Re: [PATCH nft v2] src: add ct timeout support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jul 7, 2018 at 7:03 PM, Harsha Sharma
<harshasharmaiitr@xxxxxxxxx> wrote:
> This patch adds support for adding, listing and deleting ct timeout
> objects which can be assigned via rule to assign connection tracking
> timeout policies via objref infrastructure.
>
> %nft add table filter
> %nft add chain filter output
> %nft add ct timeout filter test-tcp { protocol:tcp, established:132 \; }
> %nft add rule filter output ct timeout set test-tcp
> %nft list ruleset
>
> table ip filter {
>         ct timeout test-tcp {
>                 protocol tcp
>                 l3proto ip
>                 established 132
>         }
>
>         chain output {
>                 ct timeout set "test-tcp"
>         }
> }
>
> %nft delete rule filter output handle <handle>
> %nft delete ct timeout filter test-tcp
>
> Signed-off-by: Harsha Sharma <harshasharmaiitr@xxxxxxxxx>
> ---
> Changes in v2:
>  - Change in syntax for addition of ct timeout objects
>  - remove tokens from scanner and parser_bison for timeout states
>  - list only updated timeout values
>  - change in log message accordingly
>  - other minor changes
>
>  include/linux/netfilter/nf_tables.h |  13 ++++-
>  include/rule.h                      |  19 +++++++
>  src/evaluate.c                      |   4 ++
>  src/netlink.c                       |  21 ++++++++
>  src/parser_bison.y                  |  60 ++++++++++++++++++++-
>  src/rule.c                          | 102 ++++++++++++++++++++++++++++++++++++
>  src/statement.c                     |   4 ++
>  7 files changed, 221 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
> index 88e0ca1..8e7c757 100644
> --- a/include/linux/netfilter/nf_tables.h
> +++ b/include/linux/netfilter/nf_tables.h
> @@ -958,6 +958,7 @@ enum nft_socket_keys {
>   * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
>   * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
>   * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
> + * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
>   */
>  enum nft_ct_keys {
>         NFT_CT_STATE,
> @@ -983,6 +984,7 @@ enum nft_ct_keys {
>         NFT_CT_DST_IP,
>         NFT_CT_SRC_IP6,
>         NFT_CT_DST_IP6,
> +       NFT_CT_TIMEOUT,
>         __NFT_CT_MAX
>  };
>  #define NFT_CT_MAX             (__NFT_CT_MAX - 1)
> @@ -1373,13 +1375,22 @@ enum nft_ct_helper_attributes {
>  };
>  #define NFTA_CT_HELPER_MAX     (__NFTA_CT_HELPER_MAX - 1)
>
> +enum nft_ct_timeout_attributes {
> +       NFTA_CT_TIMEOUT_L3PROTO,
> +       NFTA_CT_TIMEOUT_L4PROTO,
> +       NFTA_CT_TIMEOUT_DATA,
> +       __NFTA_CT_TIMEOUT_MAX,
> +};
> +#define NFTA_CT_TIMEOUT_MAX     (__NFTA_CT_TIMEOUT_MAX - 1)
> +
>  #define NFT_OBJECT_UNSPEC      0
>  #define NFT_OBJECT_COUNTER     1
>  #define NFT_OBJECT_QUOTA       2
>  #define NFT_OBJECT_CT_HELPER   3
>  #define NFT_OBJECT_LIMIT       4
>  #define NFT_OBJECT_CONNLIMIT   5
> -#define __NFT_OBJECT_MAX       6
> +#define NFT_OBJECT_CT_TIMEOUT  6
> +#define __NFT_OBJECT_MAX       7
>  #define NFT_OBJECT_MAX         (__NFT_OBJECT_MAX - 1)
>
>  /**
> diff --git a/include/rule.h b/include/rule.h
> index 909ff36..f4afc9c 100644
> --- a/include/rule.h
> +++ b/include/rule.h
> @@ -4,6 +4,8 @@
>  #include <stdint.h>
>  #include <nftables.h>
>  #include <list.h>
> +#include <libnftnl/cttimeout.h>
> +#include <netinet/in.h>
>
>  /**
>   * struct handle_spec - handle ID
> @@ -308,6 +310,12 @@ struct ct_helper {
>         uint8_t l4proto;
>  };
>
> +struct ct_timeout {
> +       uint16_t l3proto;
> +       uint8_t l4proto;
> +       uint32_t *timeout;
> +};
> +
>  struct limit {
>         uint64_t        rate;
>         uint64_t        unit;
> @@ -336,6 +344,7 @@ struct obj {
>                 struct quota            quota;
>                 struct ct_helper        ct_helper;
>                 struct limit            limit;
> +               struct ct_timeout       ct_timeout;
>         };
>  };
>
> @@ -462,6 +471,7 @@ enum cmd_obj {
>         CMD_OBJ_LIMITS,
>         CMD_OBJ_FLOWTABLE,
>         CMD_OBJ_FLOWTABLES,
> +       CMD_OBJ_CT_TIMEOUT,
>  };
>
>  struct markup {
> @@ -617,4 +627,13 @@ enum udata_set_elem_flags {
>         SET_ELEM_F_INTERVAL_OPEN        = 0x1,
>  };
>
> +struct timeout_protocol {
> +       uint32_t attr_max;
