diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-06 18:58:29 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-07 12:48:03 +0100 |
commit | a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 (patch) | |
tree | e92be32ae5a89481c3861d671796c658104ad127 /src/evaluate.c | |
parent | 783e853198b33576c3de23eeb0c03f9711e1fd4b (diff) |
src: support for get element command
You need a Linux kernel >= 4.15 to use this feature.
This patch allows us to dump the content of an existing set.
# nft list ruleset
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
5.5.5.5-6.6.6.6 }
}
}
You check if a single element exists in the set:
# nft get element x x { 1.1.1.5 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.
You can also check for intervals:
# nft get element x x { 1.1.1.1-2.2.2.2 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
If you try to check for an element that doesn't exist, an error is
displayed.
# nft get element x x { 1.1.1.0 }
Error: Could not receive set elements: No such file or directory
get element x x { 1.1.1.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can also check for multiple elements in one go:
# nft get element x x { 1.1.1.5, 5.5.5.10 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
}
}
You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:
# nft get element w z { 2.2.2.2 }
table ip w {
set z {
type ipv4_addr
timeout 30s
elements = { 2.2.2.2 expires 17s }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 41ba1617..a2c1c728 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3146,6 +3146,34 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd) } } +static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd) +{ + struct table *table; + struct set *set; + int ret; + + ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs, + ctx->debug_mask & NFT_DEBUG_NETLINK, ctx->octx); + if (ret < 0) + return ret; + + switch (cmd->obj) { + case CMD_OBJ_SETELEM: + table = table_lookup(&cmd->handle, ctx->cache); + if (table == NULL) + return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", + cmd->handle.table); + set = set_lookup(table, cmd->handle.set); + if (set == NULL || set->flags & (NFT_SET_MAP | NFT_SET_EVAL)) + return cmd_error(ctx, "Could not process rule: Set '%s' does not exist", + cmd->handle.set); + + return setelem_evaluate(ctx, &cmd->expr); + default: + BUG("invalid command object type %u\n", cmd->obj); + } +} + static int cmd_evaluate_list_obj(struct eval_ctx *ctx, const struct cmd *cmd, uint32_t obj_type) { @@ -3486,6 +3514,7 @@ static const char * const cmd_op_name[] = { [CMD_CREATE] = "create", [CMD_INSERT] = "insert", [CMD_DELETE] = "delete", + [CMD_GET] = "get", [CMD_LIST] = "list", [CMD_FLUSH] = "flush", [CMD_RENAME] = "rename", @@ -3523,6 +3552,8 @@ int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd) return cmd_evaluate_add(ctx, cmd); case CMD_DELETE: return cmd_evaluate_delete(ctx, cmd); + case CMD_GET: + return cmd_evaluate_get(ctx, cmd); case CMD_LIST: return cmd_evaluate_list(ctx, cmd); case CMD_RESET: |