src: add support for flowtable counter

Allow users to enable flow counters via control plane toggle, e.g.

 table ip x {
	flowtable y {
		hook ingress priority 0;
		counter;
	}

	chain z {
		type filter hook ingress priority filter;
		flow add @z
	}
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/rule.h b/include/rule.h
index 70c8c4cf7b43f9e0eaa718012a03158bd6a97716..db11b1d60658079ba4ac0362310910207d5caf1a 100644 (file)
--- a/include/rule.h
+++ b/include/rule.h
@@ -491,6 +491,7 @@ struct flowtable {
        const char              **dev_array;
        struct expr             *dev_expr;
        int                     dev_array_len;
+       uint32_t                flags;
        unsigned int            refcnt;
 };
 

diff --git a/src/mnl.c b/src/mnl.c
index 18a73e2878b608174f55e35cf535ae8d7fb5535b..2eea85e838fcbc5827d865ba7c1adb3a2ef2bfde 100644 (file)
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1629,6 +1629,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 
        free(dev_array);
 
+       nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
+                               cmd->flowtable->flags);
+
        netlink_dump_flowtable(flo, ctx);
 
        nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),

diff --git a/src/netlink.c b/src/netlink.c
index b254753f7424b99bbf87dffacb8cca4ae5a5d0cf..ab1afd42f60bda0caeee888b16258f44bb5ecdd1 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1342,6 +1342,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
                                                    &priority);
        flowtable->hooknum =
                nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_HOOKNUM);
+       flowtable->flags =
+               nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS);
 
        return flowtable;
 }

diff --git a/src/parser_bison.y b/src/parser_bison.y
index e14118ca971e7b63eab1eac56de177235bee8ff0..9976bcafb2c4a1fa5e318abfeab24255f37444ff 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1892,6 +1892,10 @@ flowtable_block          :       /* empty */     { $$ = $<flowtable>-1; }
                        {
                                $$->dev_expr = $4;
                        }
+                       |       flowtable_block COUNTER
+                       {
+                               $$->flags |= NFT_FLOWTABLE_COUNTER;
+                       }
                        ;
 
 flowtable_expr         :       '{'     flowtable_list_expr     '}'

diff --git a/src/rule.c b/src/rule.c
index ab99bbd22616cd9fbf130f02407d130560e1c767..92fa129be0776903984b3260cdd18bc9e930e5bf 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -2247,6 +2247,10 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
                        nft_print(octx, ", ");
        }
        nft_print(octx, " }%s", opts->stmt_separator);
+
+       if (flowtable->flags & NFT_FLOWTABLE_COUNTER)
+               nft_print(octx, "%s%scounter%s", opts->tab, opts->tab,
+                         opts->stmt_separator);
 }
 
 static void do_flowtable_print(const struct flowtable *flowtable,