> +       const char *const *state_to_name;
> +       uint32_t *dflt_timeout;
> +};
> +
> +extern struct timeout_protocol timeout_protocol[IPPROTO_MAX];
> +extern int timeout_str2num(const char *timeout_state, unsigned int l4);
> +
>  #endif /* NFTABLES_RULE_H */
> diff --git a/src/evaluate.c b/src/evaluate.c
> index c4ee3cc..69f3230 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -3130,6 +3130,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
>         case CMD_OBJ_COUNTER:
>         case CMD_OBJ_QUOTA:
>         case CMD_OBJ_CT_HELPER:
> +       case CMD_OBJ_CT_TIMEOUT:
>         case CMD_OBJ_LIMIT:
>                 return 0;
>         default:
> @@ -3157,6 +3158,7 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
>         case CMD_OBJ_COUNTER:
>         case CMD_OBJ_QUOTA:
>         case CMD_OBJ_CT_HELPER:
> +       case CMD_OBJ_CT_TIMEOUT:
>         case CMD_OBJ_LIMIT:
>                 return 0;
>         default:
> @@ -3289,6 +3291,8 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
>                 return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_COUNTER);
>         case CMD_OBJ_CT_HELPER:
>                 return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_CT_HELPER);
> +       case CMD_OBJ_CT_TIMEOUT:
> +               return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);
>         case CMD_OBJ_LIMIT:
>                 return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
>         case CMD_OBJ_COUNTERS:
> diff --git a/src/netlink.c b/src/netlink.c
> index 394af2f..967d9cc 100644
> --- a/src/netlink.c
> +++ b/src/netlink.c
> @@ -28,6 +28,7 @@
>  #include <libnftnl/udata.h>
>  #include <libnftnl/ruleset.h>
>  #include <libnftnl/common.h>
> +#include <libnftnl/cttimeout.h>
>  #include <linux/netfilter/nfnetlink.h>
>  #include <linux/netfilter/nf_tables.h>
>  #include <linux/netfilter.h>
> @@ -41,6 +42,7 @@
>  #include <utils.h>
>  #include <erec.h>
>  #include <iface.h>
> +#include <rule.h>
>
>  #define nft_mon_print(monh, ...) nft_print(monh->ctx->octx, __VA_ARGS__)
>
> @@ -334,6 +336,20 @@ alloc_nftnl_obj(const struct handle *h, struct obj *obj)
>                         nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO,
>                                           obj->ct_helper.l3proto);
>                 break;
> +       case NFT_OBJECT_CT_TIMEOUT:
> +               nftnl_obj_set_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO,
> +                                 obj->ct_timeout.l4proto);
> +               if (obj->ct_timeout.l3proto)
> +                       nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO,
> +                                         obj->ct_timeout.l3proto);
> +               else
> +                       nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO,
> +                                         NFPROTO_IPV4);
> +               for (unsigned int i = 0; i < timeout_protocol[obj->ct_timeout.l4proto].attr_max; ++i) {
> +                       if (obj->ct_timeout.timeout[i])
> +                               nftnl_timeout_policy_attr_set_u32(nlo, i, obj->ct_timeout.timeout[i]);
> +               }
> +               break;
>         case NFT_OBJECT_LIMIT:
>                 nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_RATE, obj->limit.rate);
>                 nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_UNIT, obj->limit.unit);
> @@ -1437,6 +1453,11 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
>                 obj->ct_helper.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO);
>                 obj->ct_helper.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO);
>                 break;
> +       case NFT_OBJECT_CT_TIMEOUT:
> +               obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO);
> +               obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO);
> +               obj->ct_timeout.timeout = nftnl_obj_get_void(nlo, NFTNL_OBJ_CT_TIMEOUT_DATA);
> +               break;
>         case NFT_OBJECT_LIMIT:
>                 obj->limit.rate =
>                         nftnl_obj_get_u64(nlo, NFTNL_OBJ_LIMIT_RATE);
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index 98bfeba..5540288 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -12,6 +12,7 @@
>
>  #include <stddef.h>
>  #include <stdio.h>
