This patchset resolves the main issues with the dynamic support for range
and its existing rb-tree implementation.

-ruleset.file-
table ip test {
        set myset {
                type ipv4_addr
                flags interval
        }

        chain input {
                type filter hook input priority 0; policy accept;
                ip daddr @myset counter packets 0 bytes 0
        }
}
-EOF-

  # nft -f ruleset.file

Then, we add range elements:

  # nft add element test myset { 127.0.0.0/24 }
  # nft add element test myset { 127.0.1.0/24 }
  # nft add element test myset { 127.0.2.0/24 }
  # nft add element test myset { 127.0.3.0/24 }
  # nft list set ip test myset
  table ip test {
        set myset {
                type ipv4_addr
                flags interval
                elements = { 127.0.0.0/24, 127.0.1.0/24, 127.0.2.0/24, 127.0.3.0/24}
        }
  }

  # nft delete element test myset { 127.0.2.0/24 }
  # nft delete element test myset { 127.0.1.0/24 }
  # nft delete element test myset { 127.0.0.0/24 }
  # nft delete element test myset { 127.0.3.0/24 }
  # nft list set ip test myset
  table ip test {
        set myset {
                type ipv4_addr
                flags interval
        }
  }

There is more work coming on this front, the bitmap set implementation
is on its way too.

Will post the userspace patchset for nft soon.

Pablo Neira Ayuso (4):
  netfilter: nf_tables: introduce nft_setelem_parse_flags() helper
  netfilter: nf_tables: parse element flags from nft_del_setelem()
  netfilter: nft_rbtree: introduce nft_rbtree_interval_end() helper
  netfilter: nft_rbtree: allow adjacent intervals with dynamic updates

 net/netfilter/nf_tables_api.c | 72 +++++++++++++++++++++++++++++++++----------
 net/netfilter/nft_rbtree.c    | 49 ++++++++++++++++++++++++-----
 2 files changed, 96 insertions(+), 25 deletions(-)

--
2.1.4