Hi Oliver,
On Sun, 22 Sep 2013, Oliver wrote:
> From: Oliver Smith <oliver@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> This adds the core support for having comments on ipset entries.
>
> The comments are stored as standard null-terminated strings in
> dynamically allocated memory after being passed to the kernel. As a
> result of this, code has been added to the generic destroy function to
> iterate all extensions and call that extension's destroy task if the set
> has that extension activated, and if such a task is defined.
Patch is applied with a small modification:
> Signed-off-by: Oliver Smith <oliver@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> ---
> kernel/include/linux/netfilter/ipset/ip_set.h | 50 ++++++++++++++++---
> .../include/linux/netfilter/ipset/ip_set_comment.h | 57 ++++++++++++++++++++++
> kernel/include/uapi/linux/netfilter/ipset/ip_set.h | 4 ++
> kernel/net/netfilter/ipset/ip_set_core.c | 14 ++++++
> 4 files changed, 117 insertions(+), 8 deletions(-)
> create mode 100644 kernel/include/linux/netfilter/ipset/ip_set_comment.h
>
> diff --git a/kernel/include/linux/netfilter/ipset/ip_set.h b/kernel/include/linux/netfilter/ipset/ip_set.h
> index c687abb..eb71377 100644
> --- a/kernel/include/linux/netfilter/ipset/ip_set.h
> +++ b/kernel/include/linux/netfilter/ipset/ip_set.h
> @@ -54,6 +54,8 @@ enum ip_set_extension {
> IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT),
> IPSET_EXT_BIT_COUNTER = 1,
> IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER),
> + IPSET_EXT_BIT_COMMENT = 2,
> + IPSET_EXT_COMMENT = (1 << IPSET_EXT_BIT_COMMENT),
> /* Mark set with an extension which needs to call destroy */
> IPSET_EXT_BIT_DESTROY = 7,
> IPSET_EXT_DESTROY = (1 << IPSET_EXT_BIT_DESTROY),
> @@ -61,11 +63,13 @@ enum ip_set_extension {
>
> #define SET_WITH_TIMEOUT(s) ((s)->extensions & IPSET_EXT_TIMEOUT)
> #define SET_WITH_COUNTER(s) ((s)->extensions & IPSET_EXT_COUNTER)
> +#define SET_WITH_COMMENT(s) ((s)->extensions & IPSET_EXT_COMMENT)
>
> /* Extension id, in size order */
> enum ip_set_ext_id {
> IPSET_EXT_ID_COUNTER = 0,
> IPSET_EXT_ID_TIMEOUT,
> + IPSET_EXT_ID_COMMENT,
> IPSET_EXT_ID_MAX,
> };
>
> @@ -86,6 +90,7 @@ struct ip_set_ext {
> u64 packets;
> u64 bytes;
> u32 timeout;
> + char *comment;
> };
>
> struct ip_set_counter {
> @@ -93,20 +98,19 @@ struct ip_set_counter {
> atomic64_t packets;
> };
>
> -struct ip_set;
> +struct ip_set_comment {
> + char *str;
> +};
>
> -static inline void
> -ip_set_ext_destroy(struct ip_set *set, void *data)
> -{
> - /* Check that the extension is enabled for the set and
> - * call it's destroy function for its extension part in data.
> - */
> -}
> +struct ip_set;
>
> #define ext_timeout(e, s) \
> (unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])
> #define ext_counter(e, s) \
> (struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])
> +#define ext_comment(e, s) \
> +(struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])
> +
>
> typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
> const struct ip_set_ext *ext,
> @@ -224,6 +228,35 @@ struct ip_set {
> };
>
> static inline void
> +ip_set_ext_destroy(struct ip_set *set, void *data)
> +{
> + /* Check that the extension is enabled for the set and
> + * call it's destroy function for its extension part in data.
> + */
> + if (SET_WITH_COMMENT(set))
> + ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(
> + ext_comment(data, set));
> +}
> +
> +static inline int ip_set_put_flags(struct sk_buff *skb, struct ip_set *set)
> +{
> + u32 cadt_flags = 0;
> +
> + if (SET_WITH_TIMEOUT(set))
> + if (unlikely(nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
> + htonl(set->timeout))))
> + return 1;
The function should return the same error code as nla_put_net32 (even if
it's not used at the moment): changed to return -EMSGSIZE.
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
