->priority.expr),
 		  opts->stmt_separator);
 
-	nft_print(octx, "%s%sdevices = { ", opts->tab, opts->tab);
-	for (i = 0; i < flowtable->dev_array_len; i++) {
-		nft_print(octx, "%s", flowtable->dev_array[i]);
-		if (i + 1 != flowtable->dev_array_len)
-			nft_print(octx, ", ");
+	if (flowtable->dev_array_len > 0) {
+		nft_print(octx, "%s%sdevices = { ", opts->tab, opts->tab);
+		for (i = 0; i < flowtable->dev_array_len; i++) {
+			nft_print(octx, "%s", flowtable->dev_array[i]);
+			if (i + 1 != flowtable->dev_array_len)
+				nft_print(octx, ", ");
+		}
+		nft_print(octx, " }%s", opts->stmt_separator);
 	}
-	nft_print(octx, " }%s", opts->stmt_separator);
 
 	if (flowtable->flags & NFT_FLOWTABLE_COUNTER)
 		nft_print(octx, "%s%scounter%s", opts->tab, opts->tab,
-- 
2.20.1