src: support for get element command

You need a Linux kernel >= 4.15 to use this feature.

This patch allows us to dump the content of an existing set.

 # nft list ruleset
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
                             5.5.5.5-6.6.6.6 }
        }
 }

You check if a single element exists in the set:

 # nft get element x x { 1.1.1.5 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.

You can also check for intervals:

 # nft get element x x { 1.1.1.1-2.2.2.2 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

If you try to check for an element that doesn't exist, an error is
displayed.

 # nft get element x x { 1.1.1.0 }
 Error: Could not receive set elements: No such file or directory
 get element x x { 1.1.1.0 }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can also check for multiple elements in one go:

 # nft get element x x { 1.1.1.5, 5.5.5.10 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
        }
 }

You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:

 # nft get element w z { 2.2.2.2 }
 table ip w {
        set z {
                type ipv4_addr
                timeout 30s
                elements = { 2.2.2.2 expires 17s }
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 33 insertions, 2 deletions

diff --git a/src/mnl.c b/src/mnl.c
index f620a3bd..3d48bc1b 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -941,6 +941,37 @@ int mnl_nft_setelem_batch_del(struct nftnl_set *nls, struct nftnl_batch *batch,
 				     seqnum);
 }
 
+struct nftnl_set *mnl_nft_setelem_get_one(struct netlink_ctx *ctx,
+					  struct nftnl_set *nls_in)
+{
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nftnl_set *nls_out;
+	struct nlmsghdr *nlh;
+	int err;
+
+	nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM,
+				    nftnl_set_get_u32(nls_in, NFTNL_SET_FAMILY),
+				    NLM_F_ACK, ctx->seqnum);
+	nftnl_set_elems_nlmsg_build_payload(nlh, nls_in);
+
+	nls_out = nftnl_set_alloc();
+	if (!nls_out)
+		return NULL;
+
+	nftnl_set_set_str(nls_out, NFTNL_SET_TABLE,
+			  nftnl_set_get_str(nls_in, NFTNL_SET_TABLE));
+	nftnl_set_set_str(nls_out, NFTNL_SET_NAME,
+			  nftnl_set_get_str(nls_in, NFTNL_SET_NAME));
+
+	err = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, set_elem_cb, nls_out);
+	if (err < 0) {
+		nftnl_set_free(nls_out);
+		return NULL;
+	}
+
+	return nls_out;
+}
+
 int mnl_nft_setelem_get(struct netlink_ctx *ctx, struct nftnl_set *nls)
 {
 	char buf[MNL_SOCKET_BUFFER_SIZE];
@@ -948,8 +979,8 @@ int mnl_nft_setelem_get(struct netlink_ctx *ctx, struct nftnl_set *nls)
 
 	nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM,
 				    nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
-				    NLM_F_DUMP|NLM_F_ACK, ctx->seqnum);
-	nftnl_set_nlmsg_build_payload(nlh, nls);
+				    NLM_F_DUMP | NLM_F_ACK, ctx->seqnum);
+	nftnl_set_elems_nlmsg_build_payload(nlh, nls);
 
 	return nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, set_elem_cb, nls);
 }