This patch adds options to choose set optimization mechanisms.
Two new statements are added to the set syntax, and they can be mixed:
nft add set filter set1 { type ipv4_addr ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; policy memory ; }
nft add set filter set1 { type ipv4_addr ; policy performance ; }
nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory ; }
nft add set filter set1 { type ipv4_addr ; policy performance ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; size 1024 ; policy performance ; }
Also valid for maps:
nft add map filter map1 { type ipv4_addr : verdict ; policy performace ; }
[...]
This is the output format, which can be imported later with `nft -f':
table filter {
set set1 {
type ipv4_addr
policy memory
size 1024
}
}
In this approach the parser accepts default options such as 'performance',
given they are a valid configurations, but aren't sent to the kernel.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* @datatype: mapping data type
* @datalen: mapping data len
* @init: initializer
+ * @policy: set mechanism policy
+ * @desc: set mechanism desc
*/
struct set {
struct list_head list;
const struct datatype *datatype;
unsigned int datalen;
struct expr *init;
+ uint32_t policy;
+ struct {
+ uint32_t size;
+ } desc;
};
extern struct set *set_alloc(const struct location *loc);
set->datalen = data_len * BITS_PER_BYTE;
}
+ if (nft_set_attr_is_set(nls, NFT_SET_ATTR_POLICY))
+ set->policy = nft_set_attr_get_u32(nls, NFT_SET_ATTR_POLICY);
+
+ if (nft_set_attr_is_set(nls, NFT_SET_ATTR_DESC_SIZE))
+ set->desc.size = nft_set_attr_get_u32(nls,
+ NFT_SET_ATTR_DESC_SIZE);
+
return set;
}
}
set->handle.set_id = ++set_id;
nft_set_attr_set_u32(nls, NFT_SET_ATTR_ID, set->handle.set_id);
+
+ if (!(set->flags & (SET_F_CONSTANT))) {
+ if (set->policy != NFT_SET_POL_PERFORMANCE) {
+ nft_set_attr_set_u32(nls, NFT_SET_ATTR_POLICY,
+ set->policy);
+ }
+
+ if (set->desc.size != 0) {
+ nft_set_attr_set_u32(nls, NFT_SET_ATTR_DESC_SIZE,
+ set->desc.size);
+ }
+ }
+
netlink_dump_set(nls);
err = mnl_nft_set_batch_add(nf_sock, nls, NLM_F_EXCL, ctx->seqnum);
#include <linux/netfilter/nf_tables.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <libnftnl/common.h>
+#include <libnftnl/set.h>
#include <rule.h>
#include <statement.h>
%token INTERVAL "interval"
%token ELEMENTS "elements"
+%token POLICY "policy"
+%token MEMORY "memory"
+%token PERFORMANCE "performance"
+%token SIZE "size"
+
%token <val> NUM "number"
%token <string> STRING "string"
%token <string> QUOTED_STRING
%type <val> set_flag_list set_flag
+%type <val> set_policy_spec
+
%type <set> set_block_alloc set_block
%destructor { set_free($$); } set_block_alloc
$1->init = $4;
$$ = $1;
}
+ | set_block set_mechanism stmt_seperator
;
set_flag_list : set_flag_list COMMA set_flag
$1->init = $4;
$$ = $1;
}
+ | map_block set_mechanism stmt_seperator
+ ;
+
+set_mechanism : POLICY set_policy_spec
+ {
+ $<set>0->policy = $2;
+ }
+ | SIZE NUM
+ {
+ $<set>0->desc.size = $2;
+ }
+ ;
+
+set_policy_spec : PERFORMANCE { $$ = NFT_SET_POL_PERFORMANCE; }
+ | MEMORY { $$ = NFT_SET_POL_MEMORY; }
;
hook_spec : TYPE STRING HOOK STRING PRIORITY NUM
newset->datatype = set->datatype;
newset->datalen = set->datalen;
newset->init = expr_clone(set->init);
+ newset->policy = set->policy;
+ newset->desc.size = set->desc.size;
return newset;
}
const char *stmt_separator;
};
+static const char *set_policy2str(uint32_t policy)
+{
+ switch (policy) {
+ case NFT_SET_POL_PERFORMANCE:
+ return "performance";
+ case NFT_SET_POL_MEMORY:
+ return "memory";
+ default:
+ return "unknown";
+ }
+}
+
static void do_set_print(const struct set *set, struct print_fmt_options *opts)
{
const char *delim = "";
printf("%s%stype %s", opts->tab, opts->tab, set->keytype->name);
if (set->flags & SET_F_MAP)
printf(" : %s", set->datatype->name);
+
printf("%s", opts->stmt_separator);
+ if (!(set->flags & (SET_F_CONSTANT))) {
+ if (set->policy != NFT_SET_POL_PERFORMANCE) {
+ printf("%s%spolicy %s%s", opts->tab, opts->tab,
+ set_policy2str(set->policy),
+ opts->stmt_separator);
+ }
+
+ if (set->desc.size > 0) {
+ printf("%s%ssize %u%s", opts->tab, opts->tab,
+ set->desc.size, opts->stmt_separator);
+ }
+ }
+
if (set->flags & (SET_F_CONSTANT | SET_F_INTERVAL)) {
printf("%s%sflags ", opts->tab, opts->tab);
if (set->flags & SET_F_CONSTANT) {
"interval" { return INTERVAL; }
"elements" { return ELEMENTS; }
+"policy" { return POLICY; }
+"size" { return SIZE; }
+"performance" { return PERFORMANCE; }
+"memory" { return MEMORY; }
+
"counter" { return COUNTER; }
"packets" { return PACKETS; }
"bytes" { return BYTES; }
projects / thirdparty / nftables.git / commitdiff
