src: support for get element command

You need a Linux kernel >= 4.15 to use this feature.

This patch allows us to dump the content of an existing set.

 # nft list ruleset
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
                             5.5.5.5-6.6.6.6 }
        }
 }

You check if a single element exists in the set:

 # nft get element x x { 1.1.1.5 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.

You can also check for intervals:

 # nft get element x x { 1.1.1.1-2.2.2.2 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

If you try to check for an element that doesn't exist, an error is
displayed.

 # nft get element x x { 1.1.1.0 }
 Error: Could not receive set elements: No such file or directory
 get element x x { 1.1.1.0 }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can also check for multiple elements in one go:

 # nft get element x x { 1.1.1.5, 5.5.5.10 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
        }
 }

You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:

 # nft get element w z { 2.2.2.2 }
 table ip w {
        set z {
                type ipv4_addr
                timeout 30s
                elements = { 2.2.2.2 expires 17s }
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 43 insertions, 0 deletions

diff --git a/src/netlink.c b/src/netlink.c
index 906568fe..526ec9c1 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1371,6 +1371,7 @@ int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h,
 	int err;
 
 	nls = alloc_nftnl_set(h);
+	netlink_dump_set(nls, ctx);
 
 	err = mnl_nft_setelem_get(ctx, nls);
 	if (err < 0) {
@@ -1400,6 +1401,48 @@ out:
 	return err;
 }
 
+int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h,
+			const struct location *loc, struct table *table,
+			struct set *set, struct expr *init)
+{
+	struct nftnl_set *nls, *nls_out = NULL;
+	int err = 0;
+
+	nls = alloc_nftnl_set(h);
+	alloc_setelem_cache(init, nls);
+
+	netlink_dump_set(nls, ctx);
+
+	nls_out = mnl_nft_setelem_get_one(ctx, nls);
+	if (!nls_out) {
+		nftnl_set_free(nls);
+		if (errno == EINTR)
+			return -1;
+
+		err = -1;
+		goto out;
+	}
+
+	ctx->set = set;
+	set->init = set_expr_alloc(loc, set);
+	nftnl_set_elem_foreach(nls_out, list_setelem_cb, ctx);
+
+	if (!(set->flags & NFT_SET_INTERVAL))
+		list_expr_sort(&ctx->set->init->expressions);
+
+	nftnl_set_free(nls);
+	nftnl_set_free(nls_out);
+	ctx->set = NULL;
+
+	if (set->flags & NFT_SET_INTERVAL)
+		get_set_decompose(table, set);
+out:
+	if (err < 0)
+		netlink_io_error(ctx, loc, "Could not receive set elements: %s",
+				 strerror(errno));
+	return err;
+}
+
 void netlink_dump_obj(struct nftnl_obj *nln, struct netlink_ctx *ctx)
 {
 	FILE *fp = ctx->octx->output_fp;