On Tue, 28 Jan 2020 20:30:16 +0100 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > On Sun, Jan 19, 2020 at 02:35:25PM +0100, Stefano Brivio wrote: > > If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel > > as NFTA_SET_DESC_CONCAT attributes: it describes the length of > > single concatenated fields, in bytes. > > > > Similarly, parse NFTA_SET_DESC_CONCAT attributes if received > > from the kernel. > > > > This is the libnftnl counterpart for nftables patch: > > src: Add support for NFTNL_SET_DESC_CONCAT > > > > v3: > > - use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a > > stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso) > > - pass field length in bytes instead of bits, fields would get > > unnecessarily big otherwise > > v2: > > - fixed grammar in commit message > > - removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(), > > we're simply passing values to htonl() (Phil Sutter) > > > > Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx> > > --- > > include/libnftnl/set.h | 1 + > > include/set.h | 2 + > > src/set.c | 111 ++++++++++++++++++++++++++++++++++------- > > 3 files changed, 95 insertions(+), 19 deletions(-) > > > > diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h > > index db3fa686d60a..dcae354b76c4 100644 > > --- a/include/libnftnl/set.h > > +++ b/include/libnftnl/set.h 
> > @@ -24,6 +24,7 @@ enum nftnl_set_attr { > > NFTNL_SET_ID, > > NFTNL_SET_POLICY, > > NFTNL_SET_DESC_SIZE, > > + NFTNL_SET_DESC_CONCAT, > > This one needs to be defined at the end to not break binary interface. Hah, right, I just focused on not breaking kernel UAPI and didn't check this. I'll move it. > Compilation breaks for some reason: > > In file included from ../include/internal.h:10, > from gen.c:9: > ../include/set.h:28:22: error: ‘NFT_REG32_COUNT’ undeclared here (not > in a function); did you mean ‘NFT_REG32_15’? > 28 | uint8_t field_len[NFT_REG32_COUNT]; > | ^~~~~~~~~~~~~~~ > | NFT_REG32_15 That's something that comes from kernel headers changes, now commit f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields"), this hunk: diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index c13106496bd2..065218a20bb7 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -48,6 +48,7 @@ enum nft_registers { #define NFT_REG_SIZE 16 #define NFT_REG32_SIZE 4 +#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1) /** * enum nft_verdicts - nf_tables internal verdicts I didn't include those in userspace patches, following e.g. current iproute2 practice. Let me know if I should actually submit that as separate change -- I thought it would be more practical for you to sync headers as needed. -- Stefano
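Review bot: In the include/libnftnl/set.h hunk, NFTNL_SET_DESC_CONCAT is added directly after NFTNL_SET_DESC_SIZE, in the middle of enum nftnl_set_attr rather than at its end. The hunk header (-24,6 +24,7) shows that further lines of the enum follow the insertion point, so any enumerator after it takes a new numeric value. Programs built against the previous header would then pass attribute numbers that the new library interprets differently. Append the new enumerator after the last existing attribute so that all current values stay stable.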
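Review bot: In the include/uapi/linux/netfilter/nf_tables.h hunk, NFT_REG32_COUNT is defined as (NFT_REG32_15 - NFT_REG32_00 + 1) with no comment. Its value is only correct while the NFT_REG32_00 to NFT_REG32_15 enumerators in enum nft_registers stay contiguous. A one-line comment stating that it is the number of 32-bit registers and that it depends on that contiguity would help, because include/set.h:28 in the libnftnl patch uses it as the bound of uint8_t field_len[NFT_REG32_COUNT]. The quoted build error shows that the libnftnl series does not compile until its copy of this header has the line, so the header sync should be listed as a prerequisite of the series or sent with it.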