* @keylen: key length
* @datatype: mapping data type
* @datalen: mapping data len
+ * @objtype: mapping object type
* @init: initializer
* @policy: set mechanism policy
* @desc: set mechanism desc
unsigned int keylen;
const struct datatype *datatype;
unsigned int datalen;
+ uint32_t objtype;
struct expr *init;
uint32_t policy;
struct {
if (set == NULL)
return expr_error(ctx->msgs, mapping,
"mapping outside of map context");
- if (!(set->flags & NFT_SET_MAP))
+ if (!(set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)))
return set_error(ctx, set, "set is not a map");
expr_set_context(&ctx->ectx, set->keytype, set->keylen);
return 0;
}
+static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt)
+{
+ struct expr *map = stmt->objref.expr;
+ struct expr *mappings;
+
+ expr_set_context(&ctx->ectx, NULL, 0);
+ if (expr_evaluate(ctx, &map->map) < 0)
+ return -1;
+ if (expr_is_constant(map->map))
+ return expr_error(ctx->msgs, map->map,
+ "Map expression can not be constant");
+
+ mappings = map->mappings;
+ mappings->set_flags |= NFT_SET_OBJECT;
+
+ switch (map->mappings->ops->type) {
+ case EXPR_SET:
+ mappings = implicit_set_declaration(ctx, "__objmap%d",
+ ctx->ectx.dtype,
+ ctx->ectx.len,
+ mappings);
+ mappings->set->datatype = &string_type;
+ mappings->set->datalen = NFT_OBJ_MAXNAMELEN * BITS_PER_BYTE;
+ mappings->set->objtype = stmt->objref.type;
+
+ map->mappings = mappings;
+
+ ctx->set = mappings->set;
+ if (expr_evaluate(ctx, &map->mappings->set->init) < 0)
+ return -1;
+ ctx->set = NULL;
+
+ map->mappings->set->flags |=
+ map->mappings->set->init->set_flags;
+ case EXPR_SYMBOL:
+ if (expr_evaluate(ctx, &map->mappings) < 0)
+ return -1;
+ if (map->mappings->ops->type != EXPR_SET_REF ||
+ !(map->mappings->set->flags & NFT_SET_OBJECT))
+ return expr_error(ctx->msgs, map->mappings,
+ "Expression is not a map");
+ break;
+ default:
+ BUG("invalid mapping expression %s\n",
+ map->mappings->ops->name);
+ }
+
+ if (!datatype_equal(map->map->dtype, map->mappings->set->keytype))
+ return expr_binary_error(ctx->msgs, map->mappings, map->map,
+ "datatype mismatch, map expects %s, "
+ "mapping expression has type %s",
+ map->mappings->set->keytype->desc,
+ map->map->dtype->desc);
+
+ map->dtype = map->mappings->set->datatype;
+ map->flags |= EXPR_F_CONSTANT;
+
+ /* Data for range lookups needs to be in big endian order */
+ if (map->mappings->set->flags & NFT_SET_INTERVAL &&
+ byteorder_conversion(ctx, &map->map, BYTEORDER_BIG_ENDIAN) < 0)
+ return -1;
+
+ return 0;
+}
+
static int stmt_evaluate_objref(struct eval_ctx *ctx, struct stmt *stmt)
{
+ /* We need specific map evaluation for stateful objects. */
+ if (stmt->objref.expr->ops->type == EXPR_MAP)
+ return stmt_evaluate_objref_map(ctx, stmt);
+
if (stmt_evaluate_arg(ctx, stmt,
&string_type, NFT_OBJ_MAXNAMELEN * BITS_PER_BYTE,
&stmt->objref.expr) < 0)
if (set->datalen == 0 && set->datatype->type != TYPE_VERDICT)
return set_error(ctx, set, "unqualified mapping data "
"type specified in map definition");
+ } else if (set->flags & NFT_SET_OBJECT) {
+ set->datatype = &string_type;
+ set->datalen = NFT_OBJ_MAXNAMELEN * BITS_PER_BYTE;
}
ctx->set = set;
return nls;
}
-static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *expr)
