diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-06 18:58:29 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-07 12:48:03 +0100 |
commit | a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 (patch) | |
tree | e92be32ae5a89481c3861d671796c658104ad127 /src/segtree.c | |
parent | 783e853198b33576c3de23eeb0c03f9711e1fd4b (diff) |
src: support for get element command
You need a Linux kernel >= 4.15 to use this feature.
This patch allows us to dump the content of an existing set.
# nft list ruleset
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
5.5.5.5-6.6.6.6 }
}
}
You check if a single element exists in the set:
# nft get element x x { 1.1.1.5 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.
You can also check for intervals:
# nft get element x x { 1.1.1.1-2.2.2.2 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
If you try to check for an element that doesn't exist, an error is
displayed.
# nft get element x x { 1.1.1.0 }
Error: Could not receive set elements: No such file or directory
get element x x { 1.1.1.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can also check for multiple elements in one go:
# nft get element x x { 1.1.1.5, 5.5.5.10 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
}
}
You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:
# nft get element w z { 2.2.2.2 }
table ip w {
set z {
type ipv4_addr
timeout 30s
elements = { 2.2.2.2 expires 17s }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/segtree.c')
-rw-r--r-- | src/segtree.c | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/src/segtree.c b/src/segtree.c index 1c23d4b8..de68071c 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -578,6 +578,120 @@ int set_to_intervals(struct list_head *errs, struct set *set, return 0; } +static void set_elem_add(const struct set *set, struct expr *init, mpz_t value, + uint32_t flags) +{ + struct expr *expr; + + expr = constant_expr_alloc(&internal_location, set->key->dtype, + set->key->byteorder, set->key->len, NULL); + mpz_set(expr->value, value); + expr = set_elem_expr_alloc(&internal_location, expr); + expr->flags = flags; + + compound_expr_add(init, expr); +} + +struct expr *get_set_intervals(const struct set *set, const struct expr *init) +{ + struct expr *new_init; + mpz_t low, high; + struct expr *i; + + mpz_init2(low, set->key->len); + mpz_init2(high, set->key->len); + + new_init = list_expr_alloc(&internal_location); + + list_for_each_entry(i, &init->expressions, list) { + switch (i->key->ops->type) { + case EXPR_VALUE: + set_elem_add(set, new_init, i->key->value, i->flags); + break; + default: + range_expr_value_low(low, i); + set_elem_add(set, new_init, low, 0); + range_expr_value_high(high, i); + mpz_add_ui(high, high, 1); + set_elem_add(set, new_init, high, EXPR_F_INTERVAL_END); + break; + } + } + + mpz_clear(low); + mpz_clear(high); + + return new_init; +} + +static struct expr *get_set_interval_end(const struct table *table, + const char *set_name, + struct expr *left) +{ + struct set *set; + mpz_t low, high; + struct expr *i; + + set = set_lookup(table, set_name); + mpz_init2(low, set->key->len); + mpz_init2(high, set->key->len); + + list_for_each_entry(i, &set->init->expressions, list) { + switch (i->key->ops->type) { + case EXPR_RANGE: + range_expr_value_low(low, i); + if (mpz_cmp(low, left->key->value) == 0) { + left = range_expr_alloc(&internal_location, + expr_clone(left->key), + expr_clone(i->key->right)); + break; + } + break; + default: + break; + } + } + + mpz_clear(low); + mpz_clear(high); + + return left; +} + +void get_set_decompose(struct table *table, struct set *set) +{ + struct expr *i, *next, *new; + struct expr *left = NULL; + struct expr *new_init; + + new_init = set_expr_alloc(&internal_location, set); + + list_for_each_entry_safe(i, next, &set->init->expressions, list) { + if (i->flags & EXPR_F_INTERVAL_END && left) { + list_del(&left->list); + list_del(&i->list); + mpz_sub_ui(i->key->value, i->key->value, 1); + new = range_expr_alloc(&internal_location, left, i); + compound_expr_add(new_init, new); + left = NULL; + } else { + if (left) { + left = get_set_interval_end(table, + set->handle.set, + left); + compound_expr_add(new_init, left); + } + left = i; + } + } + if (left) { + left = get_set_interval_end(table, set->handle.set, left); + compound_expr_add(new_init, left); + } + + set->init = new_init; +} + static bool range_is_prefix(const mpz_t range) { mpz_t tmp; |