src: support for get element command

You need a Linux kernel >= 4.15 to use this feature.

This patch allows us to dump the content of an existing set.

 # nft list ruleset
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
                             5.5.5.5-6.6.6.6 }
        }
 }

You check if a single element exists in the set:

 # nft get element x x { 1.1.1.5 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.

You can also check for intervals:

 # nft get element x x { 1.1.1.1-2.2.2.2 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2 }
        }
 }

If you try to check for an element that doesn't exist, an error is
displayed.

 # nft get element x x { 1.1.1.0 }
 Error: Could not receive set elements: No such file or directory
 get element x x { 1.1.1.0 }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can also check for multiple elements in one go:

 # nft get element x x { 1.1.1.5, 5.5.5.10 }
 table ip x {
        set x {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
        }
 }

You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:

 # nft get element w z { 2.2.2.2 }
 table ip w {
        set z {
                type ipv4_addr
                timeout 30s
                elements = { 2.2.2.2 expires 17s }
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 81 insertions, 3 deletions

diff --git a/src/rule.c b/src/rule.c
index 99b12e97..72dd76da 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -210,6 +210,26 @@ struct set *set_alloc(const struct location *loc)
 	return set;
 }
 
+struct set *set_clone(const struct set *set)
+{
+	struct set *new_set;
+
+	new_set			= set_alloc(NULL);
+	handle_merge(&new_set->handle, &set->handle);
+	new_set->flags		= set->flags;
+	new_set->gc_int		= set->gc_int;
+	new_set->timeout	= set->timeout;
+	new_set->key		= expr_clone(set->key);
+	new_set->datatype	= set->datatype;
+	new_set->datalen	= set->datalen;
+	new_set->objtype	= set->objtype;
+	new_set->policy		= set->policy;
+	new_set->automerge	= set->automerge;
+	new_set->desc.size	= set->desc.size;
+
+	return new_set;
+}
+
 struct set *set_get(struct set *set)
 {
 	set->refcnt++;
@@ -1772,6 +1792,14 @@ static int do_list_chains(struct netlink_ctx *ctx, struct cmd *cmd)
 	return 0;
 }
 
+static void __do_list_set(struct netlink_ctx *ctx, struct cmd *cmd,
+			  struct table *table, struct set *set)
+{
+	table_print_declaration(table, ctx->octx);
+	set_print(set, ctx->octx);
+	nft_print(ctx->octx, "}\n");
+}
+
 static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd,
 		       struct table *table)
 {
@@ -1781,9 +1809,7 @@ static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd,
 	if (set == NULL)
 		return -1;
 
-	table_print_declaration(table, ctx->octx);
-	set_print(set, ctx->octx);
-	nft_print(ctx->octx, "}\n");
+	__do_list_set(ctx, cmd, table, set);
 
 	return 0;
 }
@@ -1839,6 +1865,56 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
 	return 0;
 }
 
+static int do_get_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
+			   struct table *table)
+{
+	struct set *set, *new_set;
+	struct expr *init;
+	int err;
+
+	set = set_lookup(table, cmd->handle.set);
+
+	/* Create a list of elements based of what we got from command line. */
+	if (set->flags & NFT_SET_INTERVAL)
+		init = get_set_intervals(set, cmd->expr);
+	else
+		init = cmd->expr;
+
+	new_set = set_clone(set);
+
+	/* Fetch from kernel the elements that have been requested .*/
+	err = netlink_get_setelem(ctx, &cmd->handle, &cmd->location,
+				  table, new_set, init);
+	if (err < 0)
+		return err;
+
+	__do_list_set(ctx, cmd, table, new_set);
+
+	if (set->flags & NFT_SET_INTERVAL)
+		expr_free(init);
+
+	set_free(new_set);
+
+	return 0;
+}
+
+static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd)
+{
+	struct table *table = NULL;
+
+	if (cmd->handle.table != NULL)
+		table = table_lookup(&cmd->handle, ctx->cache);
+
+	switch (cmd->obj) {
+	case CMD_OBJ_SETELEM:
+		return do_get_setelems(ctx, cmd, table);
+	default:
+		BUG("invalid command object type %u\n", cmd->obj);
+	}
+
+	return 0;
+}
+
 static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
 {
 	struct obj *obj, *next;
@@ -2017,6 +2093,8 @@ int do_command(struct netlink_ctx *ctx, struct cmd *cmd)
 		return do_command_replace(ctx, cmd);
 	case CMD_DELETE:
 		return do_command_delete(ctx, cmd);
+	case CMD_GET:
+		return do_command_get(ctx, cmd);
 	case CMD_LIST:
 		return do_command_list(ctx, cmd);
 	case CMD_RESET: