Programmatically adding Map element into the map/set using libnftnl

Programmatically adding Map element into the map/set using libnftnl

[Khawar Shehzad]

Hi,
I hope everybody is fine.

I want to do following programmatically in C using libnftnl.


_______________________________________________
"nft add element ip6 my_table my_map {fe80::2 : fe80::3 }"
_______________________________________________

My example code is below, and it gives "error: Invalid argument"
error. My question is simple how can I add an IPv6 map into a set/map.
My map type is "type ipv6_addr : ipv6_addr".


#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <netinet/in.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <libmnl/libmnl.h>
#include <libnftnl/set.h>

int main(int argc, char *argv[])
{
        struct mnl_socket *nl;
        char buf[MNL_SOCKET_BUFFER_SIZE];
        struct nlmsghdr *nlh;
        uint32_t portid, seq, family;
        struct nftnl_set *s;
        struct nftnl_set_elem *e;
        int ret;

        s = nftnl_set_alloc();

        seq = time(NULL);
        family = NFPROTO_IPV6;

        nftnl_set_set(s, NFTNL_SET_TABLE, "my_table");
        nftnl_set_set(s, NFTNL_SET_NAME, "my_map");

        e = nftnl_set_elem_alloc();

        nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, "fe80::2", 16);

        nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, "fe80::3", 16);

        nftnl_set_elem_add(s, e);

        e = nftnl_set_elem_alloc();

        nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_NEWSETELEM, family,
                                      NLM_F_CREATE|NLM_F_EXCL|NLM_F_ACK, seq);
        nftnl_set_elems_nlmsg_build_payload(nlh, s);
        nftnl_set_free(s);

        nl = mnl_socket_open(NETLINK_NETFILTER);

        if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
                perror("mnl_socket_bind");
                exit(EXIT_FAILURE);
        }
        portid = mnl_socket_get_portid(nl);

        if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
                perror("mnl_socket_send");
                exit(EXIT_FAILURE);
        }

        ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
        while (ret > 0) {
                ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
                if (ret <= 0)
                        break;
                ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
        }
        mnl_socket_close(nl);

        return EXIT_SUCCESS;
}



I get the "error: Invalid argument" error. Any help will be much appreciated.

Cheers,
Khawar

Re: Programmatically adding Map element into the map/set using libnftnl

[Pablo Neira Ayuso]

On Wed, Nov 30, 2016 at 07:16:28PM +0000, Khawar Shehzad wrote:
> Hi,
> I hope everybody is fine.
> 
> I want to do following programmatically in C using libnftnl.
> 
> 
> _______________________________________________
> "nft add element ip6 my_table my_map {fe80::2 : fe80::3 }"
> _______________________________________________
> 
> My example code is below, and it gives "error: Invalid argument"
> error. My question is simple how can I add an IPv6 map into a set/map.
> My map type is "type ipv6_addr : ipv6_addr".

Just added an example for you at:

http://git.netfilter.org/libnftnl/commit/?id=2d894a97c28e6c7c7f064d16bec0167d000e901c

Re: Programmatically adding Map element into the map/set using libnftnl

[Khawar Shehzad]

Thanks. I want to add an element to existing ipv6 map programmatically
in C using libnftnl. From the above example commit, the code specifies
how to add a map (which I assessed by working on the
nft-set-elem-add.c example previously, thanks for the datatypes.c hint
too). I tried

        nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, "fe80::2", 16);
        nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, "fe80::3", 16);

AND

        nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa1.sin6_addr),
sizeof(sa1.sin6_addr));
        nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, &(sa2.sin6_addr),
sizeof(sa2.sin6_addr));

but both didn't work. It showed same error i.e. "error: Invalid argument".

Cheers,
Khawar

On Wed, Nov 30, 2016 at 7:34 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Nov 30, 2016 at 07:16:28PM +0000, Khawar Shehzad wrote:
>> Hi,
>> I hope everybody is fine.
>>
>> I want to do following programmatically in C using libnftnl.
>>
>>
>> _______________________________________________
>> "nft add element ip6 my_table my_map {fe80::2 : fe80::3 }"
>> _______________________________________________
>>
>> My example code is below, and it gives "error: Invalid argument"
>> error. My question is simple how can I add an IPv6 map into a set/map.
>> My map type is "type ipv6_addr : ipv6_addr".
>
> Just added an example for you at:
>
> http://git.netfilter.org/libnftnl/commit/?id=2d894a97c28e6c7c7f064d16bec0167d000e901c

Re: Programmatically adding Map element into the map/set using libnftnl

[Pablo Neira Ayuso]

On Wed, Nov 30, 2016 at 07:46:05PM +0000, Khawar Shehzad wrote:
> Thanks. I want to add an element to existing ipv6 map programmatically
> in C using libnftnl. From the above example commit, the code specifies
> how to add a map (which I assessed by working on the
> nft-set-elem-add.c example previously, thanks for the datatypes.c hint
> too). I tried
> 
>         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, "fe80::2", 16);
>         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, "fe80::3", 16);
> 
> AND
> 
>         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa1.sin6_addr),
> sizeof(sa1.sin6_addr));
>         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, &(sa2.sin6_addr),
> sizeof(sa2.sin6_addr));
> 
> but both didn't work. It showed same error i.e. "error: Invalid argument".

Oh, those examples are broken. Batch header and trailing are missing,
I'm going to fix this.

Re: Programmatically adding Map element into the map/set using libnftnl

[Pablo Neira Ayuso]

On Wed, Nov 30, 2016 at 09:14:34PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Nov 30, 2016 at 07:46:05PM +0000, Khawar Shehzad wrote:
> > Thanks. I want to add an element to existing ipv6 map programmatically
> > in C using libnftnl. From the above example commit, the code specifies
> > how to add a map (which I assessed by working on the
> > nft-set-elem-add.c example previously, thanks for the datatypes.c hint
> > too). I tried
> > 
> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, "fe80::2", 16);
> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, "fe80::3", 16);
> > 
> > AND
> > 
> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa1.sin6_addr),
> > sizeof(sa1.sin6_addr));
> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, &(sa2.sin6_addr),
> > sizeof(sa2.sin6_addr));
> > 
> > but both didn't work. It showed same error i.e. "error: Invalid argument".
> 
> Oh, those examples are broken. Batch header and trailing are missing,
> I'm going to fix this.

Just fixed examples to add set element:

http://git.netfilter.org/libnftnl/commit/?id=6a32dbd4cd56c8fede6044a447469fbd0e35c10a
http://git.netfilter.org/libnftnl/commit/?id=cc1b5986f5379c17c97ff9fb7064aceddf0b87ed

Re: Programmatically adding Map element into the map/set using libnftnl

[Khawar Shehzad]

Thanks Pablo, that helped a lot.


On Wed, Nov 30, 2016 at 9:27 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Nov 30, 2016 at 09:14:34PM +0100, Pablo Neira Ayuso wrote:
>> On Wed, Nov 30, 2016 at 07:46:05PM +0000, Khawar Shehzad wrote:
>> > Thanks. I want to add an element to existing ipv6 map programmatically
>> > in C using libnftnl. From the above example commit, the code specifies
>> > how to add a map (which I assessed by working on the
>> > nft-set-elem-add.c example previously, thanks for the datatypes.c hint
>> > too). I tried
>> >
>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, "fe80::2", 16);
>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, "fe80::3", 16);
>> >
>> > AND
>> >
>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa1.sin6_addr),
>> > sizeof(sa1.sin6_addr));
>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, &(sa2.sin6_addr),
>> > sizeof(sa2.sin6_addr));
>> >
>> > but both didn't work. It showed same error i.e. "error: Invalid argument".
>>
>> Oh, those examples are broken. Batch header and trailing are missing,
>> I'm going to fix this.
>
> Just fixed examples to add set element:
>
> http://git.netfilter.org/libnftnl/commit/?id=6a32dbd4cd56c8fede6044a447469fbd0e35c10a
> http://git.netfilter.org/libnftnl/commit/?id=cc1b5986f5379c17c97ff9fb7064aceddf0b87ed

Re: Programmatically adding Map element into the map/set using libnftnl

[Khawar Shehzad]

Is there a way to flush all the elements in a set through command
line? e.g. using command line as

___________________________
nft flush set ip6 my_table my_set
___________________________


just like it can be done with rules in the chain etc.

When I try the above I get the following error:

BUG: invalid command object type 2
nft: rule.c:1245: do_command_flush: Assertion `0' failed.
Aborted (core dumped)



On Wed, Nov 30, 2016 at 10:17 PM, Khawar Shehzad
<shehzad.khawar@gmail.com> wrote:
> Thanks Pablo, that helped a lot.
>
>
> On Wed, Nov 30, 2016 at 9:27 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> On Wed, Nov 30, 2016 at 09:14:34PM +0100, Pablo Neira Ayuso wrote:
>>> On Wed, Nov 30, 2016 at 07:46:05PM +0000, Khawar Shehzad wrote:
>>> > Thanks. I want to add an element to existing ipv6 map programmatically
>>> > in C using libnftnl. From the above example commit, the code specifies
>>> > how to add a map (which I assessed by working on the
>>> > nft-set-elem-add.c example previously, thanks for the datatypes.c hint
>>> > too). I tried
>>> >
>>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, "fe80::2", 16);
>>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, "fe80::3", 16);
>>> >
>>> > AND
>>> >
>>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa1.sin6_addr),
>>> > sizeof(sa1.sin6_addr));
>>> >         nftnl_set_elem_set(e, NFTNL_SET_ELEM_DATA, &(sa2.sin6_addr),
>>> > sizeof(sa2.sin6_addr));
>>> >
>>> > but both didn't work. It showed same error i.e. "error: Invalid argument".
>>>
>>> Oh, those examples are broken. Batch header and trailing are missing,
>>> I'm going to fix this.
>>
>> Just fixed examples to add set element:
>>
>> http://git.netfilter.org/libnftnl/commit/?id=6a32dbd4cd56c8fede6044a447469fbd0e35c10a
>> http://git.netfilter.org/libnftnl/commit/?id=cc1b5986f5379c17c97ff9fb7064aceddf0b87ed

Re: Programmatically adding Map element into the map/set using libnftnl

[Pablo Neira Ayuso]

On Wed, Nov 30, 2016 at 10:28:04PM +0000, Khawar Shehzad wrote:
> Is there a way to flush all the elements in a set through command
> line? e.g. using command line as
> 
> ___________________________
> nft flush set ip6 my_table my_set

Not yet, I'm preparing a patchset for this. This has been requested
several time already. Will Cc you once they are ready.