diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-06 18:58:29 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-07 12:48:03 +0100 |
commit | a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 (patch) | |
tree | e92be32ae5a89481c3861d671796c658104ad127 /src/netlink.c | |
parent | 783e853198b33576c3de23eeb0c03f9711e1fd4b (diff) |
src: support for get element command
You need a Linux kernel >= 4.15 to use this feature.
This patch allows us to dump the content of an existing set.
# nft list ruleset
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
5.5.5.5-6.6.6.6 }
}
}
You check if a single element exists in the set:
# nft get element x x { 1.1.1.5 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.
You can also check for intervals:
# nft get element x x { 1.1.1.1-2.2.2.2 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
If you try to check for an element that doesn't exist, an error is
displayed.
# nft get element x x { 1.1.1.0 }
Error: Could not receive set elements: No such file or directory
get element x x { 1.1.1.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can also check for multiple elements in one go:
# nft get element x x { 1.1.1.5, 5.5.5.10 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
}
}
You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:
# nft get element w z { 2.2.2.2 }
table ip w {
set z {
type ipv4_addr
timeout 30s
elements = { 2.2.2.2 expires 17s }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/src/netlink.c b/src/netlink.c index 906568fe..526ec9c1 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -1371,6 +1371,7 @@ int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h, int err; nls = alloc_nftnl_set(h); + netlink_dump_set(nls, ctx); err = mnl_nft_setelem_get(ctx, nls); if (err < 0) { @@ -1400,6 +1401,48 @@ out: return err; } +int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h, + const struct location *loc, struct table *table, + struct set *set, struct expr *init) +{ + struct nftnl_set *nls, *nls_out = NULL; + int err = 0; + + nls = alloc_nftnl_set(h); + alloc_setelem_cache(init, nls); + + netlink_dump_set(nls, ctx); + + nls_out = mnl_nft_setelem_get_one(ctx, nls); + if (!nls_out) { + nftnl_set_free(nls); + if (errno == EINTR) + return -1; + + err = -1; + goto out; + } + + ctx->set = set; + set->init = set_expr_alloc(loc, set); + nftnl_set_elem_foreach(nls_out, list_setelem_cb, ctx); + + if (!(set->flags & NFT_SET_INTERVAL)) + list_expr_sort(&ctx->set->init->expressions); + + nftnl_set_free(nls); + nftnl_set_free(nls_out); + ctx->set = NULL; + + if (set->flags & NFT_SET_INTERVAL) + get_set_decompose(table, set); +out: + if (err < 0) + netlink_io_error(ctx, loc, "Could not receive set elements: %s", + strerror(errno)); + return err; +} + void netlink_dump_obj(struct nftnl_obj *nln, struct netlink_ctx *ctx) { FILE *fp = ctx->octx->output_fp; |