[PATCH 0/5 nf-next,v2] enhance stateful expression support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This patchset allows users to add and to restore stateful expressions
of set elements, e.g.

 table ip test {
        set test {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 30d
                gc-interval 1d
                elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
        }
        chain output {
                type filter hook output priority 0;
                update @test { ip saddr }
        }
 }

You can also add counters to elements from the control place, ie.

 table ip test {
        set test {
                type ipv4_addr
                size 65535
                elements = { 192.168.2.1 counter packets 75 bytes 19043 }
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ip daddr @test
        }
 }

v2: Missing patch to add nft_set_elem_expr_alloc() helper function.

Pablo Neira Ayuso (5):
  netfilter: nf_tables: add nft_set_elem_expr_alloc()
  netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
  netfilter: nf_tables: add elements with stateful expressions
  netfilter: nf_tables: add nft_set_elem_update_expr() helper function
  netfilter: nft_lookup: update element stateful expression

 include/net/netfilter/nf_tables.h | 18 +++++++++++--
 net/netfilter/nf_tables_api.c     | 55 ++++++++++++++++++++++++++++++++++++---
 net/netfilter/nft_dynset.c        | 23 +++-------------
 net/netfilter/nft_lookup.c        |  1 +
 4 files changed, 72 insertions(+), 25 deletions(-)

--
2.11.0
[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux