parser: allow ct timeouts to use time_spec values
authorFlorian Westphal <fw@strlen.de>
Wed, 2 Aug 2023 15:47:14 +0000 (17:47 +0200)
committerFlorian Westphal <fw@strlen.de>
Thu, 3 Aug 2023 11:06:19 +0000 (13:06 +0200)
For some reason the parser only allows raw numbers (seconds)
for ct timeouts, e.g.

ct timeout ttcp {
protocol tcp;
policy = { syn_sent : 3, ...

Also permit time_spec, e.g. "established : 5d".
Print the nicer time formats on output, but retain
raw numbers support on input for compatibility.

Signed-off-by: Florian Westphal <fw@strlen.de>
doc/stateful-objects.txt
src/parser_bison.y
src/rule.c
tests/shell/testcases/listing/0013objects_0
tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft

index e3c79220811ff8a9905221ffcf0099d5612834a6..00d3c5f104631e92ca0fe45cc5990ed9989d8e7c 100644 (file)
@@ -94,7 +94,7 @@ table ip filter {
        ct timeout customtimeout {
                protocol tcp;
                l3proto ip
-               policy = { established: 120, close: 20 }
+               policy = { established: 2m, close: 20s }
        }
 
        chain output {
index ef5011c1d723d734d7f8d6c8c903a284d3c102aa..36172713470ae86d8b23854b6c30caec08eaaf96 100644 (file)
@@ -673,7 +673,7 @@ int nft_lex(void *, void *, void *);
 %type <string>                 identifier type_identifier string comment_spec
 %destructor { xfree($$); }     identifier type_identifier string comment_spec
 
-%type <val>                    time_spec quota_used
+%type <val>                    time_spec time_spec_or_num_s quota_used
 
 %type <expr>                   data_type_expr data_type_atom_expr
 %destructor { expr_free($$); }  data_type_expr data_type_atom_expr
@@ -2790,6 +2790,11 @@ time_spec                :       STRING
                        }
                        ;
 
+/* compatibility kludge to allow either 60, 60s, 1m, ... */
+time_spec_or_num_s     :       NUM
+                       |       time_spec { $$ = $1 / 1000u; }
+                       ;
+
 family_spec            :       /* empty */             { $$ = NFPROTO_IPV4; }
                        |       family_spec_explicit
                        ;
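Review bot: The `time_spec { $$ = $1 / 1000u; }` branch of `time_spec_or_num_s` silently discards any sub-second remainder, so a spec shorter than one second (if time_spec accepts such units) would become a timeout of 0 seconds. The action should reject values where `$1 % 1000u` is non-zero and report a parse error rather than round down. The policy is printed from a `uint32_t` array in src/rule.c, so the seconds value is presumably narrowed to 32 bits when stored; whether the `timeout_state` action bounds-checks it is not visible in these hunks, and a very large duration would need an explicit upper limit as well. For a conntrack timeout policy, a silently changed value means entries expire at a different time than the ruleset states.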
@@ -4812,8 +4817,7 @@ timeout_states            :       timeout_state
                        }
                        ;
 
-timeout_state          :       STRING  COLON   NUM
-
+timeout_state          :       STRING  COLON   time_spec_or_num_s
                        {
                                struct timeout_state *ts;
 
index 4e60c1e636569af14edf72af821a6443f0179cfe..99c4f0bb8b00302afaff871c91abf8f50a38f570 100644 (file)
@@ -1684,11 +1684,14 @@ static void print_proto_timeout_policy(uint8_t l4, const uint32_t *timeout,
        nft_print(octx, "%s%spolicy = { ", opts->tab, opts->tab);
        for (i = 0; i < timeout_protocol[l4].array_size; i++) {
                if (timeout[i] != timeout_protocol[l4].dflt_timeout[i]) {
+                       uint64_t timeout_ms;
+
                        if (comma)
                                nft_print(octx, ", ");
-                       nft_print(octx, "%s : %u",
-                                 timeout_protocol[l4].state_to_name[i],
-                                 timeout[i]);
+                       timeout_ms = timeout[i] * 1000u;
+                       nft_print(octx, "%s : ",
+                                 timeout_protocol[l4].state_to_name[i]);
+                       time_print(timeout_ms, octx);
                        comma = true;
                }
        }
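Review bot: `timeout_ms = timeout[i] * 1000u;` multiplies a `uint32_t` by an `unsigned int` constant, so with the usual 32-bit `unsigned int` the product wraps before it is widened to `uint64_t`. Any timeout above 4294967 seconds (about 49.7 days) would be listed with a wrong, smaller value. Widen before multiplying: `timeout_ms = (uint64_t)timeout[i] * 1000u;`. Listing output is commonly saved and loaded back, so a wrapped value here would change the conntrack timeout policy on the next reload. print_proto_timeout_policy begins and ends outside this hunk.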
index 4d39143d9ce030820056a968e4a7fc69bbbb2062..c81b94e20f65bdb784851df53320137647d6fee7 100755 (executable)
@@ -15,7 +15,7 @@ EXPECTED="table ip test {
        ct timeout cttime {
                protocol udp
                l3proto ip
-               policy = { unreplied : 15, replied : 12 }
+               policy = { unreplied : 15s, replied : 12s }
        }
 
        ct expectation ctexpect {
index 7cff1ed5f21c725f3900ad4c120d371a31b84ec3..c5d9649e40381913315adc0cab274ee5400f5e90 100644 (file)
@@ -2,7 +2,7 @@ table ip filter {
        ct timeout cttime {
                protocol tcp
                l3proto ip
-               policy = { established : 123, close : 12 }
+               policy = { established : 2m3s, close : 12s }
        }
 
        chain c {