leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netfilter: nf_tables: add support for dynamic set updates

Browse Source 
Add a new "dynset" expression for dynamic set updates.

A new set op ->update() is added which, for non existant elements,
invokes an initialization callback and inserts the new element.
For both new or existing elements the extenstion pointer is returned
to the caller to optionally perform timer updates or other actions.

Element removal is not supported so far, however that seems to be a
rather exotic need and can be added later on.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Patrick McHardy
2015-04-05 14:41:08 +02:00
committed by Pablo Neira Ayuso
parent 11113e190b
commit 22fe54d5fe
8 changed files with 315 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
include/net/netfilter/nf_tables.h
View File

@@ -196,6 +196,7 @@ struct nft_set_estimate {
};
struct nft_set_ext;
struct nft_expr;
/**
* struct nft_set_ops - nf_tables set operations
@@ -218,6 +219,15 @@ struct nft_set_ops {
bool (*lookup)(const struct nft_set *set,
const struct nft_data *key,
const struct nft_set_ext **ext);
bool (*update)(struct nft_set *set,
const struct nft_data *key,
void *(*new)(struct nft_set *,
const struct nft_expr *,
struct nft_data []),
const struct nft_expr *expr,
struct nft_data data[],
const struct nft_set_ext **ext);
int (*insert)(const struct nft_set *set,
const struct nft_set_elem *elem);
void (*activate)(const struct nft_set *set,
@@ -466,6 +476,11 @@ static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
return elem + set->ops->elemsize;
}
void *nft_set_elem_init(const struct nft_set *set,
const struct nft_set_ext_tmpl *tmpl,
const struct nft_data *key,
const struct nft_data *data,
u64 timeout, gfp_t gfp);
void nft_set_elem_destroy(const struct nft_set *set, void *elem);
/**
@@ -845,6 +860,8 @@ static inline u8 nft_genmask_cur(const struct net *net)
return 1 << ACCESS_ONCE(net->nft.gencursor);
}
#define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
/*
* Set element transaction helpers
*/

3
include/net/netfilter/nf_tables_core.h
View File

@@ -31,6 +31,9 @@ void nft_cmp_module_exit(void);
int nft_lookup_module_init(void);
void nft_lookup_module_exit(void);
int nft_dynset_module_init(void);
void nft_dynset_module_exit(void);
int nft_bitwise_module_init(void);
void nft_bitwise_module_exit(void);