> +#include <stdlib.h>
>  #include <inttypes.h>
>  #include <syslog.h>
>  #include <netinet/ip.h>
> @@ -154,6 +155,7 @@ int nft_lex(void *, void *, void *);
>         struct handle_spec      handle_spec;
>         struct position_spec    position_spec;
>         const struct exthdr_desc *exthdr_desc;
> +       struct ct_timeout       *ct_timeout;
>  }
>
>  %token TOKEN_EOF 0             "end of file"
> @@ -546,7 +548,7 @@ int nft_lex(void *, void *, void *);
>  %type <flowtable>              flowtable_block_alloc flowtable_block
>  %destructor { flowtable_free($$); }    flowtable_block_alloc
>
> -%type <obj>                    obj_block_alloc counter_block quota_block ct_helper_block limit_block
> +%type <obj>                    obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block limit_block
>  %destructor { obj_free($$); }  obj_block_alloc
>
>  %type <list>                   stmt_list
> @@ -950,6 +952,10 @@ add_cmd                    :       TABLE           table_spec
>
>                                 $$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_HELPER, &$3, &@$, $4);
>                         }
> +                       |       CT      TIMEOUT obj_spec        ct_obj_alloc    '{' ct_timeout_block '}' stmt_separator
> +                       {
> +                               $$ = cmd_alloc_obj_ct(CMD_ADD, NFT_OBJECT_CT_TIMEOUT, &$3, &@$, $4);
> +                       }
>                         |       LIMIT           obj_spec        limit_obj
>                         {
>                                 $$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
> @@ -1031,6 +1037,10 @@ create_cmd               :       TABLE           table_spec
>                         {
>                                 $$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_HELPER, &$3, &@$, $4);
>                         }
> +                       |       CT      TIMEOUT obj_spec        ct_obj_alloc    '{' ct_timeout_block '}' stmt_separator
> +                       {
> +                               $$ = cmd_alloc_obj_ct(CMD_CREATE, NFT_OBJECT_CT_TIMEOUT, &$3, &@$, $4);
> +                       }
>                         |       LIMIT           obj_spec        limit_obj
>                         {
>                                 $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
> @@ -1223,6 +1233,10 @@ list_cmd         :       TABLE           table_spec
>                         {
>                                 $$ = cmd_alloc(CMD_LIST, CMD_OBJ_CT_HELPERS, &$4, &@$, NULL);
>                         }
> +                       |       CT              TIMEOUT         TABLE           table_spec
> +                       {
> +                               $$ = cmd_alloc(CMD_LIST, CMD_OBJ_CT_TIMEOUT, &$4, &@$, NULL);
> +                       }
>                         ;
>
>  reset_cmd              :       COUNTERS        ruleset_spec
> @@ -1454,6 +1468,15 @@ table_block              :       /* empty */     { $$ = $<table>-1; }
>                                 list_add_tail(&$5->list, &$1->objs);
>                                 $$ = $1;
>                         }
> +                       |       table_block     CT      TIMEOUT obj_identifier obj_block_alloc '{'      ct_timeout_block        '}' stmt_separator
> +                       {
> +                               $5->location = @4;
> +                               $5->type = NFT_OBJECT_CT_TIMEOUT;
> +                               handle_merge(&$5->handle, &$4);
> +                               handle_free(&$4);
> +                               list_add_tail(&$5->list, &$1->objs);
> +                               $$ = $1;
> +                       }
>                         |       table_block     LIMIT           obj_identifier
>                                         obj_block_alloc '{'     limit_block     '}'
>                                         stmt_separator
> @@ -1749,6 +1772,15 @@ ct_helper_block          :       /* empty */     { $$ = $<obj>-1; }
>                         }
>                         ;
>
> +ct_timeout_block       :       /*empty */      { $$ = $<obj>-1; }
> +                       |       ct_timeout_block     common_block
> +                       |       ct_timeout_block     stmt_separator
> +                       |       ct_timeout_block     ct_timeout_config
