netfilter: nf_tables: support optional userdata for set elements

Add an userdata set extension and allow the user to attach arbitrary data to set elements. This is intended to hold TLV encoded data like comments or DNS annotations that have no meaning to the kernel. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Patrick McHardy <kaber@trash.net> 2015-04-05 08:43:38 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-04-08 10:58:27 -0400
commit: 68e942e88add0ac8576fc8397e86495edf3dcea7 (patch)
tree: a068c331abf3b14574ecc9bab024a879bcb21bcb /include
parent: 22fe54d5fefcfa98c58cc2f4607dd26d9648b3f5 (diff)
2 files changed, 9 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 38c3496f7bf2..63c44bdfdd3b 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -350,6 +350,7 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 *      @NFT_SET_EXT_FLAGS: element flags
 *      @NFT_SET_EXT_TIMEOUT: element timeout
 *      @NFT_SET_EXT_EXPIRATION: element expiration time
+ *      @NFT_SET_EXT_USERDATA: user data associated with the element
 *      @NFT_SET_EXT_NUM: number of extension types
 */
 enum nft_set_extensions {
@@ -358,6 +359,7 @@ enum nft_set_extensions {
        NFT_SET_EXT_FLAGS,
        NFT_SET_EXT_TIMEOUT,
        NFT_SET_EXT_EXPIRATION,
+        NFT_SET_EXT_USERDATA,
        NFT_SET_EXT_NUM
 };
@@ -464,6 +466,11 @@ static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext *ex
        return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
 }
+static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
+{
+        return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
+}
 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
 {
        return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 0b87b2f67fe3..05ee1e0804a3 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -292,6 +292,7 @@ enum nft_set_elem_flags {
 * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
 * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
 * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
+ * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
 */
 enum nft_set_elem_attributes {
        NFTA_SET_ELEM_UNSPEC,
@@ -300,6 +301,7 @@ enum nft_set_elem_attributes {
        NFTA_SET_ELEM_FLAGS,
        NFTA_SET_ELEM_TIMEOUT,
        NFTA_SET_ELEM_EXPIRATION,
+        NFTA_SET_ELEM_USERDATA,
        __NFTA_SET_ELEM_MAX
 };
 #define NFTA_SET_ELEM_MAX       (__NFTA_SET_ELEM_MAX - 1)
author	Patrick McHardy <kaber@trash.net>	2015-04-05 08:43:38 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-04-08 10:58:27 -0400
commit	68e942e88add0ac8576fc8397e86495edf3dcea7 (patch)
tree	a068c331abf3b14574ecc9bab024a879bcb21bcb /include
parent	22fe54d5fefcfa98c58cc2f4607dd26d9648b3f5 (diff)