parser_bison: allow to use quota in sets
authorPablo Neira Ayuso <pablo@netfilter.org>
Wed, 1 Mar 2023 10:12:20 +0000 (11:12 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 1 Mar 2023 10:32:24 +0000 (11:32 +0100)
src: support for restoring element quota

This patch allows you to restore quota in dynamic sets.

 table ip x {
        set y {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                counter quota 500 bytes
                timeout 1h
                elements = { 8.8.8.8 counter packets 9 bytes 756 quota 500 bytes used 500 bytes timeout 1h expires 56m57s47ms }
        }

        chain z {
                type filter hook output priority filter; policy accept;
                update @y { ip daddr } counter packets 6 bytes 507
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/parser_bison.y
tests/shell/testcases/sets/0060set_multistmt_1 [new file with mode: 0755]
tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft [new file with mode: 0644]

index b950afce46ece721352d22855bca4b6665069fea..b1b67623cf660e168aaf5f5a5cb026c0fea26624 100644 (file)
@@ -4552,6 +4552,22 @@ set_elem_stmt            :       COUNTER close_scope_counter
                                $$->connlimit.count = $4;
                                $$->connlimit.flags = NFT_CONNLIMIT_F_INV;
                        }
+                       |       QUOTA   quota_mode NUM quota_unit quota_used    close_scope_quota
+                       {
+                               struct error_record *erec;
+                               uint64_t rate;
+
+                               erec = data_unit_parse(&@$, $4, &rate);
+                               xfree($4);
+                               if (erec != NULL) {
+                                       erec_queue(erec, state->msgs);
+                                       YYERROR;
+                               }
+                               $$ = quota_stmt_alloc(&@$);
+                               $$->quota.bytes = $3 * rate;
+                               $$->quota.used = $5;
+                               $$->quota.flags = $2;
+                       }
                        |       LAST USED       NEVER   close_scope_last
                        {
                                $$ = last_stmt_alloc(&@$);
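Review bot: `$$->quota.bytes = $3 * rate;` multiplies a ruleset-supplied NUM by the unit multiplier returned from data_unit_parse with no overflow check, so a large count combined with a larger unit wraps silently modulo 2^64 and installs a much smaller quota than the ruleset states; `$$->quota.used = $5;` likewise accepts a used value greater than the quota without complaint. A range check before the allocation, `if (rate != 0 && $3 > UINT64_MAX / rate) { erec_queue(error(&@$, "quota value too large"), state->msgs); YYERROR; }`, would reject the element at parse time instead, assuming NUM is typed uint64_t like `rate` is here. This action body presumably mirrors the standalone quota_stmt rule, which is outside the hunk; if so, the check belongs in a shared helper so both paths stay consistent rather than duplicating the body. The enclosing set_elem_stmt rule starts and ends outside this hunk.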
diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1
new file mode 100755 (executable)
index 0000000..1652668
--- /dev/null
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+RULESET="table x {
+       set y {
+               type ipv4_addr
+               size 65535
+               flags dynamic
+               counter quota 500 bytes
+               elements = { 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes }
+       }
+       chain y {
+               type filter hook output priority filter; policy accept;
+               update @y { ip daddr }
+       }
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+       exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 }
+if [ $? -ne 0 ]
+then
+       exit 1
+fi
+
+# should work
+$NFT add element x y { 2.2.2.2 counter quota 1000 bytes }
+if [ $? -ne 0 ]
+then
+       exit 1
+fi
+
+exit 0
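Review bot: The three `if [ $? -ne 0 ] ... exit 1` blocks are the long form of a one-line failure check; `$NFT -f - <<< "$RULESET" || exit 1` and `$NFT add element x y { 1.1.1.1 } || exit 1` read the same and keep the intent next to the command. The first `# should work` comment also sits after the command it describes, unlike the two later ones, so moving it above `$NFT -f - <<< $RULESET` would make the three cases parallel. Quoting `"$RULESET"` is conventional even though bash does not word-split a here-string.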
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft
new file mode 100644 (file)
index 0000000..ac1bd26
--- /dev/null
@@ -0,0 +1,15 @@
+table ip x {
+       set y {
+               type ipv4_addr
+               size 65535
+               flags dynamic
+               counter quota 500 bytes
+               elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes,
+                            2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes }
+       }
+
+       chain y {
+               type filter hook output priority filter; policy accept;
+               update @y { ip daddr }
+       }
+}