> +                       {
> +                               $$ = $1;
> +                       }
> +                       ;
> +
>  limit_block            :       /* empty */     { $$ = $<obj>-1; }
>                         |       limit_block     common_block
>                         |       limit_block     stmt_separator
> @@ -3171,6 +3203,7 @@ quota_obj         :       quota_config
>                         ;
>
>  ct_obj_type            :       HELPER          { $$ = NFT_OBJECT_CT_HELPER; }
> +                       |       TIMEOUT         { $$ = NFT_OBJECT_CT_TIMEOUT; }
>                         ;
>
>  ct_l4protoname         :       TCP     { $$ = IPPROTO_TCP; }
> @@ -3198,6 +3231,25 @@ ct_helper_config         :       TYPE    QUOTED_STRING   PROTOCOL        ct_l4protoname  stmt_separator
>                         }
>                         ;
>
> +ct_timeout_config      :       PROTOCOL        COLON   ct_l4protoname  COMMA   STRING  COLON   NUM      stmt_separator

ct_timeout_config      :       PROTOCOL        COLON   ct_l4protoname
COMMA   timeout_states      stmt_separator

I want to parse multiple timeout policies like this :

timeout_states : timeout_states timeout_state
                        |  timeout_state
                        ;
timeout_state   : STRING  COLON   NUM
                        {
                             size_t timeout_array_size =
sizeof(uint32_t) * (timeout_protocol[l4proto].attr_max);
                             int type =  timeout_str2num($1, l4proto);
                             timeout = calloc(1, timeout_array_size);
                             timeout[type] = $3;
                             $$ = timeout;
                         }
                         ;

So, I want to parse l4proto from ct_timeout_config to timeout_state.
Any idea, on how can I do this ?
Thanks.

> +                       {
> +                               struct ct_timeout *ct;
> +                               size_t timeout_array_size;
> +                               int l4proto = $3;
> +                               int type = timeout_str2num($5, l4proto);
> +
> +                               ct = &$<obj>0->ct_timeout;
> +                               ct->l4proto = l4proto;
> +                               timeout_array_size = sizeof(uint32_t) * (timeout_protocol[l4proto].attr_max);
> +                               ct->timeout = calloc(1, timeout_array_size);
> +                               ct->timeout[type] = $7;
> +                       }
> +                       |       L3PROTOCOL      family_spec_explicit    stmt_separator
> +                       {
> +                               $<obj>0->ct_timeout.l3proto = $2;
> +                       }
> +                       ;
> +
>  ct_obj_alloc           :
>                         {
>                                 $$ = obj_alloc(&@$);
> @@ -3672,6 +3724,7 @@ ct_key                    :       L3PROTOCOL      { $$ = NFT_CT_L3PROTOCOL; }
>                         |       PROTO_DST       { $$ = NFT_CT_PROTO_DST; }
>                         |       LABEL           { $$ = NFT_CT_LABELS; }
>                         |       EVENT           { $$ = NFT_CT_EVENTMASK; }
> +                       |       TIMEOUT         { $$ = NFT_CT_TIMEOUT; }
>                         |       ct_key_dir_optional
>                         ;
>
> @@ -3720,6 +3773,11 @@ ct_stmt                  :       CT      ct_key          SET     stmt_expr
>                                         $$->objref.type = NFT_OBJECT_CT_HELPER;
>                                         $$->objref.expr = $4;
>                                         break;
> +                               case NFT_CT_TIMEOUT:
> +                                       $$ = objref_stmt_alloc(&@$);
> +                                       $$->objref.type = NFT_OBJECT_CT_TIMEOUT;
> +                                       $$->objref.expr = $4;
> +                                       break;
>                                 default:
>                                         $$ = ct_stmt_alloc(&@$, $2, -1, $4);
>                                         break;
> diff --git a/src/rule.c b/src/rule.c
> index 188fc06..e3916cb 100644
> --- a/src/rule.c
> +++ b/src/rule.c
> @@ -29,6 +29,69 @@
>  #include <linux/netfilter.h>
>  #include <linux/netfilter_arp.h>
