Creating a map programmatically using the C library libnftnl

Creating a map programmatically using the C library libnftnl

[Kiernan George]

Hello,

I'm not sure how to respond to my post from earlier today, so I'm just
creating a new one.

I do not need help figuring out how to use the nft command line tool.
I need to figure out how to use the libnftnl C library to create a map
of the following type and insert elements into it:

type ipv4_addr . inet_service : ipv4_addr

I see an example for creating a set in nft-set-test.c, but I'm not
sure how to translate this into creating a map and adding elements to
it. Is there documentation somewhere? Could you write an example for
this use case?

Thanks,
Kiernan George

Re: Creating a map programmatically using the C library libnftnl

[Florian Westphal]

Kiernan George <kbg98@vt.edu> wrote:
> Hello,
> 
> I'm not sure how to respond to my post from earlier today, so I'm just
> creating a new one.
> 
> I do not need help figuring out how to use the nft command line tool.
> I need to figure out how to use the libnftnl C library to create a map
> of the following type and insert elements into it:
> 
> type ipv4_addr . inet_service : ipv4_addr
> 
> I see an example for creating a set in nft-set-test.c, but I'm not
> sure how to translate this into creating a map and adding elements to
> it. Is there documentation somewhere? Could you write an example for
> this use case?

Whats missing in examples/nft-map-add.c ?

Re: Creating a map programmatically using the C library libnftnl

[Kiernan George]

> Whats missing in examples/nft-map-add.c ?

I'm not sure how to take that example and modify it to create the type
of map I mentioned in my initial request, or how to work in IPV6 for
example. I could also use an example on how to add an element to a map
programmatically. I see there is the nft-set-add, but it does not work
on a map.

Along those lines, is there more fleshed out documentation on libnftnl
and libmnl other than the examples or the wiki? Unfortunately, those
aren't sufficient for my needs.

Thank you for the help!


On Tue, Mar 28, 2023 at 11:09 AM Florian Westphal <fw@strlen.de> wrote:
>
> Kiernan George <kbg98@vt.edu> wrote:
> > Hello,
> >
> > I'm not sure how to respond to my post from earlier today, so I'm just
> > creating a new one.
> >
> > I do not need help figuring out how to use the nft command line tool.
> > I need to figure out how to use the libnftnl C library to create a map
> > of the following type and insert elements into it:
> >
> > type ipv4_addr . inet_service : ipv4_addr
> >
> > I see an example for creating a set in nft-set-test.c, but I'm not
> > sure how to translate this into creating a map and adding elements to
> > it. Is there documentation somewhere? Could you write an example for
> > this use case?
>
> Whats missing in examples/nft-map-add.c ?

Re: Creating a map programmatically using the C library libnftnl

[Florian Westphal]

Kiernan George <kbg98@vt.edu> wrote:
> I'm not sure how to take that example and modify it to create the type of
> map I mentioned in my initial request, or how to work in IPV6 for example.
> I could also use an example on how to add an element to a map
> programmatically. I see there is the nft-set-add, but it does not work on a
> map.

diff --git a/examples/nft-map-add.c b/examples/nft-map-add.c
--- a/examples/nft-map-add.c
+++ b/examples/nft-map-add.c
@@ -26,6 +26,16 @@
 #include <libmnl/libmnl.h>
 #include <libnftnl/set.h>
 
+/* See nftables/include/datatype.h. We should place these datatypes in
+ * a public header so third party applications still work with nftables.
+ */
+#define TYPE_BITS 6
+
+enum nft_key_types {
+        TYPE_IPADDR        = 7,
+        TYPE_INET_SERVICE  = 13,
+};
+
 static struct nftnl_set *setup_set(uint8_t family, const char *table,
 				 const char *name)
 {
@@ -40,14 +50,11 @@ static struct nftnl_set *setup_set(uint8_t family, const char *table,
 	nftnl_set_set_str(s, NFTNL_SET_TABLE, table);
 	nftnl_set_set_str(s, NFTNL_SET_NAME, name);
 	nftnl_set_set_u32(s, NFTNL_SET_FAMILY, family);
-	nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, 2);
-	/* See nftables/include/datatype.h, where TYPE_INET_SERVICE is 13. We
-	 * should place these datatypes in a public header so third party
-	 * applications still work with nftables.
-	 */
-	nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, 13);
-	nftnl_set_set_u32(s, NFTNL_SET_DATA_LEN, 2);
-	nftnl_set_set_u32(s, NFTNL_SET_DATA_TYPE, 13);
+	nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, 8); /* two 32bit regs, one for ip address, one for inet_service */
+	/* Next line is ONLY needed so 'nft list ruleset' can pretty-print this */
+	// nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, TYPE_IPADDR << TYPE_BITS | TYPE_INET_SERVICE);
+	nftnl_set_set_u32(s, NFTNL_SET_DATA_LEN, 4); /* one 32bit reg */
+	nftnl_set_set_u32(s, NFTNL_SET_DATA_TYPE, TYPE_IPADDR);
 	nftnl_set_set_u32(s, NFTNL_SET_ID, 1);
 	nftnl_set_set_u32(s, NFTNL_SET_FLAGS, NFT_SET_CONSTANT | NFT_SET_MAP);

Re: Creating a map programmatically using the C library libnftnl

[Kiernan George]

That works to create the map, but when I go to add an element through
the command line it fails with this error:

root@laptop:/tmp# nft add element netdev example test2 { 1.1.1.1 .
1111 : 2.2.2.2 }
Error: Could not process rule: File exists
add element netdev example test2 { 1.1.1.1 . 1111 : 2.2.2.2 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Do you have any insight?

