netfilter: nf_tables: add set element timeout support

Add API support for set element timeouts. Elements can have a individual timeout value specified, overriding the sets' default. Two new extension types are used for timeouts - the timeout value and the expiration time. The timeout value only exists if it differs from the default value. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Patrick McHardy <kaber@trash.net> 2015-03-26 08:39:37 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-04-01 05:17:28 -0400
commit: c3e1b005ed1cc068fc9d454a6e745830d55d251d (patch)
tree: 8d0a0ecff6682b87f1c0811f52c8ad933ab64d2d /include
parent: 761da2935d6e18d178582dbdf315a3a458555505 (diff)
2 files changed, 24 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 8936803a2ad5..f2726c537248 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -329,12 +329,16 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 *      @NFT_SET_EXT_KEY: element key
 *      @NFT_SET_EXT_DATA: mapping data
 *      @NFT_SET_EXT_FLAGS: element flags
+ *      @NFT_SET_EXT_TIMEOUT: element timeout
+ *      @NFT_SET_EXT_EXPIRATION: element expiration time
 *      @NFT_SET_EXT_NUM: number of extension types
 */
 enum nft_set_extensions {
        NFT_SET_EXT_KEY,
        NFT_SET_EXT_DATA,
        NFT_SET_EXT_FLAGS,
+        NFT_SET_EXT_TIMEOUT,
+        NFT_SET_EXT_EXPIRATION,
        NFT_SET_EXT_NUM
 };
@@ -431,6 +435,22 @@ static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
        return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
 }
+static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
+{
+        return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
+}
+static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext *ext)
+{
+        return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
+}
+static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
+{
+        return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
+               time_is_before_eq_jiffies(*nft_set_ext_expiration(ext));
+}
 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
                                                   void *elem)
 {
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 971d245e7378..83441cc4594b 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -290,12 +290,16 @@ enum nft_set_elem_flags {
 * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
 * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
 */
 enum nft_set_elem_attributes {
        NFTA_SET_ELEM_UNSPEC,
        NFTA_SET_ELEM_KEY,
        NFTA_SET_ELEM_DATA,
        NFTA_SET_ELEM_FLAGS,
+        NFTA_SET_ELEM_TIMEOUT,
+        NFTA_SET_ELEM_EXPIRATION,
        __NFTA_SET_ELEM_MAX
 };
 #define NFTA_SET_ELEM_MAX       (__NFTA_SET_ELEM_MAX - 1)
author	Patrick McHardy <kaber@trash.net>	2015-03-26 08:39:37 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-04-01 05:17:28 -0400
commit	c3e1b005ed1cc068fc9d454a6e745830d55d251d (patch)
tree	8d0a0ecff6682b87f1c0811f52c8ad933ab64d2d /include
parent	761da2935d6e18d178582dbdf315a3a458555505 (diff)