We need to signal the kernel to use a set backend that supports dynamic updates.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/parser_bison.y | 2 ++
 src/scanner.l | 1 +
 tests/shell/testcases/sets/0028autoselect_0 | 6 +++---
 tests/shell/testcases/sets/0031set_timeout_size_0 | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 33915ed8702a..98bfebadefcf 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -242,6 +242,7 @@ int nft_lex(void *, void *, void *);
 %token CONSTANT "constant"
 %token INTERVAL "interval"
+%token DYNAMIC "dynamic"
 %token AUTOMERGE "auto-merge"
 %token TIMEOUT "timeout"
 %token GC_INTERVAL "gc-interval"
@@ -1541,6 +1542,7 @@ set_flag_list : set_flag_list COMMA set_flag
 set_flag : CONSTANT { $$ = NFT_SET_CONSTANT; }
 | INTERVAL { $$ = NFT_SET_INTERVAL; }
 | TIMEOUT { $$ = NFT_SET_TIMEOUT; }
+ | DYNAMIC { $$ = NFT_SET_EVAL; }
 ;
 map_block_alloc : /* empty */
diff --git a/src/scanner.l b/src/scanner.l
index 416bd27af142..657fa2daa1f2 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -293,6 +293,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 "constant" { return CONSTANT; }
 "interval" { return INTERVAL; }
+"dynamic" { return DYNAMIC; }
 "auto-merge" { return AUTOMERGE; }
 "timeout" { return TIMEOUT; }
 "gc-interval" { return GC_INTERVAL; }
diff --git a/tests/shell/testcases/sets/0028autoselect_0 b/tests/shell/testcases/sets/0028autoselect_0
index 711743378e85..23f43a22e737 100755
--- a/tests/shell/testcases/sets/0028autoselect_0
+++ b/tests/shell/testcases/sets/0028autoselect_0
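Review bot: A set created with `flags dynamic` may not survive a list-and-restore cycle. The diffstat shows only the parser, the scanner and two tests changing, so unless the set-listing code already prints a name for `NFT_SET_EVAL`, the flag would be dropped on output and a saved ruleset would reload without it; this is inferred from the file list, not from code visible here. Because the keyword and the constant do not share a name, the new `set_flag` alternative would also benefit from a comment such as `/* "dynamic": set may be updated from the packet path (NFT_SET_EVAL) */`.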
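Review bot: `dynamic` becomes a reserved word with the new scanner rule, which the commit message does not mention. The pattern sits beside `"constant"` and `"interval"` with no start condition visible in the hunk, so an existing ruleset that uses `dynamic` as a table, chain or set name would presumably stop parsing after an upgrade. A shell test that loads a ruleset containing an object named `dynamic` would pin down the resulting behaviour, and the release notes should name the new keyword.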
@@ -7,9 +7,9 @@ set -e
 $NFT add table t
-$NFT add set t s1 { type inet_proto \; }
-$NFT add set t s2 { type ipv4_addr \; }
-$NFT add set t s3 { type ipv4_addr \; size 1024\; }
+$NFT add set t s1 { type inet_proto \; flags dynamic \; }
+$NFT add set t s2 { type ipv4_addr \; flags dynamic \; }
+$NFT add set t s3 { type ipv4_addr \; size 1024\; flags dynamic \; }
 $NFT add chain t c {type filter hook input priority 0 \; }
 $NFT add rule t c meta iifname foobar add @s1 { ip protocol }
diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 b/tests/shell/testcases/sets/0031set_timeout_size_0
index f1d9aa6006e5..9edd5f6ffdea 100755
--- a/tests/shell/testcases/sets/0031set_timeout_size_0
+++ b/tests/shell/testcases/sets/0031set_timeout_size_0
@@ -1,7 +1,7 @@
 #!/bin/bash
 RULESET="add table x
-add set x y { type ipv4_addr; size 128; timeout 30s; }
+add set x y { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
 add chain x test
 add rule x test set update ip saddr timeout 1d2h3m4s8ms @y
 add rule x test set update ip daddr timeout 100ms @y"
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
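Review bot: Both updated tests now cover only sets declared with `flags dynamic`; nothing checks what happens when a rule updates a set that lacks the flag. That is the state every existing ruleset is in, and going by the commit message the kernel may then pick a backend without support for packet-path updates. A negative case in 0028autoselect_0, for example `$NFT add set t s4 { type ipv4_addr \; }` followed by a rule doing `add @s4 { ip daddr }` with the expected outcome asserted, would document whether such rulesets fail at load time or load and then stop updating. The same gap applies to 0031set_timeout_size_0, and both scripts continue outside the hunks shown.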