git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 13 Apr 2022 02:01:22 +0000 (04:01 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 13 Apr 2022 11:44:01 +0000 (13:44 +0200)
commit	3e8d934e4f7224b0db64f89e9097370630062064
tree	11d285463bccccf28068494592a1d48dbf5237c8	tree
parent	7a6e16040d65227557f1f2224b5904a7373da86e	commit \| diff

intervals: support to partial deletion with automerge

Splice the existing set element cache with the elements to be deleted
and merge sort it. The elements to be deleted are identified by the
EXPR_F_REMOVE flag.

The set elements to be deleted is automerged in first place if the
automerge flag is set on.

There are four possible deletion scenarios:

- Exact match, eg. delete [a-b] and there is a [a-b] range in the kernel set.
- Adjust left side of range, eg. delete [a-b] from range [a-x] where x > b.
- Adjust right side of range, eg. delete [a-b] from range [x-b] where x < a.
- Split range, eg. delete [a-b] from range [x-y] where x < a and b < y.

Update nft_evaluate() to use the safe list variant since new commands
are dynamically registered to the list to update ranges.

This patch also restores the set element existence check for Linux
kernels <= 5.7.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/expression.h		diff \| blob \| blame \| history
include/intervals.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/intervals.c		diff \| blob \| blame \| history
src/libnftables.c		diff \| blob \| blame \| history