src: support for get element command

You need a Linux kernel >= 4.15 to use this feature. This patch allows us to dump the content of an existing set. # nft list ruleset table ip x { set x { type ipv4_addr flags interval elements = { 1.1.1.1-2.2.2.2, 3.3.3.3, 5.5.5.5-6.6.6.6 } } } You check if a single element exists in the set: # nft get element x x { 1.1.1.5 } table ip x { set x { type ipv4_addr flags interval elements = { 1.1.1.1-2.2.2.2 } } } Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval. You can also check for intervals: # nft get element x x { 1.1.1.1-2.2.2.2 } table ip x { set x { type ipv4_addr flags interval elements = { 1.1.1.1-2.2.2.2 } } } If you try to check for an element that doesn't exist, an error is displayed. # nft get element x x { 1.1.1.0 } Error: Could not receive set elements: No such file or directory get element x x { 1.1.1.0 } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You can also check for multiple elements in one go: # nft get element x x { 1.1.1.5, 5.5.5.10 } table ip x { set x { type ipv4_addr flags interval elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 } } } You can also use this to fetch the existing timeout for specific elements, in case you have a set with timeouts in place: # nft get element w z { 2.2.2.2 } table ip w { set z { type ipv4_addr timeout 30s elements = { 2.2.2.2 expires 17s } } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2018-03-06 18:58:29 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-03-07 12:48:03 +0100
commit: a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 (patch)
tree: e92be32ae5a89481c3861d671796c658104ad127 /src/segtree.c
parent: 783e853198b33576c3de23eeb0c03f9711e1fd4b (diff)
1 files changed, 114 insertions, 0 deletions
diff --git a/src/segtree.c b/src/segtree.c
index 1c23d4b8..de68071c 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -578,6 +578,120 @@ int set_to_intervals(struct list_head *errs, struct set *set,
 	return 0;
 }
 
+static void set_elem_add(const struct set *set, struct expr *init, mpz_t value,
+			 uint32_t flags)
+{
+	struct expr *expr;
+
+	expr = constant_expr_alloc(&internal_location, set->key->dtype,
+				   set->key->byteorder, set->key->len, NULL);
+	mpz_set(expr->value, value);
+	expr = set_elem_expr_alloc(&internal_location, expr);
+	expr->flags = flags;
+
+	compound_expr_add(init, expr);
+}
+
+struct expr *get_set_intervals(const struct set *set, const struct expr *init)
+{
+	struct expr *new_init;
+	mpz_t low, high;
+	struct expr *i;
+
+	mpz_init2(low, set->key->len);
+	mpz_init2(high, set->key->len);
+
+	new_init = list_expr_alloc(&internal_location);
+
+	list_for_each_entry(i, &init->expressions, list) {
+		switch (i->key->ops->type) {
+		case EXPR_VALUE:
+			set_elem_add(set, new_init, i->key->value, i->flags);
+			break;
+		default:
+			range_expr_value_low(low, i);
+			set_elem_add(set, new_init, low, 0);
+			range_expr_value_high(high, i);
+			mpz_add_ui(high, high, 1);
+			set_elem_add(set, new_init, high, EXPR_F_INTERVAL_END);
+			break;
+		}
+	}
+
+	mpz_clear(low);
+	mpz_clear(high);
+
+	return new_init;
+}
+
+static struct expr *get_set_interval_end(const struct table *table,
+					 const char *set_name,
+					 struct expr *left)
+{
+	struct set *set;
+	mpz_t low, high;
+	struct expr *i;
+
+	set = set_lookup(table, set_name);
+	mpz_init2(low, set->key->len);
+	mpz_init2(high, set->key->len);
+
+	list_for_each_entry(i, &set->init->expressions, list) {
+		switch (i->key->ops->type) {
+		case EXPR_RANGE:
+			range_expr_value_low(low, i);
+			if (mpz_cmp(low, left->key->value) == 0) {
+				left = range_expr_alloc(&internal_location,
+							expr_clone(left->key),
+							expr_clone(i->key->right));
+				break;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+
+	mpz_clear(low);
+	mpz_clear(high);
+
+	return left;
+}
+
+void get_set_decompose(struct table *table, struct set *set)
+{
+	struct expr *i, *next, *new;
+	struct expr *left = NULL;
+	struct expr *new_init;
+
+	new_init = set_expr_alloc(&internal_location, set);
+
+	list_for_each_entry_safe(i, next, &set->init->expressions, list) {
+		if (i->flags & EXPR_F_INTERVAL_END && left) {
+			list_del(&left->list);
+			list_del(&i->list);
+			mpz_sub_ui(i->key->value, i->key->value, 1);
+			new = range_expr_alloc(&internal_location, left, i);
+			compound_expr_add(new_init, new);
+			left = NULL;
+		} else {
+			if (left) {
+				left = get_set_interval_end(table,
+							    set->handle.set,
+							    left);
+				compound_expr_add(new_init, left);
+			}
+			left = i;
+		}
+	}
+	if (left) {
+		left = get_set_interval_end(table, set->handle.set, left);
+		compound_expr_add(new_init, left);
+	}
+
+	set->init = new_init;
+}
+
 static bool range_is_prefix(const mpz_t range)
 {
 	mpz_t tmp;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2018-03-06 18:58:29 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-03-07 12:48:03 +0100
commit	a43cc8d53096de069fab5d9bf1a2cc7b655c21c7 (patch)
tree	e92be32ae5a89481c3861d671796c658104ad127 /src/segtree.c
parent	783e853198b33576c3de23eeb0c03f9711e1fd4b (diff)