[PATCH nft] src: add cookie support for rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch allows users to specify a unsigned 64-bit cookie for rules.
The userspace application assigns the cookie number for tracking the rule.
The cookie needs to be non-zero. This cookie value is only relevant to
userspace since this resides in the user data area.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
Phil, you suggested a cookie to track rules, here it is. A few notes:

- This patch is missing json support.
- No need for kernel update since the cookie is stored in the user data area.

 include/rule.h            |  3 ++-
 src/netlink_delinearize.c | 22 +++++++++++++++-------
 src/netlink_linearize.c   | 16 ++++++++++++----
 src/parser_bison.y        | 18 +++++++++++++++++-
 src/rule.c                |  2 ++
 src/scanner.l             |  1 +
 6 files changed, 49 insertions(+), 13 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index 60eadfa3c9a2..0dd29625e613 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -275,8 +275,9 @@ struct rule {
 	struct location		location;
 	struct list_head	stmts;
 	unsigned int		num_stmts;
-	const char		*comment;
 	unsigned int		refcnt;
+	const char		*comment;
+	uint64_t		cookie;
 };
 
 extern struct rule *rule_alloc(const struct location *loc,
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 9e3ed53d09f1..7a25f5b0ddf4 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2816,6 +2816,10 @@ static int parse_rule_udata_cb(const struct nftnl_udata *attr, void *data)
 		if (value[len - 1] != '\0')
 			return -1;
 		break;
+	case NFTNL_UDATA_RULE_COOKIE:
+		if (len != sizeof(uint64_t))
+			return -1;
+		break;
 	default:
 		return 0;
 	}
@@ -2823,24 +2827,28 @@ static int parse_rule_udata_cb(const struct nftnl_udata *attr, void *data)
 	return 0;
 }
 
-static char *nftnl_rule_get_comment(const struct nftnl_rule *nlr)
+static int nftnl_rule_get_userdata(const struct nftnl_rule *nlr, struct rule *rule)
 {
 	const struct nftnl_udata *tb[NFTNL_UDATA_RULE_MAX + 1] = {};
 	const void *data;
 	uint32_t len;
 
 	if (!nftnl_rule_is_set(nlr, NFTNL_RULE_USERDATA))
-		return NULL;
+		return 0;
 
 	data = nftnl_rule_get_data(nlr, NFTNL_RULE_USERDATA, &len);
 
 	if (nftnl_udata_parse(data, len, parse_rule_udata_cb, tb) < 0)
-		return NULL;
+		return -1;
 
-	if (!tb[NFTNL_UDATA_RULE_COMMENT])
-		return NULL;
+	if (tb[NFTNL_UDATA_RULE_COMMENT]) {
+		rule->comment =
+			xstrdup(nftnl_udata_get(tb[NFTNL_UDATA_RULE_COMMENT]));
+	}
+	if (tb[NFTNL_UDATA_RULE_COOKIE])
+		rule->cookie = nftnl_udata_get_u64(tb[NFTNL_UDATA_RULE_COOKIE]);
 
-	return xstrdup(nftnl_udata_get(tb[NFTNL_UDATA_RULE_COMMENT]));
+	return 0;
 }
 
 struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
@@ -2866,7 +2874,7 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
 	pctx->table = table_lookup(&h, &ctx->nft->cache);
 	assert(pctx->table != NULL);
 
-	pctx->rule->comment = nftnl_rule_get_comment(nlr);
+	nftnl_rule_get_userdata(nlr, pctx->rule);
 
 	nftnl_expr_foreach(nlr, netlink_parse_rule_expr, pctx);
 
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 846df46b75fd..a5d86449d7f2 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1516,6 +1516,7 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
 void netlink_linearize_rule(struct netlink_ctx *ctx, struct nftnl_rule *nlr,
 			    const struct rule *rule)
 {
+	struct nftnl_udata_buf *udata = NULL;
 	struct netlink_linearize_ctx lctx;
 	const struct stmt *stmt;
 
@@ -1526,20 +1527,27 @@ void netlink_linearize_rule(struct netlink_ctx *ctx, struct nftnl_rule *nlr,
 	list_for_each_entry(stmt, &rule->stmts, list)
 		netlink_gen_stmt(&lctx, stmt);
 
-	if (rule->comment) {
-		struct nftnl_udata_buf *udata;
-
+	if (rule->comment || rule->cookie) {
 		udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
 		if (!udata)
 			memory_allocation_error();
+	}
 
+	if (rule->comment) {
 		if (!nftnl_udata_put_strz(udata, NFTNL_UDATA_RULE_COMMENT,
 					  rule->comment))
 			memory_allocation_error();
+	}
+	if (rule->cookie) {
+		if (!nftnl_udata_put_u64(udata, NFTNL_UDATA_RULE_COOKIE,
+					 rule->cookie))
+			memory_allocation_error();
+	}
+
+	if (udata) {
 		nftnl_rule_set_data(nlr, NFTNL_RULE_USERDATA,
 				    nftnl_udata_buf_data(udata),
 				    nftnl_udata_buf_len(udata));
-
 		nftnl_udata_buf_free(udata);
 	}
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 167c315810ed..9d982900eb94 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -543,6 +543,7 @@ int nft_lex(void *, void *, void *);
 %token POSITION			"position"
 %token INDEX			"index"
 %token COMMENT			"comment"
+%token COOKIE			"cookie"
 
 %token XML			"xml"
 %token JSON			"json"
@@ -568,7 +569,7 @@ int nft_lex(void *, void *, void *);
 %type <string>			identifier type_identifier string comment_spec
 %destructor { xfree($$); }	identifier type_identifier string comment_spec
 
-%type <val>			time_spec quota_used
+%type <val>			time_spec quota_used cookie_spec
 
 %type <expr>			data_type_expr data_type_atom_expr
 %destructor { expr_free($$); }  data_type_expr data_type_atom_expr
@@ -2482,6 +2483,12 @@ comment_spec		:	COMMENT		string
 			}
 			;
 
+cookie_spec		:	COOKIE		NUM
+			{
+				$$ = $2;
+			}
+			;
+
 ruleset_spec		:	/* empty */
 			{
 				memset(&$$, 0, sizeof($$));
@@ -2502,6 +2509,15 @@ rule			:	rule_alloc
 			{
 				$$->comment = $2;
 			}
+			|	rule_alloc	cookie_spec
+			{
+				$$->cookie = $2;
+			}
+			|	rule_alloc	cookie_spec comment_spec
+			{
+				$$->cookie = $2;
+				$$->comment = $3;
+			}
 			;
 
 rule_alloc		:	stmt_list
diff --git a/src/rule.c b/src/rule.c
index 6335aa2189ad..551a7dc01ce2 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -664,6 +664,8 @@ void rule_print(const struct rule *rule, struct output_ctx *octx)
 			nft_print(octx, " ");
 	}
 
+	if (rule->cookie)
+		nft_print(octx, " cookie %"PRIu64"", rule->cookie);
 	if (rule->comment)
 		nft_print(octx, " comment \"%s\"", rule->comment);
 
diff --git a/src/scanner.l b/src/scanner.l
index 45699c85d7d0..7117ebb918fc 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -300,6 +300,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "position"		{ return POSITION; }
 "index"			{ return INDEX; }
 "comment"		{ return COMMENT; }
+"cookie"		{ return COOKIE; }
 
 "constant"		{ return CONSTANT; }
 "interval"		{ return INTERVAL; }
-- 
2.20.1




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux