parser: allow ct timeouts to use time_spec values
authorFlorian Westphal <fw@strlen.de>
Wed, 2 Aug 2023 15:47:14 +0000 (17:47 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 2 Nov 2023 10:56:20 +0000 (11:56 +0100)
commit 5c25c5a35cbd27911d233efd01efcb9be35c85af upstream.

For some reason the parser only allows raw numbers (seconds)
for ct timeouts, e.g.

ct timeout ttcp {
protocol tcp;
policy = { syn_sent : 3, ...

Also permit time_spec, e.g. "established : 5d".
Print the nicer time formats on output, but retain
raw numbers support on input for compatibility.

Signed-off-by: Florian Westphal <fw@strlen.de>
doc/stateful-objects.txt
src/parser_bison.y
src/rule.c
tests/shell/testcases/listing/0013objects_0
tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft

index e3c79220811ff8a9905221ffcf0099d5612834a6..00d3c5f104631e92ca0fe45cc5990ed9989d8e7c 100644 (file)
@@ -94,7 +94,7 @@ table ip filter {
        ct timeout customtimeout {
                protocol tcp;
                l3proto ip
-               policy = { established: 120, close: 20 }
+               policy = { established: 2m, close: 20s }
        }
 
        chain output {
index fca467a24993672b4083a7617e97368bf9e08a3e..1d3ad5377ff3490cf306f61c8a64ee3f43a5bc06 100644 (file)
@@ -660,7 +660,7 @@ int nft_lex(void *, void *, void *);
 %type <string>                 identifier type_identifier string comment_spec
 %destructor { xfree($$); }     identifier type_identifier string comment_spec
 
-%type <val>                    time_spec quota_used
+%type <val>                    time_spec time_spec_or_num_s quota_used
 
 %type <expr>                   data_type_expr data_type_atom_expr
 %destructor { expr_free($$); }  data_type_expr data_type_atom_expr
@@ -2633,6 +2633,11 @@ time_spec                :       STRING
                        }
                        ;
 
+/* compatibility kludge to allow either 60, 60s, 1m, ... */
+time_spec_or_num_s     :       NUM
+                       |       time_spec { $$ = $1 / 1000u; }
+                       ;
+
 family_spec            :       /* empty */             { $$ = NFPROTO_IPV4; }
                        |       family_spec_explicit
                        ;
@@ -4628,8 +4633,7 @@ timeout_states            :       timeout_state
                        }
                        ;
 
-timeout_state          :       STRING  COLON   NUM
-
+timeout_state          :       STRING  COLON   time_spec_or_num_s
                        {
                                struct timeout_state *ts;
 
index cebbd47a982e41262e243f22c84d1ca2eba267cd..88bd56564717bedd7439d2025dd20e632870cf11 100644 (file)
@@ -1874,11 +1874,14 @@ static void print_proto_timeout_policy(uint8_t l4, const uint32_t *timeout,
        nft_print(octx, "%s%spolicy = { ", opts->tab, opts->tab);
        for (i = 0; i < timeout_protocol[l4].array_size; i++) {
                if (timeout[i] != timeout_protocol[l4].dflt_timeout[i]) {
+                       uint64_t timeout_ms;
+
                        if (comma)
                                nft_print(octx, ", ");
-                       nft_print(octx, "%s : %u",
-                                 timeout_protocol[l4].state_to_name[i],
-                                 timeout[i]);
+                       timeout_ms = timeout[i] * 1000u;
+                       nft_print(octx, "%s : ",
+                                 timeout_protocol[l4].state_to_name[i]);
+                       time_print(timeout_ms, octx);
                        comma = true;
                }
        }
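Review bot: `timeout_ms = timeout[i] * 1000u;` multiplies a `uint32_t` by an `unsigned int`, so the product is computed in 32 bits and wraps for any timeout above 4294967 seconds (about 49 days) before it is widened into the `uint64_t` `timeout_ms`. The listing would then print a wrong, much smaller duration for such a policy, and reloading that listing would silently change the configured timeout. Widening before the multiply avoids this: `timeout_ms = (uint64_t)timeout[i] * 1000u;`. The body of print_proto_timeout_policy starts before the hunk.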
index 4d39143d9ce030820056a968e4a7fc69bbbb2062..c81b94e20f65bdb784851df53320137647d6fee7 100755 (executable)
@@ -15,7 +15,7 @@ EXPECTED="table ip test {
        ct timeout cttime {
                protocol udp
                l3proto ip
-               policy = { unreplied : 15, replied : 12 }
+               policy = { unreplied : 15s, replied : 12s }
        }
 
        ct expectation ctexpect {
index 7cff1ed5f21c725f3900ad4c120d371a31b84ec3..c5d9649e40381913315adc0cab274ee5400f5e90 100644 (file)
@@ -2,7 +2,7 @@ table ip filter {
        ct timeout cttime {
                protocol tcp
                l3proto ip
-               policy = { established : 123, close : 12 }
+               policy = { established : 2m3s, close : 12s }
        }
 
        chain c {