setelem: add timeout support for set elements

Support specifying per element timeout values and displaying the expiration
time.

If an element should not use the default timeout value of the set, an
element specific value can be specified as follows:

# nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m}

For listing of elements that use the default timeout value, just the
expiration time is shown, otherwise the element specific timeout value
is also displayed:

set test {
	type ipv4_addr
	timeout 1h
	elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s}
}

Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/expression.h b/include/expression.h
index d481f288d2cb3c91f712e2d0659d08e84bb52918..6f23b6ddd6783d989f3e426fa7417b9a97f59ed9 100644 (file)
--- a/include/expression.h
+++ b/include/expression.h
@@ -234,6 +234,8 @@ struct expr {
                struct {
                        /* EXPR_SET_ELEM */
                        struct expr             *key;
+                       uint64_t                timeout;
+                       uint64_t                expiration;
                };
                struct {
                        /* EXPR_UNARY */

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8671505eea8b3c03c874961fd60709d3a096650e..6894ba33d158c328b432b4a4a831f47018751281 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -289,12 +289,16 @@ enum nft_set_elem_flags {
  * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
  * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
  * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
  */
 enum nft_set_elem_attributes {
        NFTA_SET_ELEM_UNSPEC,
        NFTA_SET_ELEM_KEY,
        NFTA_SET_ELEM_DATA,
        NFTA_SET_ELEM_FLAGS,
+       NFTA_SET_ELEM_TIMEOUT,
+       NFTA_SET_ELEM_EXPIRATION,
        __NFTA_SET_ELEM_MAX
 };
 #define NFTA_SET_ELEM_MAX      (__NFTA_SET_ELEM_MAX - 1)

diff --git a/src/expression.c b/src/expression.c
index 678939681c590b22c588945589ac70aedd5a648d..2037c60769daf542a8b221c62aeb48c13ed0c43f 100644 (file)
--- a/src/expression.c
+++ b/src/expression.c
@@ -889,6 +889,14 @@ struct expr *set_ref_expr_alloc(const struct location *loc, struct set *set)
 static void set_elem_expr_print(const struct expr *expr)
 {
        expr_print(expr->key);
+       if (expr->timeout) {
+               printf(" timeout ");
+               time_print(expr->timeout / 1000);
+       }
+       if (expr->expiration) {
+               printf(" expires ");
+               time_print(expr->expiration / 1000);
+       }
 }
 
 static void set_elem_expr_destroy(struct expr *expr)

diff --git a/src/netlink.c b/src/netlink.c
index e1d6421fbd88f2d6704faa50fdf3b2c1a85bf3f9..7d675d7fc1997414e4ba0972ecaa3fc5f76f3a8d 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -225,6 +225,9 @@ static struct nft_set_elem *alloc_nft_setelem(const struct expr *expr)
 
        netlink_gen_data(key, &nld);
        nft_set_elem_attr_set(nlse, NFT_SET_ELEM_ATTR_KEY, &nld.value, nld.len);
+       if (elem->timeout)
+               nft_set_elem_attr_set_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT,
+                                         elem->timeout);
 
        if (data != NULL) {
                netlink_gen_data(data, &nld);
@@ -1404,6 +1407,10 @@ static int netlink_delinearize_setelem(struct nft_set_elem *nlse,
                key = bitmask_expr_to_binops(key);
 
        expr = set_elem_expr_alloc(&netlink_location, key);
+       if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_TIMEOUT))
+               expr->timeout    = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_TIMEOUT);
+       if (nft_set_elem_attr_is_set(nlse, NFT_SET_ELEM_ATTR_EXPIRATION))
+               expr->expiration = nft_set_elem_attr_get_u64(nlse, NFT_SET_ELEM_ATTR_EXPIRATION);
 
        if (flags & NFT_SET_ELEM_INTERVAL_END) {
                expr->flags |= EXPR_F_INTERVAL_END;

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 8083187854645740c38a85b3679896232b39320c..736704a594a2c3c24e1c79a440ea5bd5f30734fe 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1779,6 +1779,7 @@ set_list_member_expr      :       opt_newline     set_expr        opt_newline
                        ;
 
 set_elem_expr          :       set_elem_expr_alloc
+                       |       set_elem_expr_alloc             set_elem_options
                        ;
 
 set_elem_expr_alloc    :       set_lhs_expr
@@ -1787,6 +1788,19 @@ set_elem_expr_alloc      :       set_lhs_expr
                        }
                        ;
 
+set_elem_options       :       set_elem_option
+                       {
+                               $<expr>$        = $<expr>0;
+                       }
+                       |       set_elem_options        set_elem_option
+                       ;
+
+set_elem_option                :       TIMEOUT                 time_spec
+                       {
+                               $<expr>0->timeout = $2 * 1000;
+                       }
+                       ;
+
 set_lhs_expr           :       concat_expr
                        |       multiton_expr
                        ;