diff options
author | Rosy Song <rosysong@rosinson.com> | 2018-05-15 11:42:29 +0800 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2018-05-21 18:07:47 +0200 |
commit | 39e87e0ffc4eabf27d25459a369be425e9ef0474 (patch) | |
tree | b7bff5520f53bccf4d2b40b0440b85ec6b3359bc /package/network/utils/nftables/patches/201-src-add-support-to-add-flowtables.patch | |
parent | c7e9d72f056a190fe14b1ebc3f07e726121e2965 (diff) | |
download | upstream-39e87e0ffc4eabf27d25459a369be425e9ef0474.tar.gz upstream-39e87e0ffc4eabf27d25459a369be425e9ef0474.tar.bz2 upstream-39e87e0ffc4eabf27d25459a369be425e9ef0474.zip |
nftables: bump to 0.8.5 version
Signed-off-by: Rosy Song <rosysong@rosinson.com>
Diffstat (limited to 'package/network/utils/nftables/patches/201-src-add-support-to-add-flowtables.patch')
-rw-r--r-- | package/network/utils/nftables/patches/201-src-add-support-to-add-flowtables.patch | 515 |
1 files changed, 0 insertions, 515 deletions
diff --git a/package/network/utils/nftables/patches/201-src-add-support-to-add-flowtables.patch b/package/network/utils/nftables/patches/201-src-add-support-to-add-flowtables.patch deleted file mode 100644 index 888a767160..0000000000 --- a/package/network/utils/nftables/patches/201-src-add-support-to-add-flowtables.patch +++ /dev/null @@ -1,515 +0,0 @@ -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Thu, 18 Jan 2018 08:43:23 +0100 -Subject: [PATCH] src: add support to add flowtables - -This patch allows you to create flowtable: - - # nft add table x - # nft add flowtable x m { hook ingress priority 10\; devices = { eth0, wlan0 }\; } - -You have to specify hook and priority. So far, only the ingress hook is -supported. The priority represents where this flowtable is placed in the -ingress hook, which is registered to the devices that the user -specifies. - -You can also use the 'create' command instead to bail out in case that -there is an existing flowtable with this name. - -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - ---- a/include/expression.h -+++ b/include/expression.h -@@ -407,6 +407,8 @@ extern struct expr *prefix_expr_alloc(co - extern struct expr *range_expr_alloc(const struct location *loc, - struct expr *low, struct expr *high); - -+extern struct expr *compound_expr_alloc(const struct location *loc, -+ const struct expr_ops *ops); - extern void compound_expr_add(struct expr *compound, struct expr *expr); - extern void compound_expr_remove(struct expr *compound, struct expr *expr); - extern void list_expr_sort(struct list_head *head); ---- a/include/mnl.h -+++ b/include/mnl.h -@@ -92,6 +92,10 @@ int mnl_nft_obj_batch_del(struct nftnl_o - struct nftnl_flowtable_list * - mnl_nft_flowtable_dump(struct netlink_ctx *ctx, int family, const char *table); - -+int mnl_nft_flowtable_batch_add(struct nftnl_flowtable *flo, -+ struct nftnl_batch *batch, unsigned int flags, -+ uint32_t seqnum); -+ - struct nftnl_ruleset *mnl_nft_ruleset_dump(struct netlink_ctx *ctx, - uint32_t family); - int mnl_nft_event_listener(struct mnl_socket *nf_sock, unsigned int debug_mask, ---- a/include/netlink.h -+++ b/include/netlink.h -@@ -7,6 +7,7 @@ - #include <libnftnl/expr.h> - #include <libnftnl/set.h> - #include <libnftnl/object.h> -+#include <libnftnl/flowtable.h> - - #include <linux/netlink.h> - #include <linux/netfilter/nf_tables.h> -@@ -182,6 +183,9 @@ extern int netlink_delete_obj(struct net - extern int netlink_list_flowtables(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc); -+extern