+static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
+ const struct expr *expr)
{
const struct expr *elem, *key, *data;
struct nftnl_set_elem *nlse;
nftnl_udata_buf_len(udbuf));
nftnl_udata_buf_free(udbuf);
}
-
- if (data != NULL) {
+ if (set->set_flags & NFT_SET_MAP && data != NULL) {
netlink_gen_data(data, &nld);
switch (data->ops->type) {
case EXPR_VERDICT:
break;
}
}
+ if (set->set_flags & NFT_SET_OBJECT) {
+ netlink_gen_data(data, &nld);
+ nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_OBJREF,
+ nld.value, nld.len);
+ }
if (expr->flags & EXPR_F_INTERVAL_END)
nftnl_set_elem_set_u32(nlse, NFTNL_SET_ELEM_FLAGS,
{
struct set *set;
const struct datatype *keytype, *datatype;
- uint32_t flags, key, data, data_len;
+ uint32_t flags, key, data, data_len, objtype = 0;
key = nftnl_set_get_u32(nls, NFTNL_SET_KEY_TYPE);
keytype = dtype_map_from_kernel(key);
} else
datatype = NULL;
+ if (flags & NFT_SET_OBJECT) {
+ objtype = nftnl_set_get_u32(nls, NFTNL_SET_OBJ_TYPE);
+ datatype = &string_type;
+ }
+
set = set_alloc(&netlink_location);
set->handle.family = nftnl_set_get_u32(nls, NFTNL_SET_FAMILY);
set->handle.table = xstrdup(nftnl_set_get_str(nls, NFTNL_SET_TABLE));
set->keylen = nftnl_set_get_u32(nls, NFTNL_SET_KEY_LEN) * BITS_PER_BYTE;
set->flags = nftnl_set_get_u32(nls, NFTNL_SET_FLAGS);
+ set->objtype = objtype;
+
set->datatype = datatype;
if (nftnl_set_is_set(nls, NFTNL_SET_DATA_LEN)) {
data_len = nftnl_set_get_u32(nls, NFTNL_SET_DATA_LEN);
nftnl_set_set_u32(nls, NFTNL_SET_DATA_LEN,
set->datalen / BITS_PER_BYTE);
}
+ if (set->flags & NFT_SET_OBJECT)
+ nftnl_set_set_u32(nls, NFTNL_SET_OBJ_TYPE, set->objtype);
+
if (set->timeout)
nftnl_set_set_u64(nls, NFTNL_SET_TIMEOUT, set->timeout);
if (set->gc_int)
const struct expr *expr;
list_for_each_entry(expr, &set->expressions, list) {
- nlse = alloc_nftnl_setelem(expr);
+ nlse = alloc_nftnl_setelem(set, expr);
nftnl_set_elem_add(nls, nlse);
}
}
nle = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_EXPR, NULL);
expr->stmt = netlink_parse_set_expr(set, nle);
}
-
- if (flags & NFT_SET_ELEM_INTERVAL_END) {
+ if (flags & NFT_SET_ELEM_INTERVAL_END)
expr->flags |= EXPR_F_INTERVAL_END;
- } else {
+
+ if (set->flags & NFT_SET_MAP) {
if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_DATA)) {
nld.value = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_DATA,
&nld.len);
expr = mapping_expr_alloc(&netlink_location, expr, data);
}
+ if (set->flags & NFT_SET_OBJECT) {
+ nld.value = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_OBJREF,
+ &nld.len);
+ data = netlink_alloc_value(&netlink_location, &nld);
+ data->dtype = &string_type;
+ data->byteorder = BYTEORDER_HOST_ENDIAN;
+ mpz_switch_byteorder(data->value, data->len / BITS_PER_BYTE);
+ expr = mapping_expr_alloc(&netlink_location, expr, data);
+ }
out:
compound_expr_add(set->init, expr);
return 0;
expr = netlink_alloc_value(&netlink_location, &nld);
expr->dtype = &string_type;
expr->byteorder = BYTEORDER_HOST_ENDIAN;
+ } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_OBJREF_SET_SREG)) {
+ struct expr *left, *right;
+ enum nft_registers sreg;
+ const char *name;
+ struct set *set;
+
