[PATCH nf-next 0/4] enhance stateful expression support

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Wed, 11 Mar 2020 15:13:14 +0100

Hi,

This patchset allows users to add and to restore stateful expressions
of set elements, e.g.

 table ip test {
        set test {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 30d
                gc-interval 1d
                elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
        }
        chain output {
                type filter hook output priority 0;
                update @test { ip saddr }
        }
 }

You can also add counters to elements from the control place, ie.

 table ip test {
        set test {
                type ipv4_addr
                size 65535
                elements = { 192.168.2.1 counter packets 75 bytes 19043 }
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ip daddr @test
        }
 }

Thanks.

Pablo Neira Ayuso (4):
  netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
  netfilter: nf_tables: add elements with stateful expressions
  netfilter: nf_tables: add nft_set_elem_update_expr() helper function
  netfilter: nft_lookup: update element stateful expression

 include/net/netfilter/nf_tables.h | 14 ++++++++++++--
 net/netfilter/nf_tables_api.c     | 25 ++++++++++++++++++++++---
 net/netfilter/nft_dynset.c        |  8 +-------
 net/netfilter/nft_lookup.c        |  1 +
 4 files changed, 36 insertions(+), 12 deletions(-)

--
2.11.0