On Thu, Mar 15, 2018 at 07:24:01PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Mar 15, 2018 at 09:23:21AM +0100, Laura Garcia Liebana wrote:
> > The support of dynamic adds and updates are only available for sets
> > and meters. This patch gives such abilities to maps as well.
> >
> > This patch is useful in cases where dynamic population of maps are
> > required, for example, to maintain a persistence during some period
> > of time.
> >
> > Example:
> >
> > table ip nftlb {
> >     map persistencia {
> >         type ipv4_addr : mark
> >         timeout 1h
> >         elements = { 192.168.1.132 expires 59m55s : 0x00000064,
> >                      192.168.56.101 expires 59m24s : 0x00000065 }
> >     }
> >
> >     chain pre {
> >         type nat hook prerouting priority 0; policy accept;
> >         map update \
> >             { @nh,96,32 : numgen inc mod 2 offset 100 } @persistencia
>
> Not related to this patch, but this reminds me I think it would be
> good if we place curly braces around the key in set updates:
>
>         set update { ip saddr } @x
>
> >     }
> > }
> >
> > An example of the netlink generated sequence:
> >
> >  nft --debug=netlink add rule ip nftlb pre map add \
> >     { ip saddr : numgen inc mod 2 offset 100 } @persistencia
> > ip nftlb pre
> >   [ payload load 4b @ network header + 12 => reg 1 ]
> >   [ numgen reg 2 = inc mod 2 offset 100 ]
> >   [ dynset add reg_key 1 set persistencia sreg_data 2 ]

There's a shift/reduce conflict in bison with this syntax, problem is
'map_expr'.

We could use this syntax instead?

        update map { @nh,96,32 : numgen inc mod 2 offset 100 } @persistencia

(see patch below)

We should get this in sync with existing dynset syntax:

        update set { 192.168.2.1 } @x

BTW, Florian wanted to have upper ceiling for all sets/maps that are
populated from the packet path, so we may need a follow up patch on
top of this one to make sure map definition includes 'size X' option,
otherwise, display an error.

diff --git a/src/parser_bison.y b/src/parser_bison.y index 39b99ae8c288..6fba7e59555c 100644 --- a/src/parser_bison.y 
+++ b/src/parser_bison.y @@ -2719,10 +2719,10 @@ set_stmt_op : ADD { $$ = NFT_DYNSET_OP_ADD; } | UPDATE { $$ = NFT_DYNSET_OP_UPDATE; } ; -map_stmt : MAP set_stmt_op '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}' symbol_expr +map_stmt : set_stmt_op MAP '{' set_elem_expr_stmt COLON set_elem_expr_stmt '}' symbol_expr { $$ = map_stmt_alloc(&@$); - $$->map.op = $2; + $$->map.op = $1; $$->map.map = map_expr_alloc(&@$, $4, $6); $$->map.set = $8; }
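
Review bot: in the map_stmt rule, moving set_stmt_op ahead of MAP changes the accepted statement from `map add { ... }` / `map update { ... }` to `add map { ... }` / `update map { ... }`, so the examples in the quoted commit message (`map update \ { @nh,96,32 : ... } @persistencia` and the `nft --debug=netlink ... map add` line) no longer match the grammar and should be updated together with any tests or documentation that use the old order. The positional references are consistent with the new order: `$$->map.op = $1` now picks up set_stmt_op, and `$4`, `$6` and `$8` still point at the key, the data and the symbol_expr because the number of tokens is unchanged. Nothing in this action checks that the target map is bounded; as the mail notes, a map populated from the packet path should carry a 'size X' option, so the follow-up that rejects an unsized map with an error would be best submitted along with this change rather than after it.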