This patch adds support for the NFTA_SET_EXPR netlink attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
include/libnftnl/set.h | 1 +
include/libnftnl/udata.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
include/set.h | 1 +
src/set.c | 27 +++++++++++++++++++++++++++
5 files changed, 32 insertions(+)
diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
index 6843adfa0c1e..5138bb99b426 100644
--- a/include/libnftnl/set.h
+++ b/include/libnftnl/set.h
@@ -30,6 +30,7 @@ enum nftnl_set_attr {
NFTNL_SET_OBJ_TYPE,
NFTNL_SET_HANDLE,
NFTNL_SET_DESC_CONCAT,
+ NFTNL_SET_EXPR,
__NFTNL_SET_MAX
};
#define NFTNL_SET_MAX (__NFTNL_SET_MAX - 1)
diff --git a/include/libnftnl/udata.h b/include/libnftnl/udata.h
index 8044041189b1..1d57bc3dce16 100644
--- a/include/libnftnl/udata.h
+++ b/include/libnftnl/udata.h
@@ -24,6 +24,7 @@ enum nftnl_udata_set_types {
NFTNL_UDATA_SET_MERGE_ELEMENTS,
NFTNL_UDATA_SET_KEY_TYPEOF,
NFTNL_UDATA_SET_DATA_TYPEOF,
+ NFTNL_UDATA_SET_EXPR,
__NFTNL_UDATA_SET_MAX
};
#define NFTNL_UDATA_SET_MAX (__NFTNL_UDATA_SET_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 57e83e152bf3..2d291f6eab62 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -342,6 +342,7 @@ enum nft_set_field_attributes {
* @NFTA_SET_USERDATA: user data (NLA_BINARY)
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
* @NFTA_SET_HANDLE: set handle (NLA_U64)
+ * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
*/
enum nft_set_attributes {
NFTA_SET_UNSPEC,
@@ -361,6 +362,7 @@ enum nft_set_attributes {
NFTA_SET_PAD,
NFTA_SET_OBJ_TYPE,
NFTA_SET_HANDLE,
+ NFTA_SET_EXPR,
__NFTA_SET_MAX
};
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
diff --git a/include/set.h b/include/set.h
index 895ffdb48bdb..66ac129836de 100644
--- a/include/set.h
+++ b/include/set.h
@@ -33,6 +33,7 @@ struct nftnl_set {
uint32_t flags;
uint32_t gc_interval;
uint64_t timeout;
+ struct nftnl_expr *expr;
};
struct nftnl_set_list;
diff --git a/src/set.c b/src/set.c
index 651dcfa56022..15fa29d5f02c 100644
--- a/src/set.c
+++ b/src/set.c
@@ -51,6 +51,8 @@ void nftnl_set_free(const struct nftnl_set *s)
xfree(s->name);
if (s->flags & (1 << NFTNL_SET_USERDATA))
xfree(s->user.data);
+ if (s->flags & (1 << NFTNL_SET_EXPR))
+ nftnl_expr_free(s->expr);
list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
list_del(&elem->head);
@@ -96,6 +98,9 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
case NFTNL_SET_USERDATA:
xfree(s->user.data);
break;
+ case NFTNL_SET_EXPR:
+ nftnl_expr_free(s->expr);
+ break;
default:
return;
}
@@ -195,6 +200,12 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
memcpy(s->user.data, data, data_len);
s->user.len = data_len;
break;
+ case NFTNL_SET_EXPR:
+ if (s->flags & (1 << NFTNL_SET_EXPR))
+ nftnl_expr_free(s->expr);
+
+ s->expr = (void *)data;
+ break;
}
s->flags |= (1 << attr);
return 0;
@@ -283,6 +294,8 @@ const void *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr,
case NFTNL_SET_USERDATA:
*data_len = s->user.len;
return s->user.data;
+ case NFTNL_SET_EXPR:
+ return s->expr;
}
return NULL;
}
@@ -432,6 +445,13 @@ void nftnl_set_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s)
mnl_attr_put_u32(nlh, NFTA_SET_GC_INTERVAL, htonl(s->gc_interval));
if (s->flags & (1 << NFTNL_SET_USERDATA))
mnl_attr_put(nlh, NFTA_SET_USERDATA, s->user.len, s->user.data);
+ if (s->flags & (1 << NFTNL_SET_EXPR)) {
+ struct nlattr *nest1;
+
+ nest1 = mnl_attr_nest_start(nlh, NFTA_SET_EXPR);
+ nftnl_expr_build_payload(nlh, s->expr);
+ mnl_attr_nest_end(nlh, nest1);
+ }
}
@@ -635,6 +655,13 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
if (ret < 0)
return ret;
}
+ if (tb[NFTA_SET_EXPR]) {
+ s->expr = nftnl_expr_parse(tb[NFTA_SET_EXPR]);
+ if (!s->expr)
+ return -1;
+
+ s->flags |= (1 << NFTNL_SET_EXPR);
+ }
s->family = nfg->nfgen_family;
s->flags |= (1 << NFTNL_SET_FAMILY);
--
2.11.0