int netlink_add_flowtable(struct netlink_ctx *ctx, -+ const struct handle *h, struct flowtable *ft, -+ uint32_t flags); - - extern void netlink_dump_chain(const struct nftnl_chain *nlc, - struct netlink_ctx *ctx); ---- a/include/rule.h -+++ b/include/rule.h -@@ -322,10 +322,13 @@ uint32_t obj_type_to_cmd(uint32_t type); - struct flowtable { - struct list_head list; - struct handle handle; -+ struct scope scope; - struct location location; -+ const char * hookstr; - unsigned int hooknum; - int priority; - const char **dev_array; -+ struct expr *dev_expr; - int dev_array_len; - unsigned int refcnt; - }; -@@ -383,6 +386,8 @@ enum cmd_ops { - * @CMD_OBJ_CHAIN: chain - * @CMD_OBJ_CHAINS: multiple chains - * @CMD_OBJ_TABLE: table -+ * @CMD_OBJ_FLOWTABLE: flowtable -+ * @CMD_OBJ_FLOWTABLES: flowtables - * @CMD_OBJ_RULESET: ruleset - * @CMD_OBJ_EXPR: expression - * @CMD_OBJ_MONITOR: monitor -@@ -422,6 +427,7 @@ enum cmd_obj { - CMD_OBJ_CT_HELPERS, - CMD_OBJ_LIMIT, - CMD_OBJ_LIMITS, -+ CMD_OBJ_FLOWTABLE, - CMD_OBJ_FLOWTABLES, - }; - -@@ -481,6 +487,7 @@ struct cmd { - struct rule *rule; - struct chain *chain; - struct table *table; -+ struct flowtable *flowtable; - struct monitor *monitor; - struct markup *markup; - struct obj *object; ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -2897,6 +2897,24 @@ static int set_evaluate(struct eval_ctx - return 0; - } - -+static uint32_t str2hooknum(uint32_t family, const char *hook); -+ -+static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft) -+{ -+ struct table *table; -+ -+ table = table_lookup_global(ctx); -+ if (table == NULL) -+ return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -+ ctx->cmd->handle.table); -+ -+ ft->hooknum = str2hooknum(NFPROTO_NETDEV, ft->hookstr); -+ if (ft->hooknum == NF_INET_NUMHOOKS) -+ return chain_error(ctx, ft, "invalid hook %s", ft->hookstr); -+ -+ return 0; -+} -+ - static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule) - { - struct stmt *stmt, *tstmt = NULL; -@@ -3069,6 +3087,14 @@ static int cmd_evaluate_add(struct eval_ - return chain_evaluate(ctx, cmd->chain); - case CMD_OBJ_TABLE: - return table_evaluate(ctx, cmd->table); -+ case CMD_OBJ_FLOWTABLE: -+ ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, -+ ctx->msgs, ctx->debug_mask & NFT_DEBUG_NETLINK, ctx->octx); -+ if (ret < 0) -+ return ret; -+ -+ handle_merge(&cmd->flowtable->handle, &cmd->handle); -+ return flowtable_evaluate(ctx, cmd->flowtable); - case CMD_OBJ_COUNTER: - case CMD_OBJ_QUOTA: - case CMD_OBJ_CT_HELPER: ---- a/src/expression.c -+++ b/src/expression.c -@@ -663,8 +663,8 @@ struct expr *range_expr_alloc(const stru - return expr; - } - --static struct expr *compound_expr_alloc(const struct location *loc, -- const struct expr_ops *ops) -+struct expr *compound_expr_alloc(const struct location *loc, -+ const struct expr_ops *ops) - { - struct expr *expr; - ---- a/src/mnl.c -+++ b/src/mnl.c -@@ -1011,6 +1011,22 @@ err: - return NULL; - } - -+int mnl_nft_flowtable_batch_add(struct nftnl_flowtable *flo, -+ struct nftnl_batch *batch, unsigned int flags, -+ uint32_t seqnum) -+{ -+ struct nlmsghdr *nlh; -+ -+ nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), -+ NFT_MSG_NEWFLOWTABLE, -+ nftnl_flowtable_get_u32(flo, NFTNL_FLOWTABLE_FAMILY), -+ NLM_F_CREATE | flags, seqnum); -+ nftnl_flowtable_nlmsg_build_payload(nlh, flo); -+ mnl_nft_batch_continue(batch); -+ -+ return 0; -+} -+ - /* - * ruleset - */ ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -1773,6 +1773,64 @@ static struct obj *netlink_delinearize_o - return obj; - } - -+static struct nftnl_flowtable *alloc_nftnl_flowtable(const struct handle *h, -+ const struct flowtable *ft) -+{ -+ struct nftnl_flowtable *flo; -+ -+ flo = nftnl_flowtable_alloc(); -+ if (flo == NULL) -+ memory_allocation_error(); -+ -+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY, h->family); -+ nftnl_flowtable_set_str(flo, NFTNL_FLOWTABLE_TABLE, h->table); -+ if (h->flowtable != NULL) -+ nftnl_flowtable_set_str(flo, NFTNL_FLOWTABLE_NAME, h->flowtable); -+ -+ return flo; -+} -+ -+static void netlink_dump_flowtable(struct nftnl_flowtable *flo, -+ struct netlink_ctx *ctx) -+{ -+ FILE *fp = ctx->octx->output_fp; -+ -+ if (!(ctx->debug_mask & NFT_DEBUG_NETLINK) || !fp) -+ return; -+ -+ nftnl_flowtable_fprintf(fp, flo, 0, 0); -+ fprintf(fp, "\n"); -+} -+ -+int netlink_add_flowtable(struct netlink_ctx *ctx, const struct handle *h, -+ struct flowtable *ft, uint32_t flags) -+{ -+ struct nftnl_flowtable *flo; -+ const char *dev_array[8]; -+ struct expr *expr; -+ int i = 0, err; -+ -+ flo = alloc_nftnl_flowtable(h, ft); -+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM, ft->hooknum); -+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, ft->priority); -+ -+ list_for_each_entry(expr, &ft->dev_expr->expressions, list) -+ dev_array[i++] = expr->identifier; -+ -+ dev_array[i] = NULL; -+ nftnl_flowtable_set_array(flo, NFTNL_FLOWTABLE_DEVICES, dev_array); -+ -+ netlink_dump_flowtable(flo, ctx); -+ -+ err = mnl_nft_flowtable_batch_add(flo, ctx->batch, flags, ctx->seqnum); -+ if (err < 0) -+ netlink_io_error(ctx, &ft->location, "Could not add flowtable: %s", -+ strerror(errno)); -+ nftnl_flowtable_free(flo); -+ -+ return err; -+} -+ - static int list_obj_cb(struct nftnl_obj *nls, void *arg) - { - struct netlink_ctx *ctx = arg; ---- a/src/parser_bison.y -+++ b/src/parser_bison.y -@@ -145,6 +145,7 @@ int nft_lex(void *, void *, void *); - struct expr *expr; - struct set *set; - struct obj *obj; -+ struct flowtable *flowtable; - struct counter *counter; - struct quota *quota; - struct ct *ct; -@@ -189,6 +190,7 @@ int nft_lex(void *, void *, void *); - - %token HOOK "hook" - %token DEVICE "device" -+%token DEVICES "devices" - %token TABLE "table" - %token TABLES "tables" - %token CHAIN "chain" -@@ -200,6 +202,7 @@ int nft_lex(void *, void *, void *); - %token ELEMENT "element" - %token MAP "map" - %token MAPS "maps" -+%token FLOWTABLE "flowtable" - %token HANDLE "handle" - %token RULESET "ruleset" - %token TRACE "trace" -@@ -500,9 +503,9 @@ int nft_lex(void *, void *, void *); - %type <cmd> base_cmd add_cmd replace_cmd create_cmd insert_cmd delete_cmd list_cmd reset_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd import_cmd - %destructor { cmd_free($$); } base_cmd add_cmd replace_cmd create_cmd insert_cmd delete_cmd list_cmd reset_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd import_cmd - --%type <handle> table_spec chain_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec --%destructor { handle_free(&$$); } table_spec chain_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec --%type <handle> set_spec set_identifier obj_spec obj_identifier -+%type <handle> table_spec chain_spec flowtable_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec -+%destructor { handle_free(&$$); } table_spec chain_spec flowtable_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec -+%type <handle> set_spec set_identifier flowtable_identifier obj_spec obj_identifier - %destructor { handle_free(&$$); } set_spec set_identifier obj_spec obj_identifier - %type <val> family_spec family_spec_explicit chain_policy prio_spec - -@@ -526,6 +529,9 @@ int nft_lex(void *, void *, void *); - %type <set> map_block_alloc map_block - %destructor { set_free($$); } map_block_alloc - -+%type <flowtable> flowtable_block_alloc flowtable_block -+%destructor { flowtable_free($$); } flowtable_block_alloc -+ - %type <obj> obj_block_alloc counter_block quota_block ct_helper_block limit_block - %destructor { obj_free($$); } obj_block_alloc - -@@ -606,8 +612,8 @@ int nft_lex(void *, void *, void *); - %type <expr> verdict_map_expr verdict_map_list_expr verdict_map_list_member_expr - %destructor { expr_free($$); } verdict_map_expr verdict_map_list_expr verdict_map_list_member_expr - --%type <expr> set_expr set_block_expr set_list_expr set_list_member_expr --%destructor { expr_free($$); } set_expr set_block_expr set_list_expr set_list_member_expr -+%type <expr> set_expr set_block_expr set_list_expr set_list_member_expr flowtable_expr flowtable_list_expr flowtable_expr_member -+%destructor { expr_free($$); } set_expr set_block_expr set_list_expr set_list_member_expr flowtable_expr flowtable_list_expr flowtable_expr_member - %type <expr> set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr - %destructor { expr_free($$); } set_elem_expr set_elem_expr_alloc set_lhs_expr set_rhs_expr - %type <expr> set_elem_expr_stmt set_elem_expr_stmt_alloc -@@ -872,6 +878,13 @@ add_cmd : TABLE table_spec - { - $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEM, &$2, &@$, $3); - } -+ | FLOWTABLE flowtable_spec flowtable_block_alloc -+ '{' flowtable_block '}' -+ { -+ $5->location = @5; -+ handle_merge(&$3->handle, &$2); -+ $$ = cmd_alloc(CMD_ADD, CMD_OBJ_FLOWTABLE, &$2, &@$, $5); -+ } - | COUNTER obj_spec - { - struct obj *obj; -@@ -947,6 +960,13 @@ create_cmd : TABLE table_spec - { - $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SETELEM, &$2, &@$, $3); - } -+ | FLOWTABLE flowtable_spec flowtable_block_alloc -+ '{' flowtable_block '}' -+ { -+ $5->location = @5; -+ handle_merge(&$3->handle, &$2); -+ $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_FLOWTABLE, &$2, &@$, $5); -+ } - | COUNTER obj_spec - { - struct obj *obj; -@@ -1317,6 +1337,17 @@ table_block : /* empty */ { $$ = $<tabl - list_add_tail(&$4->list, &$1->sets); - $$ = $1; - } -+ -+ | table_block FLOWTABLE flowtable_identifier -+ flowtable_block_alloc '{' flowtable_block '}' -+ stmt_separator -+ { -+ $4->location = @3; -+ handle_merge(&$4->handle, &$3); -+ handle_free(&$3); -+ list_add_tail(&$4->list, &$1->flowtables); -+ $$ = $1; -+ } - | table_block COUNTER obj_identifier - obj_block_alloc '{' counter_block '}' - stmt_separator -@@ -1512,6 +1543,62 @@ set_policy_spec : PERFORMANCE { $$ = NF - | MEMORY { $$ = NFT_SET_POL_MEMORY; } - ; - -+flowtable_block_alloc : /* empty */ -+ { -+ $$ = flowtable_alloc(NULL); -+ } -+ ; -+ -+flowtable_block : /* empty */ { $$ = $<flowtable>-1; } -+ | flowtable_block common_block -+ | flowtable_block stmt_separator -+ | flowtable_block HOOK STRING PRIORITY prio_spec stmt_separator -+ { -+ $$->hookstr = chain_hookname_lookup($3); -+ if ($$->hookstr == NULL) { -+ erec_queue(error(&@3, "unknown chain hook %s", $3), -+ state->msgs); -+ xfree($3); -+ YYERROR; -+ } -+ xfree($3); -+ -+ $$->priority = $5; -+ } -+ | flowtable_block DEVICES '=' flowtable_expr stmt_separator -+ { -+ $$->dev_expr = $4; -+ } -+ ; -+ -+flowtable_expr : '{' flowtable_list_expr '}' -+ { -+ $2->location = @$; -+ $$ = $2; -+ } -+ ; -+ -+flowtable_list_expr : flowtable_expr_member -+ { -+ $$ = compound_expr_alloc(&@$, NULL); -+ compound_expr_add($$, $1); -+ } -+ | flowtable_list_expr COMMA flowtable_expr_member -+ { -+ compound_expr_add($1, $3); -+ $$ = $1; -+ } -+ | flowtable_list_expr COMMA opt_newline -+ ; -+ -+flowtable_expr_member : STRING -+ { -+ $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, -+ current_scope(state), -+ $1); -+ } -+ ; -+ - data_type_atom_expr : type_identifier - { - const struct datatype *dtype = datatype_lookup_byname($1); -@@ -1720,6 +1807,21 @@ set_identifier : identifier - } - ; - -+ -+flowtable_spec : table_spec identifier -+ { -+ $$ = $1; -+ $$.flowtable = $2; -+ } -+ ; -+ -+flowtable_identifier : identifier -+ { -+ memset(&$$, 0, sizeof($$)); -+ $$.flowtable = $1; -+ } -+ ; -+ - obj_spec : table_spec identifier - { - $$ = $1; ---- a/src/rule.c -+++ b/src/rule.c -@@ -45,6 +45,8 @@ void handle_merge(struct handle *dst, co - dst->chain = xstrdup(src->chain); - if (dst->set == NULL && src->set != NULL) - dst->set = xstrdup(src->set); -+ if (dst->flowtable == NULL && src->flowtable != NULL) -+ dst->flowtable = xstrdup(src->flowtable); - if (dst->obj == NULL && src->obj != NULL) - dst->obj = xstrdup(src->obj); - if (dst->handle.id == 0) -@@ -857,6 +859,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, e - void nft_cmd_expand(struct cmd *cmd) - { - struct list_head new_cmds; -+ struct flowtable *ft; - struct table *table; - struct chain *chain; - struct rule *rule; -@@ -896,6 +899,14 @@ void nft_cmd_expand(struct cmd *cmd) - &set->location, set_get(set)); - list_add_tail(&new->list, &new_cmds); - } -+ list_for_each_entry(ft, &table->flowtables, list) { -+ handle_merge(&ft->handle, &table->handle); -+ memset(&h, 0, sizeof(h)); -+ handle_merge(&h, &ft->handle); -+ new = cmd_alloc(CMD_ADD, CMD_OBJ_FLOWTABLE, &h, -+ &ft->location, flowtable_get(ft)); -+ list_add_tail(&new->list, &new_cmds); -+ } - list_for_each_entry(chain, &table->chains, list) { - list_for_each_entry(rule, &chain->rules, list) { - memset(&h, 0, sizeof(h)); -@@ -982,6 +993,9 @@ void cmd_free(struct cmd *cmd) - case CMD_OBJ_LIMIT: - obj_free(cmd->object); - break; -+ case CMD_OBJ_FLOWTABLE: -+ flowtable_free(cmd->flowtable); -+ break; - default: - BUG("invalid command object type %u\n", cmd->obj); - } -@@ -1071,6 +1085,9 @@ static int do_command_add(struct netlink - case CMD_OBJ_CT_HELPER: - case CMD_OBJ_LIMIT: - return netlink_add_obj(ctx, &cmd->handle, cmd->object, flags); -+ case CMD_OBJ_FLOWTABLE: -+ return netlink_add_flowtable(ctx, &cmd->handle, cmd->flowtable, -+ flags); - default: - BUG("invalid command object type %u\n", cmd->obj); - } ---- a/src/scanner.l -+++ b/src/scanner.l -@@ -238,6 +238,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr - - "hook" { return HOOK; } - "device" { return DEVICE; } -+"devices" { return DEVICES; } - "table" { return TABLE; } - "tables" { return TABLES; } - "chain" { return CHAIN; } -@@ -249,6 +250,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr - "element" { return ELEMENT; } - "map" { return MAP; } - "maps" { return MAPS; } -+"flowtable" { return FLOWTABLE; } - "handle" { return HANDLE; } - "ruleset" { return RULESET; } - "trace" { return TRACE; } |