setelem: add support for attaching comments to set elements

Syntax:

# nft add element filter test { 192.168.0.1 comment "some host" }

Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/expression.h b/include/expression.h
index 6f23b6ddd6783d989f3e426fa7417b9a97f59ed9..010cb954468ed61f257c1edb82f4f6ee18b6732b 100644 (file)
--- a/include/expression.h
+++ b/include/expression.h
@@ -236,6 +236,7 @@ struct expr {
                        struct expr             *key;
                        uint64_t                timeout;
                        uint64_t                expiration;
+                       const char              *comment;
                };
                struct {
                        /* EXPR_UNARY */

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 6894ba33d158c328b432b4a4a831f47018751281..334b3892ac04fa28e9473da49777346a1f7c09de 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -291,6 +291,7 @@ enum nft_set_elem_flags {
  * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
  * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
  * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
+ * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
  */
 enum nft_set_elem_attributes {
        NFTA_SET_ELEM_UNSPEC,
@@ -299,6 +300,7 @@ enum nft_set_elem_attributes {
        NFTA_SET_ELEM_FLAGS,
        NFTA_SET_ELEM_TIMEOUT,
        NFTA_SET_ELEM_EXPIRATION,
+       NFTA_SET_ELEM_USERDATA,
        __NFTA_SET_ELEM_MAX
 };
 #define NFTA_SET_ELEM_MAX      (__NFTA_SET_ELEM_MAX - 1)

diff --git a/src/expression.c b/src/expression.c
index 2037c60769daf542a8b221c62aeb48c13ed0c43f..3edc5501b362489babf6eb56d876b308075d9380 100644 (file)
--- a/src/expression.c
+++ b/src/expression.c
@@ -897,10 +897,13 @@ static void set_elem_expr_print(const struct expr *expr)
                printf(" expires ");
                time_print(expr->expiration / 1000);
        }
+       if (expr->comment)
+               printf(" comment \"%s\"", expr->comment);
 }
 
 static void set_elem_expr_destroy(struct expr *expr)
 {
+       xfree(expr->comment);
        expr_free(expr->key);
 }
 

diff --git a/src/netlink.c b/src/netlink.c
index 7d675d7fc1997414e4ba0972ecaa3fc5f76f3a8d..d31387f823222ce339e5c6eb1bff52b76cf90153 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -228,6 +228,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr)
        if (elem->timeout)
                nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT,
                                          elem->timeout);
+       if (elem->comment)
+               nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_USERDATA,
+                                     elem->comment, strlen(elem->comment) + 1);
 
        if (data != NULL) {
                netlink_gen_data(data, &nld);
@@ -1411,6 +1414,14 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse,
                expr->timeout    = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT);
        if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION))
                expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION);
+       if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_USERDATA)) {
+               const void *data;
+               uint32_t len;
+
+               data = nft_set_elem_attr_get(nlse, NFT_SET_ELEM_ATTR_USERDATA, &len);
+               expr->comment = xmalloc(len);
+               memcpy((char *)expr->comment, data, len);
+       }
 
        if (flags & NFT_SET_ELEM_INTERVAL_END) {
                expr->flags |= EXPR_F_INTERVAL_END;

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 736704a594a2c3c24e1c79a440ea5bd5f30734fe..0f2d71a3bc718b379a0ec7c869e8435afdcaa608 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1799,6 +1799,10 @@ set_elem_option          :       TIMEOUT                 time_spec
                        {
                                $<expr>0->timeout = $2 * 1000;
                        }
+                       |       COMMENT                 string
+                       {
+                               $<expr>0->comment = $2;
+                       }
                        ;
 
 set_lhs_expr           :       concat_expr