From a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 6 Mar 2018 18:58:29 +0100
Subject: src: support for get element command

You need a Linux kernel >= 4.15 to use this feature.

This patch allows us to dump the content of an existing set.

 # nft list ruleset
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
                             5.5.5.5-6.6.6.6 }
        }
 }

You check if a single element exists in the set:

 # nft get element x x { 1.1.1.5 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.

You can also check for intervals:

 # nft get element x x { 1.1.1.1-2.2.2.2 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

If you try to check for an element that doesn't exist, an error is
displayed.

 # nft get element x x { 1.1.1.0 }
 Error: Could not receive set elements: No such file or directory
 get element x x { 1.1.1.0 }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can also check for multiple elements in one go:

 # nft get element x x { 1.1.1.5, 5.5.5.10 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
        }
 }

You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:

 # nft get element w z { 2.2.2.2 }
 table ip w {
        set z {
                type ipv4_addr
                timeout 30s
                elements = { 2.2.2.2 expires 17s }
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/rule.h | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'include/rule.h')

diff --git a/include/rule.h b/include/rule.h
index 262814ea..86f72814 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -255,6 +255,7 @@ struct set {
 extern struct set *set_alloc(const struct location *loc);
 extern struct set *set_get(struct set *set);
 extern void set_free(struct set *set);
+extern struct set *set_clone(const struct set *set);
 extern void set_add_hash(struct set *set, struct table *table);
 extern struct set *set_lookup(const struct table *table, const char *name);
 extern struct set *set_lookup_global(uint32_t family, const char *table,
@@ -353,6 +354,7 @@ void flowtable_print(const struct flowtable *n, struct output_ctx *octx);
  * @CMD_CREATE:		create object (exclusive)
  * @CMD_INSERT:		insert object
  * @CMD_DELETE:		delete object
+ * @CMD_GET:		get object
  * @CMD_LIST:		list container
  * @CMD_RESET:		reset container
  * @CMD_FLUSH:		flush container
@@ -369,6 +371,7 @@ enum cmd_ops {
 	CMD_CREATE,
 	CMD_INSERT,
 	CMD_DELETE,
+	CMD_GET,
 	CMD_LIST,
 	CMD_RESET,
 	CMD_FLUSH,
-- 
cgit v1.2.3