diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-06 18:58:29 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-07 12:48:03 +0100 |
commit | a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 (patch) | |
tree | e92be32ae5a89481c3861d671796c658104ad127 /src/rule.c | |
parent | 783e853198b33576c3de23eeb0c03f9711e1fd4b (diff) |
src: support for get element command
You need a Linux kernel >= 4.15 to use this feature.
This patch allows us to dump the content of an existing set.
# nft list ruleset
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
5.5.5.5-6.6.6.6 }
}
}
You check if a single element exists in the set:
# nft get element x x { 1.1.1.5 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.
You can also check for intervals:
# nft get element x x { 1.1.1.1-2.2.2.2 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
If you try to check for an element that doesn't exist, an error is
displayed.
# nft get element x x { 1.1.1.0 }
Error: Could not receive set elements: No such file or directory
get element x x { 1.1.1.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can also check for multiple elements in one go:
# nft get element x x { 1.1.1.5, 5.5.5.10 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
}
}
You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:
# nft get element w z { 2.2.2.2 }
table ip w {
set z {
type ipv4_addr
timeout 30s
elements = { 2.2.2.2 expires 17s }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 84 |
1 files changed, 81 insertions, 3 deletions
@@ -210,6 +210,26 @@ struct set *set_alloc(const struct location *loc) return set; } +struct set *set_clone(const struct set *set) +{ + struct set *new_set; + + new_set = set_alloc(NULL); + handle_merge(&new_set->handle, &set->handle); + new_set->flags = set->flags; + new_set->gc_int = set->gc_int; + new_set->timeout = set->timeout; + new_set->key = expr_clone(set->key); + new_set->datatype = set->datatype; + new_set->datalen = set->datalen; + new_set->objtype = set->objtype; + new_set->policy = set->policy; + new_set->automerge = set->automerge; + new_set->desc.size = set->desc.size; + + return new_set; +} + struct set *set_get(struct set *set) { set->refcnt++; @@ -1772,6 +1792,14 @@ static int do_list_chains(struct netlink_ctx *ctx, struct cmd *cmd) return 0; } +static void __do_list_set(struct netlink_ctx *ctx, struct cmd *cmd, + struct table *table, struct set *set) +{ + table_print_declaration(table, ctx->octx); + set_print(set, ctx->octx); + nft_print(ctx->octx, "}\n"); +} + static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd, struct table *table) { @@ -1781,9 +1809,7 @@ static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd, if (set == NULL) return -1; - table_print_declaration(table, ctx->octx); - set_print(set, ctx->octx); - nft_print(ctx->octx, "}\n"); + __do_list_set(ctx, cmd, table, set); return 0; } @@ -1839,6 +1865,56 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd) return 0; } +static int do_get_setelems(struct netlink_ctx *ctx, struct cmd *cmd, + struct table *table) +{ + struct set *set, *new_set; + struct expr *init; + int err; + + set = set_lookup(table, cmd->handle.set); + + /* Create a list of elements based of what we got from command line. */ + if (set->flags & NFT_SET_INTERVAL) + init = get_set_intervals(set, cmd->expr); + else + init = cmd->expr; + + new_set = set_clone(set); + + /* Fetch from kernel the elements that have been requested .*/ + err = netlink_get_setelem(ctx, &cmd->handle, &cmd->location, + table, new_set, init); + if (err < 0) + return err; + + __do_list_set(ctx, cmd, table, new_set); + + if (set->flags & NFT_SET_INTERVAL) + expr_free(init); + + set_free(new_set); + + return 0; +} + +static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd) +{ + struct table *table = NULL; + + if (cmd->handle.table != NULL) + table = table_lookup(&cmd->handle, ctx->cache); + + switch (cmd->obj) { + case CMD_OBJ_SETELEM: + return do_get_setelems(ctx, cmd, table); + default: + BUG("invalid command object type %u\n", cmd->obj); + } + + return 0; +} + static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd) { struct obj *obj, *next; @@ -2017,6 +2093,8 @@ int do_command(struct netlink_ctx *ctx, struct cmd *cmd) return do_command_replace(ctx, cmd); case CMD_DELETE: return do_command_delete(ctx, cmd); + case CMD_GET: + return do_command_get(ctx, cmd); case CMD_LIST: return do_command_list(ctx, cmd); case CMD_RESET: |