src: enable set expiration date for set elements
authorLaura Garcia Liebana <nevola@gmail.com>
Mon, 17 Jun 2019 16:15:41 +0000 (18:15 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 28 Jun 2019 16:53:29 +0000 (18:53 +0200)
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.

This change permits setting an expiration date per element,
which will be required, for example, during stateful
replication among several nodes.

This patch will enable the _expires_ input parameter in
the parser and propagate NFTNL_SET_ELEM_EXPIRATION in
order to send the configured value.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/netlink.c
src/parser_bison.y
src/scanner.l

index 24d8f03ae4be79caf58dc47875cf6502925cda75..97eb082c6547d13f26800bbc661d65ba29260011 100644 (file)
@@ -122,6 +122,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
        if (elem->timeout)
                nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_TIMEOUT,
                                       elem->timeout);
+       if (elem->expiration)
+               nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION,
+                                      elem->expiration);
        if (elem->comment || expr->elem_flags) {
                udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
                if (!udbuf)
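Review bot: The added `if (elem->expiration)` guard treats a value of zero as "not specified", so NFTNL_SET_ELEM_EXPIRATION is never sent for an element whose remaining lifetime is zero. If `time_spec` can yield 0 (not visible in this hunk), an element replicated at the very end of its life would be installed without an explicit expiration and would presumably receive a fresh lifetime on the receiving node, which matters when the set holds time-limited allow or block entries. Either track "option was given" separately from the value, or at least document the convention next to the guard, e.g. `/* 0 means no expiration was given; the attribute is then not sent */`. The body of alloc_nftnl_setelem starts and ends outside the hunk.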
index 670e91f544c7584ab4ed0493def1a2d468b55ca8..4f2e34752fa965bc2374058fb778f0fcc97f67f5 100644 (file)
@@ -255,6 +255,7 @@ int nft_lex(void *, void *, void *);
 %token TIMEOUT                 "timeout"
 %token GC_INTERVAL             "gc-interval"
 %token ELEMENTS                        "elements"
+%token EXPIRES                 "expires"
 
 %token POLICY                  "policy"
 %token MEMORY                  "memory"
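Review bot: Declaring `%token EXPIRES "expires"` together with the scanner rule `"expires" { return EXPIRES; }` in src/scanner.l appears to make `expires` a reserved word for the whole grammar, not only inside set element options. An existing ruleset that uses `expires` as a table, chain, set or variable name would then likely fail to parse after the upgrade, which for a firewall means the ruleset does not load; the identifier rules are outside this hunk, so this needs confirming. The commit should say so explicitly and carry a test that loads a ruleset containing an object with that name. A comment beside the token such as `/* reserved word: identifiers named "expires" no longer lex as strings */` would record the side effect.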
@@ -3367,6 +3368,10 @@ set_elem_option          :       TIMEOUT                 time_spec
                        {
                                $<expr>0->timeout = $2;
                        }
+                       |       EXPIRES         time_spec
+                       {
+                               $<expr>0->expiration = $2;
+                       }
                        |       comment_spec
                        {
                                $<expr>0->comment = $1;
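Review bot: The `EXPIRES time_spec` action stores `$2` without relating it to the element's timeout, so an `expires` larger than `timeout`, or an `expires` on an element with no timeout at all, is passed to the kernel unchanged by the netlink.c hunk. Whether the kernel rejects such a value is not visible here; if it does not, a replicated element could outlive the lifetime the set is meant to enforce. Because the options can appear in either order, the check belongs after parsing rather than in this action, for example `if (elem->timeout && elem->expiration > elem->timeout)` followed by an error that names both values. The set_elem_option rule continues outside the hunk.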
index d1f6e8799834a29a4e5eae949bb4defc017bc2df..b46b25e72f01aeb92e1e900b8107707ebca5fa28 100644 (file)
@@ -302,6 +302,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "timeout"              { return TIMEOUT; }
 "gc-interval"          { return GC_INTERVAL; }
 "elements"             { return ELEMENTS; }
+"expires"              { return EXPIRES; }
 
 "policy"               { return POLICY; }
 "size"                 { return SIZE; }