+ name = nftnl_expr_get_str(nle, NFTNL_EXPR_OBJREF_SET_NAME);
+ set = set_lookup(ctx->table, name);
+ if (set == NULL)
+ return netlink_error(ctx, loc,
+ "Unknown set '%s' in objref expression",
+ name);
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_OBJREF_SET_SREG);
+ left = netlink_get_register(ctx, loc, sreg);
+ if (left == NULL)
+ return netlink_error(ctx, loc,
+ "objref expression has no left hand side");
+
+ if (left->len < set->keylen) {
+ left = netlink_parse_concat_expr(ctx, loc, sreg, set->keylen);
+ if (left == NULL)
+ return;
+ }
+
+ right = set_ref_expr_alloc(loc, set);
+ expr = map_expr_alloc(loc, left, right);
+ expr_set_type(expr, &string_type, BYTEORDER_HOST_ENDIAN);
+ type = set->objtype;
} else {
netlink_error(ctx, loc, "unknown objref expression type %u",
type);
static void netlink_gen_objref_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
+ struct expr *expr = stmt->objref.expr;
struct nft_data_linearize nld;
struct nftnl_expr *nle;
+ uint32_t sreg_key;
nle = alloc_nft_expr("objref");
- netlink_gen_data(stmt->objref.expr, &nld);
- nftnl_expr_set(nle, NFTNL_EXPR_OBJREF_IMM_NAME, nld.value, nld.len);
- nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_IMM_TYPE, stmt->objref.type);
+ switch (expr->ops->type) {
+ case EXPR_MAP:
+ sreg_key = get_register(ctx, expr->map);
+ netlink_gen_expr(ctx, expr->map, sreg_key);
+ release_register(ctx, expr->map);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_SET_SREG, sreg_key);
+ nftnl_expr_set_str(nle, NFTNL_EXPR_OBJREF_SET_NAME,
+ expr->mappings->set->handle.set);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_SET_ID,
+ expr->mappings->set->handle.set_id);
+ break;
+ case EXPR_VALUE:
+ netlink_gen_data(stmt->objref.expr, &nld);
+ nftnl_expr_set(nle, NFTNL_EXPR_OBJREF_IMM_NAME,
+ nld.value, nld.len);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_OBJREF_IMM_TYPE,
+ stmt->objref.type);
+ break;
+ default:
+ BUG("unsupported expression %u\n", expr->ops->type);
+ }
nftnl_rule_add_expr(ctx->nlr, nle);
}
map_block_alloc : /* empty */
{
$$ = set_alloc(NULL);
- $$->flags |= NFT_SET_MAP;
}
;
{
$1->keytype = $3;
$1->datatype = $5;
+ $1->flags |= NFT_SET_MAP;
+ $$ = $1;
+ }
+ | map_block TYPE
+ data_type COLON COUNTER
+ stmt_seperator
+ {
+ $1->keytype = $3;
+ $1->objtype = NFT_OBJECT_COUNTER;
+ $1->flags |= NFT_SET_OBJECT;
+ $$ = $1;
+ }
+ | map_block TYPE
+ data_type COLON QUOTA
+ stmt_seperator
+ {
+ $1->keytype = $3;
+ $1->objtype = NFT_OBJECT_QUOTA;
+ $1->flags |= NFT_SET_OBJECT;
$$ = $1;
}
| map_block FLAGS set_flag_list stmt_seperator
const char *type;
uint32_t flags;
- if (set->flags & NFT_SET_MAP)
+ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
type = "map";
else if (set->flags & NFT_SET_EVAL)
type = "flow table";
printf("%s%stype %s", opts->tab, opts->tab, set->keytype->name);
if (set->flags & NFT_SET_MAP)
printf(" : %s", set->datatype->name);
+ else if (set->flags & NFT_SET_OBJECT)
+ printf(" : %s", obj_type_name(set->objtype));
printf("%s", opts->stmt_separator);
set_to_intervals(ctx->msgs, set, expr, true) < 0)
return -1;
+ expr->set_flags |= set->flags;
if (netlink_add_setelems(ctx, h, expr, excl) < 0)
return -1;
projects / thirdparty / nftables.git / commitdiff
