Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 79ebb5bb authored by Laura Garcia Liebana's avatar Laura Garcia Liebana Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tables: enable set expiration time for set elements 



Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.

This change will permit to set a certain expiration date
per element that will be required, for example, during
stateful replication among several nodes.

This patch handles the NFTA_SET_ELEM_EXPIRATION in order
to configure the expiration parameter per element, or
will use the timeout in the case that the expiration
is not set.

Signed-off-by: default avatarLaura Garcia Liebana <nevola@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 2f0513d4

include/net/netfilter/nf_tables.h

+1 −1
Original line number Diff line number Diff line
@@ -636,7 +636,7 @@ static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext) 
void *nft_set_elem_init(const struct nft_set *set,

			const struct nft_set_ext_tmpl *tmpl,

			const u32 *key, const u32 *data,

			u64 timeout, gfp_t gfp);

			u64 timeout, u64 expiration, gfp_t gfp);

void nft_set_elem_destroy(const struct nft_set *set, void *elem,

			  bool destroy_expr);

net/netfilter/nf_tables_api.c

+20 −6
Original line number Diff line number Diff line
@@ -3873,6 +3873,7 @@ static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 
	[NFTA_SET_ELEM_DATA]		= { .type = NLA_NESTED },

	[NFTA_SET_ELEM_FLAGS]		= { .type = NLA_U32 },

	[NFTA_SET_ELEM_TIMEOUT]		= { .type = NLA_U64 },

	[NFTA_SET_ELEM_EXPIRATION]	= { .type = NLA_U64 },

	[NFTA_SET_ELEM_USERDATA]	= { .type = NLA_BINARY,

					    .len = NFT_USERDATA_MAXLEN },

	[NFTA_SET_ELEM_EXPR]		= { .type = NLA_NESTED },
@@ -4326,7 +4327,7 @@ static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 
void *nft_set_elem_init(const struct nft_set *set,

			const struct nft_set_ext_tmpl *tmpl,

			const u32 *key, const u32 *data,

			u64 timeout, gfp_t gfp)

			u64 timeout, u64 expiration, gfp_t gfp)

{

	struct nft_set_ext *ext;

	void *elem;
@@ -4341,9 +4342,11 @@ void *nft_set_elem_init(const struct nft_set *set, 
	memcpy(nft_set_ext_key(ext), key, set->klen);

	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))

		memcpy(nft_set_ext_data(ext), data, set->dlen);

	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))

		*nft_set_ext_expiration(ext) =

			get_jiffies_64() + timeout;

	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {

		*nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;

		if (expiration == 0)

			*nft_set_ext_expiration(ext) += timeout;

	}

	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))

		*nft_set_ext_timeout(ext) = timeout;
@@ -4408,6 +4411,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 
	struct nft_trans *trans;

	u32 flags = 0;

	u64 timeout;

	u64 expiration;

	u8 ulen;

	int err;
@@ -4451,6 +4455,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 
		timeout = set->timeout;

	}



	expiration = 0;

	if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {

		if (!(set->flags & NFT_SET_TIMEOUT))

			return -EINVAL;

		err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],

					    &expiration);

		if (err)

			return err;

	}



	err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,

			    nla[NFTA_SET_ELEM_KEY]);

	if (err < 0)
@@ -4533,7 +4547,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 


	err = -ENOMEM;

	elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,

				      timeout, GFP_KERNEL);

				      timeout, expiration, GFP_KERNEL);

	if (elem.priv == NULL)

		goto err3;
@@ -4735,7 +4749,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 


	err = -ENOMEM;

	elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,

				      GFP_KERNEL);

				      0, GFP_KERNEL);

	if (elem.priv == NULL)

		goto err2;

net/netfilter/nft_dynset.c

+1 −1
Original line number Diff line number Diff line
@@ -60,7 +60,7 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr, 
	elem = nft_set_elem_init(set, &priv->tmpl,

				 &regs->data[priv->sreg_key],

				 &regs->data[priv->sreg_data],

				 timeout, GFP_ATOMIC);

				 timeout, 0, GFP_ATOMIC);

	if (elem == NULL)

		goto err1;