also add a test case.
Fixes: a87f2a2227be2 ("netfilter: support for element deletion")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
op = NFT_DYNSET_OP_ADD;
} else if (!strcmp(opstr, "update")) {
op = NFT_DYNSET_OP_UPDATE;
+ } else if (!strcmp(opstr, "delete")) {
+ op = NFT_DYNSET_OP_DELETE;
} else {
json_error(ctx, "Unknown set statement op '%s'.", opstr);
return NULL;
!set5 type ipv6_addr . ipv6_addr;ok
ip6 saddr . ip6 daddr @set5 drop;ok
add @set5 { ip6 saddr . ip6 daddr };ok
+delete @set5 { ip6 saddr . ip6 daddr };ok
}
]
+# delete @set5 { ip6 saddr . ip6 daddr }
+[
+ {
+ "set": {
+ "elem": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip6"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip6"
+ }
+ }
+ ]
+ },
+ "op": "delete",
+ "set": "@set5"
+ }
+ }
+]
[ payload load 16b @ network header + 24 => reg 2 ]
[ dynset add reg_key 1 set set5 ]
+# delete @set5 { ip6 saddr . ip6 daddr }
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 16b @ network header + 8 => reg 1 ]
+ [ payload load 16b @ network header + 24 => reg 2 ]
+ [ dynset delete reg_key 1 set set5 ]
[ payload load 16b @ network header + 24 => reg 2 ]
[ dynset add reg_key 1 set set5 ]
+# delete @set5 { ip6 saddr . ip6 daddr }
+ip6 test-ip6 input
+ [ payload load 16b @ network header + 8 => reg 1 ]
+ [ payload load 16b @ network header + 24 => reg 2 ]
+ [ dynset delete reg_key 1 set set5 ]
+
[ payload load 16b @ network header + 24 => reg 2 ]
[ dynset add reg_key 1 set set5 ]
+# delete @set5 { ip6 saddr . ip6 daddr }
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ payload load 16b @ network header + 8 => reg 1 ]
+ [ payload load 16b @ network header + 24 => reg 2 ]
+ [ dynset delete reg_key 1 set set5 ]
+
projects / thirdparty / nftables.git / commitdiff