>
> +const char *const tcp_state_to_name[] = {
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_SYN_SENT]     = "syn_sent",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_SYN_RECV]     = "syn_recv",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_ESTABLISHED]  = "established",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_FIN_WAIT]     = "fin_wait",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_CLOSE_WAIT]   = "close_wait",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_LAST_ACK]     = "last_ack",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_TIME_WAIT]    = "time_wait",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_CLOSE]        = "close",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_SYN_SENT2]    = "syn_sent2",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_RETRANS]      = "retrans",
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_UNACK]        = "unack",
> +};
> +
> +const char *const udp_state_to_name[] = {
> +       [NFTA_CT_TIMEOUT_ATTR_UDP_UNREPLIED]    = "unreplied",
> +       [NFTA_CT_TIMEOUT_ATTR_UDP_REPLIED]      = "replied",
> +};
> +
> +uint32_t tcp_dflt_timeout[] = {
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_SYN_SENT]     = 120,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_SYN_RECV]     = 60,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_ESTABLISHED]  = 432000,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_FIN_WAIT]     = 120,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_CLOSE_WAIT]   = 60,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_LAST_ACK]     = 30,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_TIME_WAIT]    = 120,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_CLOSE]        = 10,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_SYN_SENT2]    = 120,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_RETRANS]      = 300,
> +       [NFTA_CT_TIMEOUT_ATTR_TCP_UNACK]        = 300,
> +
> +};
> +
> +uint32_t udp_dflt_timeout[] = {
> +       [NFTA_CT_TIMEOUT_ATTR_UDP_UNREPLIED]    = 30,
> +       [NFTA_CT_TIMEOUT_ATTR_UDP_REPLIED]      = 180,
> +};
> +
> +struct timeout_protocol timeout_protocol[IPPROTO_MAX] = {
> +       [IPPROTO_TCP]   = {
> +               .attr_max       = NFTA_CT_TIMEOUT_ATTR_TCP_MAX,
> +               .state_to_name  = tcp_state_to_name,
> +               .dflt_timeout   = tcp_dflt_timeout,
> +       },
> +       [IPPROTO_UDP]   = {
> +               .attr_max       = NFTA_CT_TIMEOUT_ATTR_UDP_MAX,
> +               .state_to_name  = udp_state_to_name,
> +               .dflt_timeout   = udp_dflt_timeout,
> +       },
> +};
> +
> +int timeout_str2num(const char *timeout_state, unsigned int l4)
> +{
> +       unsigned int i;
> +
> +       for (i = 0; i < timeout_protocol[l4].attr_max; i++) {
> +               if (!strcmp(timeout_protocol[l4].state_to_name[i], timeout_state))
> +                       return i;
> +       }
> +       return -1;
> +}
> +
>  void handle_free(struct handle *h)
>  {
>         xfree(h->table.name);
> @@ -1089,6 +1152,7 @@ void cmd_free(struct cmd *cmd)
>                 case CMD_OBJ_COUNTER:
>                 case CMD_OBJ_QUOTA:
>                 case CMD_OBJ_CT_HELPER:
> +               case CMD_OBJ_CT_TIMEOUT:
>                 case CMD_OBJ_LIMIT:
>                         obj_free(cmd->object);
>                         break;
> @@ -1183,6 +1247,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
>         case CMD_OBJ_COUNTER:
>         case CMD_OBJ_QUOTA:
>         case CMD_OBJ_CT_HELPER:
> +       case CMD_OBJ_CT_TIMEOUT:
>         case CMD_OBJ_LIMIT:
>                 return netlink_add_obj(ctx, cmd, flags);
>         case CMD_OBJ_FLOWTABLE:
> @@ -1268,6 +1333,9 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
>                 return netlink_delete_obj(ctx, cmd, NFT_OBJECT_QUOTA);
>         case CMD_OBJ_CT_HELPER:
>                 return netlink_delete_obj(ctx, cmd, NFT_OBJECT_CT_HELPER);
> +       case CMD_OBJ_CT_TIMEOUT:
> +               return netlink_delete_obj(ctx, cmd,
> +                                         NFT_OBJECT_CT_TIMEOUT);
>         case CMD_OBJ_LIMIT:
>                 return netlink_delete_obj(ctx, cmd, NFT_OBJECT_LIMIT);
>         case CMD_OBJ_FLOWTABLE:
> @@ -1418,6 +1486,21 @@ static void print_proto_name_proto(uint8_t l4, struct output_ctx *octx)
