On Tue, Jan 28, 2020 at 09:17:52PM +0100, Stefano Brivio wrote:
> On Tue, 28 Jan 2020 20:30:16 +0100
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> > On Sun, Jan 19, 2020 at 02:35:25PM +0100, Stefano Brivio wrote:
> > > If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel
> > > as NFTA_SET_DESC_CONCAT attributes: it describes the length of
> > > single concatenated fields, in bytes.
> > >
> > > Similarly, parse NFTA_SET_DESC_CONCAT attributes if received
> > > from the kernel.
> > >
> > > This is the libnftnl counterpart for nftables patch:
> > >   src: Add support for NFTNL_SET_DESC_CONCAT
> > >
> > > v3:
> > >  - use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a
> > >    stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso)
> > >  - pass field length in bytes instead of bits, fields would get
> > >    unnecessarily big otherwise
> > > v2:
> > >  - fixed grammar in commit message
> > >  - removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(),
> > >    we're simply passing values to htonl() (Phil Sutter)
> > >
> > > Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
> > > ---
> > > include/libnftnl/set.h | 1 +
> > > include/set.h | 2 +
> > > src/set.c | 111 ++++++++++++++++++++++++++++++++++-------
> > > 3 files changed, 95 insertions(+), 19 deletions(-)
> > >
> > > diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h > > > index db3fa686d60a..dcae354b76c4 100644 > > > --- a/include/libnftnl/set.h > > > +++ b/include/libnftnl/set.h
> > > @@ -24,6 +24,7 @@ enum nftnl_set_attr { > > > NFTNL_SET_ID, > > > NFTNL_SET_POLICY, > > > NFTNL_SET_DESC_SIZE, > > > + NFTNL_SET_DESC_CONCAT,
> >
> > This one needs to be defined at the end to not break binary interface.
>
> Hah, right, I just focused on not breaking kernel UAPI and didn't check
> this. I'll move it.

Good, thanks.

> > Compilation breaks for some reason:
> >
> > In file included from ../include/internal.h:10,
> > from gen.c:9:
> > ../include/set.h:28:22: error: ‘NFT_REG32_COUNT’ undeclared here (not
> > in a function); did you mean ‘NFT_REG32_15’?
> > 28 | uint8_t field_len[NFT_REG32_COUNT];
> > | ^~~~~~~~~~~~~~~
> > | NFT_REG32_15
>
> That's something that comes from kernel headers changes, now
> commit f3a2181e16f1 ("netfilter: nf_tables: Support for sets with
> multiple ranged fields"), this hunk:
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h > index c13106496bd2..065218a20bb7 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -48,6 +48,7 @@ enum nft_registers { > > #define NFT_REG_SIZE 16 > #define NFT_REG32_SIZE 4 > +#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1) > > /** > * enum nft_verdicts - nf_tables internal verdicts
>
> I didn't include those in userspace patches, following e.g. current
> iproute2 practice. Let me know if I should actually submit that as
> separate change -- I thought it would be more practical for you to sync
> headers as needed.

I'd suggest you send a separate patch to get the nf_tables.h cached
copy under libnftnl/include/linux/

I occasionally make patches like this one:

commit 239fabea9a436aaa7b787f389d80dfb57f7b893c
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Tue Aug 13 21:41:45 2019 +0200

    include: resync nf_tables.h cache copy

    Get this header in sync with 5.3-rc1.

You bring all pending updates, so you help keep it in sync :-)

Thanks.
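
Review bot: In the enum nftnl_set_attr hunk of include/libnftnl/set.h, NFTNL_SET_DESC_CONCAT is added directly after NFTNL_SET_DESC_SIZE instead of at the end of the enum, so any enumerator declared after this point takes a new numeric value, and callers built against the previous header would hand the library stale attribute numbers. Append the new attribute after the last existing one so that the values already in use stay unchanged.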
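
Review bot: In the include/uapi/linux/netfilter/nf_tables.h hunk, NFT_REG32_COUNT is added next to NFT_REG_SIZE and NFT_REG32_SIZE without a comment, although it is a number of registers rather than a size in bytes, and its value is only right while NFT_REG32_00 through NFT_REG32_15 stay consecutive in enum nft_registers. A one-line comment stating both points would help, since userspace uses it as an array bound (the quoted build error is on `uint8_t field_len[NFT_REG32_COUNT];`) and therefore builds only once its cached copy of this header carries the define.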