src: support for get element command

You need a Linux kernel >= 4.15 to use this feature.

This patch allows us to dump the content of an existing set.

 # nft list ruleset
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
                             5.5.5.5-6.6.6.6 }
        }
 }

You check if a single element exists in the set:

 # nft get element x x { 1.1.1.5 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.

You can also check for intervals:

 # nft get element x x { 1.1.1.1-2.2.2.2 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

If you try to check for an element that doesn't exist, an error is
displayed.

 # nft get element x x { 1.1.1.0 }
 Error: Could not receive set elements: No such file or directory
 get element x x { 1.1.1.0 }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can also check for multiple elements in one go:

 # nft get element x x { 1.1.1.5, 5.5.5.10 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
        }
 }

You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:

 # nft get element w z { 2.2.2.2 }
 table ip w {
        set z {
                type ipv4_addr
                timeout 30s
                elements = { 2.2.2.2 expires 17s }
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 10 insertions, 2 deletions

diff --git a/src/parser_bison.y b/src/parser_bison.y
index e96340d9..2ccaf9ab 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -219,6 +219,7 @@ int nft_lex(void *, void *, void *);
 %token CREATE			"create"
 %token INSERT			"insert"
 %token DELETE			"delete"
+%token GET			"get"
 %token LIST			"list"
 %token RESET			"reset"
 %token FLUSH			"flush"
@@ -504,8 +505,8 @@ int nft_lex(void *, void *, void *);
 %type <cmd>			line
 %destructor { cmd_free($$); }	line
 
-%type <cmd>			base_cmd add_cmd replace_cmd create_cmd insert_cmd delete_cmd list_cmd reset_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd import_cmd
-%destructor { cmd_free($$); }	base_cmd add_cmd replace_cmd create_cmd insert_cmd delete_cmd list_cmd reset_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd import_cmd
+%type <cmd>			base_cmd add_cmd replace_cmd create_cmd insert_cmd delete_cmd get_cmd list_cmd reset_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd import_cmd
+%destructor { cmd_free($$); }	base_cmd add_cmd replace_cmd create_cmd insert_cmd delete_cmd get_cmd list_cmd reset_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd import_cmd
 
 %type <handle>			table_spec tableid_spec chain_spec chainid_spec flowtable_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec
 %destructor { handle_free(&$$); } table_spec tableid_spec chain_spec chainid_spec flowtable_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec
@@ -843,6 +844,7 @@ base_cmd		:	/* empty */	add_cmd		{ $$ = $1; }
 			|	CREATE		create_cmd	{ $$ = $2; }
 			|	INSERT		insert_cmd	{ $$ = $2; }
 			|	DELETE		delete_cmd	{ $$ = $2; }
+			|	GET		get_cmd		{ $$ = $2; }
 			|	LIST		list_cmd	{ $$ = $2; }
 			|	RESET		reset_cmd	{ $$ = $2; }
 			|	FLUSH		flush_cmd	{ $$ = $2; }
@@ -1094,6 +1096,12 @@ delete_cmd		:	TABLE		table_spec
 			}
 			;
 
+get_cmd			:	ELEMENT		set_spec	set_block_expr
+			{
+				$$ = cmd_alloc(CMD_GET, CMD_OBJ_SETELEM, &$2, &@$, $3);
+			}
+			;
+
 list_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_TABLE, &$2, &@$, NULL);