>                 nft_print(octx, "%d\n", l4);
>  }
>
> +static void print_proto_timeout_policy(uint8_t l4, uint32_t *timeout,
> +                                      struct output_ctx *octx)
> +{
> +       unsigned int i;
> +
> +       nft_print(octx, "\t\t");
> +       for (i = 0; i < timeout_protocol[l4].attr_max; i++) {
> +               if (timeout[i] != timeout_protocol[l4].dflt_timeout[i]) {
> +                       nft_print(octx, "%s %u ",
> +                                 timeout_protocol[l4].state_to_name[i],
> +                                 timeout[i]);
> +               }
> +       }
> +}
> +
>  static void obj_print_data(const struct obj *obj,
>                            struct print_fmt_options *opts,
>                            struct output_ctx *octx)
> @@ -1465,6 +1548,19 @@ static void obj_print_data(const struct obj *obj,
>                 nft_print(octx, "\t\tl3proto %s",
>                           family2str(obj->ct_helper.l3proto));
>                 break;
> +       case NFT_OBJECT_CT_TIMEOUT:
> +               nft_print(octx, "ct timeout %s {", obj->handle.obj.name);
> +               if (octx->handle > 0)
> +                       nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
> +               nft_print(octx, "%s", opts->nl);
> +               nft_print(octx, "\t\tprotocol ");
> +               print_proto_name_proto(obj->ct_timeout.l4proto, octx);
> +               nft_print(octx, "\t\tl3proto %s",
> +                         family2str(obj->ct_timeout.l3proto));
> +               nft_print(octx, "%s", opts->nl);
> +               print_proto_timeout_policy(obj->ct_timeout.l4proto,
> +                                          obj->ct_timeout.timeout, octx);
> +               break;
>         case NFT_OBJECT_LIMIT: {
>                 bool inv = obj->limit.flags & NFT_LIMIT_F_INV;
>                 const char *data_unit;
> @@ -1511,6 +1607,7 @@ static const char * const obj_type_name_array[] = {
>         [NFT_OBJECT_QUOTA]      = "quota",
>         [NFT_OBJECT_CT_HELPER]  = "",
>         [NFT_OBJECT_LIMIT]      = "limit",
> +       [NFT_OBJECT_CT_TIMEOUT] = "",
>  };
>
>  const char *obj_type_name(enum stmt_types type)
> @@ -1525,6 +1622,7 @@ static uint32_t obj_type_cmd_array[NFT_OBJECT_MAX + 1] = {
>         [NFT_OBJECT_QUOTA]      = CMD_OBJ_QUOTA,
>         [NFT_OBJECT_CT_HELPER]  = CMD_OBJ_CT_HELPER,
>         [NFT_OBJECT_LIMIT]      = CMD_OBJ_LIMIT,
> +       [NFT_OBJECT_CT_TIMEOUT] = CMD_OBJ_CT_TIMEOUT,
>  };
>
>  uint32_t obj_type_to_cmd(uint32_t type)
> @@ -1875,6 +1973,7 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
>         case CMD_OBJ_CT_HELPER:
>         case CMD_OBJ_CT_HELPERS:
>                 return do_list_obj(ctx, cmd, NFT_OBJECT_CT_HELPER);
> +       case CMD_OBJ_CT_TIMEOUT:
>         case CMD_OBJ_LIMIT:
>         case CMD_OBJ_LIMITS:
>                 return do_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
> @@ -2092,6 +2191,9 @@ struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type, const struct handle *h,
>         case NFT_OBJECT_CT_HELPER:
>                 cmd_obj = CMD_OBJ_CT_HELPER;
>                 break;
> +       case NFT_OBJECT_CT_TIMEOUT:
> +               cmd_obj = CMD_OBJ_CT_TIMEOUT;
> +               break;
>         default:
>                 BUG("missing type mapping");
>         }
> diff --git a/src/statement.c b/src/statement.c
> index 6f5e666..3f88729 100644
> --- a/src/statement.c
> +++ b/src/statement.c
> @@ -203,6 +203,7 @@ static const char *objref_type[NFT_OBJECT_MAX + 1] = {
>         [NFT_OBJECT_QUOTA]      = "quota",
>         [NFT_OBJECT_CT_HELPER]  = "ct helper",
>         [NFT_OBJECT_LIMIT]      = "limit",
> +       [NFT_OBJECT_CT_TIMEOUT] = "ct timeout",
>  };
>
>  const char *objref_type_name(uint32_t type)
> @@ -219,6 +220,9 @@ static void objref_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
>         case NFT_OBJECT_CT_HELPER:
>                 nft_print(octx, "ct helper set ");
>                 break;
> +       case NFT_OBJECT_CT_TIMEOUT:
> +               nft_print(octx, "ct timeout set ");
> +               break;
>         default:
>                 nft_print(octx, "%s name ",
>                           objref_type_name(stmt->objref.type));
> --
> 2.14.1
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux