author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-06 18:58:29 +0100 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-07 12:48:03 +0100 |
commit | a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 (patch) | |
tree | e92be32ae5a89481c3861d671796c658104ad127 /include | |
parent | 783e853198b33576c3de23eeb0c03f9711e1fd4b (diff) |
src: support for get element command
You need a Linux kernel >= 4.15 to use this feature.
This patch allows us to dump the content of an existing set.
# nft list ruleset
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
5.5.5.5-6.6.6.6 }
}
}
You can check whether a single element exists in the set:
# nft get element x x { 1.1.1.5 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.
You can also check for intervals:
# nft get element x x { 1.1.1.1-2.2.2.2 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
If you try to check for an element that doesn't exist, an error is
displayed.
# nft get element x x { 1.1.1.0 }
Error: Could not receive set elements: No such file or directory
get element x x { 1.1.1.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can also check for multiple elements in one go:
# nft get element x x { 1.1.1.5, 5.5.5.10 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
}
}
You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:
# nft get element w z { 2.2.2.2 }
table ip w {
set z {
type ipv4_addr
timeout 30s
elements = { 2.2.2.2 expires 17s }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/expression.h | 5 | ||||
-rw-r--r-- | include/mnl.h | 2 | ||||
-rw-r--r-- | include/netlink.h | 3 | ||||
-rw-r--r-- | include/rule.h | 3 |
4 files changed, 13 insertions, 0 deletions
diff --git a/include/expression.h b/include/expression.h
index 6f4edbf5..29dd0346 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -433,6 +433,11 @@ extern int set_to_intervals(struct list_head *msgs, struct set *set,
  unsigned int debug_mask, bool merge);
 extern void interval_map_decompose(struct expr *set);
 
+extern struct expr *get_set_intervals(const struct set *set,
+ const struct expr *init);
+struct table;
+extern void get_set_decompose(struct table *table, struct set *set);
+
 extern struct expr *mapping_expr_alloc(const struct location *loc,
  struct expr *from, struct expr *to);
 extern struct expr *map_expr_alloc(const struct location *loc,
diff --git a/include/mnl.h b/include/mnl.h
index 1b2450a9..d3eedeb7 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -79,6 +79,8 @@ int mnl_nft_setelem_batch_del(struct nftnl_set *nls, struct nftnl_batch *batch,
 int mnl_nft_setelem_batch_flush(struct nftnl_set *nls, struct nftnl_batch *batch,
  unsigned int flags, uint32_t seqnum);
 int mnl_nft_setelem_get(struct netlink_ctx *ctx, struct nftnl_set *nls);
+struct nftnl_set *mnl_nft_setelem_get_one(struct netlink_ctx *ctx,
+ struct nftnl_set *nls);
 
 struct nftnl_obj_list *mnl_nft_obj_dump(struct netlink_ctx *ctx, int family,
  const char *table,
diff --git a/include/netlink.h b/include/netlink.h
index cbe9164d..146ec164 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -167,6 +167,9 @@ extern int netlink_delete_setelems_batch(struct netlink_ctx *ctx, const struct h
  const struct expr *expr);
 extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h,
  const struct location *loc, struct set *set);
+extern int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h,
+ const struct location *loc, struct table *table,
+ struct set *set, struct expr *init);
 extern int netlink_flush_setelems(struct netlink_ctx *ctx, const struct handle *h,
  const struct location *loc);
 
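Review bot: The new prototypes hand out heap objects without saying who owns them: `get_set_intervals` returns a `struct expr *` here, and the same gap applies to `mnl_nft_setelem_get_one` in the mnl.h hunk and `set_clone` in the rule.h hunk, where `set_get`/`set_free` next to it suggest a reference-counted object whose clone needs its own release rule. Undocumented ownership at an API boundary is how leaks and double frees get in later; a one-line comment per prototype stating whether the result is caller-owned, how it is released and whether NULL is a possible return would close that, along the lines of `/* Returns a new expr owned by the caller (expr_free); see implementation for failure behaviour. */` — the exact contract has to be confirmed against the .c side, which this diffstat (limited to include/) does not show. Separately, the forward declaration `struct table;` is dropped mid-way through the prototype list; it reads better at the top of the header with the other incomplete types, if any are declared there.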
diff --git a/include/rule.h b/include/rule.h
index 262814ea..86f72814 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -255,6 +255,7 @@ struct set {
 extern struct set *set_alloc(const struct location *loc);
 extern struct set *set_get(struct set *set);
 extern void set_free(struct set *set);
+extern struct set *set_clone(const struct set *set);
 extern void set_add_hash(struct set *set, struct table *table);
 extern struct set *set_lookup(const struct table *table, const char *name);
 extern struct set *set_lookup_global(uint32_t family, const char *table,
@@ -353,6 +354,7 @@ void flowtable_print(const struct flowtable *n, struct output_ctx *octx);
  * @CMD_CREATE: create object (exclusive)
  * @CMD_INSERT: insert object
  * @CMD_DELETE: delete object
+ * @CMD_GET: get object
  * @CMD_LIST: list container
  * @CMD_RESET: reset container
  * @CMD_FLUSH: flush container
@@ -369,6 +371,7 @@ enum cmd_ops {
  CMD_CREATE,
  CMD_INSERT,
  CMD_DELETE,
+ CMD_GET,
  CMD_LIST,
  CMD_RESET,
  CMD_FLUSH,
|
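Review bot: Inserting `CMD_GET` between `CMD_DELETE` and `CMD_LIST` in `enum cmd_ops` renumbers every constant from `CMD_LIST` onward, so any array indexed by `enum cmd_ops` (command-name or dispatch tables, or anything that stores the numeric value) must gain a matching entry in the same commit or lookups silently shift by one; the diffstat is limited to include/, so that cannot be verified from this page. If such tables exist, a `_Static_assert` comparing their length against a trailing count constant in the enum (if the enum has one) would turn the mismatch into a compile error rather than a runtime off-by-one. The kerneldoc line `+ * @CMD_GET: get object` is welcome; extending it to say that, per the commit message, a missing element reports an error rather than an empty result would make the contract visible at the declaration.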