set_elem: add NFT_SET_ELEM_ATTR_DATA to set data for mapping

We need this new attribute to configure the data that is attached
to an element. This is useful for the mapping feature to retrieve
data based on keys (like a dictionary) that nftables provides.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/libnftables/set.h b/include/libnftables/set.h
index 211c065e3f4ca2d8ce0bdc67872f5f17ee7002a6..d1f6d163f7f48cb413909ed951541d99ffc77b0e 100644 (file)
--- a/include/libnftables/set.h
+++ b/include/libnftables/set.h
@@ -53,6 +53,7 @@ enum {
        NFT_SET_ELEM_ATTR_KEY,
        NFT_SET_ELEM_ATTR_VERDICT,
        NFT_SET_ELEM_ATTR_CHAIN,
+       NFT_SET_ELEM_ATTR_DATA,
 };
 
 struct nft_set_elem;

diff --git a/src/set_elem.c b/src/set_elem.c
index fb03d7116a3e2c4bdaa0e7b90acb2fe2480f3516..dae1f8c7227f47b332ef9076a99f1ad6028ac312 100644 (file)
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -58,6 +58,7 @@ void nft_set_elem_attr_unset(struct nft_set_elem *s, uint16_t attr)
        case NFT_SET_ELEM_ATTR_FLAGS:
        case NFT_SET_ELEM_ATTR_KEY:     /* NFTA_SET_ELEM_KEY */
        case NFT_SET_ELEM_ATTR_VERDICT: /* NFTA_SET_ELEM_DATA */
+       case NFT_SET_ELEM_ATTR_DATA:    /* NFTA_SET_ELEM_DATA */
                break;
        default:
                return;
@@ -87,6 +88,10 @@ void nft_set_elem_attr_set(struct nft_set_elem *s, uint16_t attr,
 
                s->data.chain = strdup(data);
                break;
+       case NFT_SET_ELEM_ATTR_DATA:    /* NFTA_SET_ELEM_DATA */
+               memcpy(s->data.val, data, data_len);
+               s->data.len = data_len;
+               break;
        default:
                return;
        }
@@ -121,6 +126,12 @@ void *nft_set_elem_attr_get(struct nft_set_elem *s, uint16_t attr, size_t *data_
                if (s->flags & (1 << NFT_SET_ELEM_ATTR_CHAIN))
                        return &s->data.chain;
                break;
+       case NFT_SET_ELEM_ATTR_DATA:    /* NFTA_SET_ELEM_DATA */
+               if (s->flags & (1 << NFT_SET_ELEM_ATTR_DATA)) {
+                       *data_len = s->data.len;
+                       return &s->data.val;
+               }
+               break;
        default:
                break;
        }
@@ -189,6 +200,13 @@ void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh,
                mnl_attr_nest_end(nlh, nest1);
                mnl_attr_nest_end(nlh, nest2);
        }
+       if (e->flags & (1 << NFT_SET_ELEM_ATTR_DATA)) {
+               struct nlattr *nest1;
+
+               nest1 = mnl_attr_nest_start(nlh, NFTA_SET_ELEM_DATA);
+               mnl_attr_put(nlh, NFTA_DATA_VALUE, e->data.len, e->data.val);
+               mnl_attr_nest_end(nlh, nest1);
+       }
 }
 
 void nft_set_elems_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set *s)
@@ -271,6 +289,9 @@ static int nft_set_elems_parse2(struct nft_set *s, const struct nlattr *nest)
                case DATA_CHAIN:
                        s->flags |= (1 << NFT_SET_ELEM_ATTR_CHAIN);
                        break;
+               case DATA_VALUE:
+                       s->flags |= (1 << NFT_SET_ELEM_ATTR_DATA);
+                       break;
                }
         }
        if (ret < 0)