This patch allows users to specify a unsigned 64-bit cookie for rules.
The userspace application assigns the cookie number for tracking the rule.
The cookie needs to be non-zero. This cookie value is only relevant to
userspace since this resides in the user data area.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
Phil, you suggested a cookie to track rules, here it is. A few notes:
- This patch is missing json support.
- No need for kernel update since the cookie is stored in the user data area.
include/rule.h | 3 ++-
src/netlink_delinearize.c | 22 +++++++++++++++-------
src/netlink_linearize.c | 16 ++++++++++++----
src/parser_bison.y | 18 +++++++++++++++++-
src/rule.c | 2 ++
src/scanner.l | 1 +
6 files changed, 49 insertions(+), 13 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index 60eadfa3c9a2..0dd29625e613 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -275,8 +275,9 @@ struct rule {
struct location location;
struct list_head stmts;
unsigned int num_stmts;
- const char *comment;
unsigned int refcnt;
+ const char *comment;
+ uint64_t cookie;
};
extern struct rule *rule_alloc(const struct location *loc,
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 9e3ed53d09f1..7a25f5b0ddf4 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2816,6 +2816,10 @@ static int parse_rule_udata_cb(const struct nftnl_udata *attr, void *data)
if (value[len - 1] != '\0')
return -1;
break;
+ case NFTNL_UDATA_RULE_COOKIE:
+ if (len != sizeof(uint64_t))
+ return -1;
+ break;
default:
return 0;
}
@@ -2823,24 +2827,28 @@ static int parse_rule_udata_cb(const struct nftnl_udata *attr, void *data)
return 0;
}
-static char *nftnl_rule_get_comment(const struct nftnl_rule *nlr)
+static int nftnl_rule_get_userdata(const struct nftnl_rule *nlr, struct rule *rule)
{
const struct nftnl_udata *tb[NFTNL_UDATA_RULE_MAX + 1] = {};
const void *data;
uint32_t len;
if (!nftnl_rule_is_set(nlr, NFTNL_RULE_USERDATA))
- return NULL;
+ return 0;
data = nftnl_rule_get_data(nlr, NFTNL_RULE_USERDATA, &len);
if (nftnl_udata_parse(data, len, parse_rule_udata_cb, tb) < 0)
- return NULL;
+ return -1;
- if (!tb[NFTNL_UDATA_RULE_COMMENT])
- return NULL;
+ if (tb[NFTNL_UDATA_RULE_COMMENT]) {
+ rule->comment =
+ xstrdup(nftnl_udata_get(tb[NFTNL_UDATA_RULE_COMMENT]));
+ }
+ if (tb[NFTNL_UDATA_RULE_COOKIE])
+ rule->cookie = nftnl_udata_get_u64(tb[NFTNL_UDATA_RULE_COOKIE]);
- return xstrdup(nftnl_udata_get(tb[NFTNL_UDATA_RULE_COMMENT]));
+ return 0;
}
struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
@@ -2866,7 +2874,7 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
pctx->table = table_lookup(&h, &ctx->nft->cache);
assert(pctx->table != NULL);
- pctx->rule->comment = nftnl_rule_get_comment(nlr);
+ nftnl_rule_get_userdata(nlr, pctx->rule);
nftnl_expr_foreach(nlr, netlink_parse_rule_expr, pctx);
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 846df46b75fd..a5d86449d7f2 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1516,6 +1516,7 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
void netlink_linearize_rule(struct netlink_ctx *ctx, struct nftnl_rule *nlr,
const struct rule *rule)
{
+ struct nftnl_udata_buf *udata = NULL;
struct netlink_linearize_ctx lctx;
const struct stmt *stmt;
@@ -1526,20 +1527,27 @@ void netlink_linearize_rule(struct netlink_ctx *ctx, struct nftnl_rule *nlr,
list_for_each_entry(stmt, &rule->stmts, list)
netlink_gen_stmt(&lctx, stmt);
- if (rule->comment) {
- struct nftnl_udata_buf *udata;
-
+ if (rule->comment || rule->cookie) {
udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
if (!udata)
memory_allocation_error();
+ }
+ if (rule->comment) {
if (!nftnl_udata_put_strz(udata, NFTNL_UDATA_RULE_COMMENT,
rule->comment))
memory_allocation_error();
+ }
+ if (rule->cookie) {
+ if (!nftnl_udata_put_u64(udata, NFTNL_UDATA_RULE_COOKIE,
+ rule->cookie))
+ memory_allocation_error();
+ }
+
+ if (udata) {
nftnl_rule_set_data(nlr, NFTNL_RULE_USERDATA,
nftnl_udata_buf_data(udata),
nftnl_udata_buf_len(udata));
-
nftnl_udata_buf_free(udata);
}
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 167c315810ed..9d982900eb94 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -543,6 +543,7 @@ int nft_lex(void *, void *, void *);
%token POSITION "position"
%token INDEX "index"
%token COMMENT "comment"
+%token COOKIE "cookie"
%token XML "xml"
%token JSON "json"
@@ -568,7 +569,7 @@ int nft_lex(void *, void *, void *);
%type <string> identifier type_identifier string comment_spec
%destructor { xfree($$); } identifier type_identifier string comment_spec
-%type <val> time_spec quota_used
+%type <val> time_spec quota_used cookie_spec
%type <expr> data_type_expr data_type_atom_expr
%destructor { expr_free($$); } data_type_expr data_type_atom_expr
@@ -2482,6 +2483,12 @@ comment_spec : COMMENT string
}
;
+cookie_spec : COOKIE NUM
+ {
+ $$ = $2;
+ }
+ ;
+
ruleset_spec : /* empty */
{
memset(&$$, 0, sizeof($$));
@@ -2502,6 +2509,15 @@ rule : rule_alloc
{
$$->comment = $2;
}
+ | rule_alloc cookie_spec
+ {
+ $$->cookie = $2;
+ }
+ | rule_alloc cookie_spec comment_spec
+ {
+ $$->cookie = $2;
+ $$->comment = $3;
+ }
;
rule_alloc : stmt_list
diff --git a/src/rule.c b/src/rule.c
index 6335aa2189ad..551a7dc01ce2 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -664,6 +664,8 @@ void rule_print(const struct rule *rule, struct output_ctx *octx)
nft_print(octx, " ");
}
+ if (rule->cookie)
+ nft_print(octx, " cookie %"PRIu64"", rule->cookie);
if (rule->comment)
nft_print(octx, " comment \"%s\"", rule->comment);
diff --git a/src/scanner.l b/src/scanner.l
index 45699c85d7d0..7117ebb918fc 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -300,6 +300,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"position" { return POSITION; }
"index" { return INDEX; }
"comment" { return COMMENT; }
+"cookie" { return COOKIE; }
"constant" { return CONSTANT; }
"interval" { return INTERVAL; }
--
2.20.1