On Thu, Mar 30, 2023 at 12:09 PM Florian Westphal <fw@strlen.de> wrote:
>
> Kiernan George <kbg98@vt.edu> wrote:
> > I'm not sure how to take that example and modify it to create the type of
> > map I mentioned in my initial request, or how to work in IPV6 for example.
> > I could also use an example on how to add an element to a map
> > programmatically. I see there is the nft-set-add, but it does not work on a
> > map.
>
> diff --git a/examples/nft-map-add.c b/examples/nft-map-add.c
> --- a/examples/nft-map-add.c
> +++ b/examples/nft-map-add.c
> @@ -26,6 +26,16 @@
>  #include <libmnl/libmnl.h>
>  #include <libnftnl/set.h>
>
> +/* See nftables/include/datatype.h. We should place these datatypes in
> + * a public header so third party applications still work with nftables.
> + */
> +#define TYPE_BITS 6
> +
> +enum nft_key_types {
> +        TYPE_IPADDR        = 7,
> +        TYPE_INET_SERVICE  = 13,
> +};
> +
>  static struct nftnl_set *setup_set(uint8_t family, const char *table,
>                                  const char *name)
>  {
> @@ -40,14 +50,11 @@ static struct nftnl_set *setup_set(uint8_t family, const char *table,
>         nftnl_set_set_str(s, NFTNL_SET_TABLE, table);
>         nftnl_set_set_str(s, NFTNL_SET_NAME, name);
>         nftnl_set_set_u32(s, NFTNL_SET_FAMILY, family);
> -       nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, 2);
> -       /* See nftables/include/datatype.h, where TYPE_INET_SERVICE is 13. We
> -        * should place these datatypes in a public header so third party
> -        * applications still work with nftables.
> -        */
> -       nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, 13);
> -       nftnl_set_set_u32(s, NFTNL_SET_DATA_LEN, 2);
> -       nftnl_set_set_u32(s, NFTNL_SET_DATA_TYPE, 13);
> +       nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, 8); /* two 32bit regs, one for ip address, one for inet_service */
> +       /* Next line is ONLY needed so 'nft list ruleset' can pretty-print this */
> +       // nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, TYPE_IPADDR << TYPE_BITS | TYPE_INET_SERVICE);
> +       nftnl_set_set_u32(s, NFTNL_SET_DATA_LEN, 4); /* one 32bit reg */
> +       nftnl_set_set_u32(s, NFTNL_SET_DATA_TYPE, TYPE_IPADDR);
>         nftnl_set_set_u32(s, NFTNL_SET_ID, 1);
>         nftnl_set_set_u32(s, NFTNL_SET_FLAGS, NFT_SET_CONSTANT | NFT_SET_MAP);

Re: Creating a map programmatically using the C library libnftnl

[Florian Westphal]

Kiernan George <kbg98@vt.edu> wrote:
> That works to create the map, but when I go to add an element through
> the command line it fails with this error:
> 
> root@laptop:/tmp# nft add element netdev example test2 { 1.1.1.1 .
> 1111 : 2.2.2.2 }
> Error: Could not process rule: File exists 
> add element netdev example test2 { 1.1.1.1 . 1111 : 2.2.2.2 }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
> Do you have any insight?

Worksforme.  'File exists' hints that you are adding the same element
again.  The key has to be unique, so:

add element netdev example test2 { 1.1.1.1 . 1111 : 2.2.2.2 }
add element netdev example test2 { 1.1.1.1 . 1111 : 2.2.2.3 } // Fails even if value is different

Re: Creating a map programmatically using the C library libnftnl

[Pablo Neira Ayuso]

On Thu, Mar 30, 2023 at 09:55:53PM +0200, Florian Westphal wrote:
> Kiernan George <kbg98@vt.edu> wrote:
> > That works to create the map, but when I go to add an element through
> > the command line it fails with this error:
> > 
> > root@laptop:/tmp# nft add element netdev example test2 { 1.1.1.1 .
> > 1111 : 2.2.2.2 }
> > Error: Could not process rule: File exists 
> > add element netdev example test2 { 1.1.1.1 . 1111 : 2.2.2.2 }
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>  
> > Do you have any insight?
> 
> Worksforme.  'File exists' hints that you are adding the same element
> again.  The key has to be unique, so:
> 
> add element netdev example test2 { 1.1.1.1 . 1111 : 2.2.2.2 }
> add element netdev example test2 { 1.1.1.1 . 1111 : 2.2.2.3 } // Fails even if value is different

For the record: error reporting for slightly better with recent kernels and
nft userspace.

# nft add element x y { 1.1.1.1 : 20 }
# nft add element x y { 1.1.1.1 : 21 }
Error: Could not process rule: File exists
add element x y { 1.1.1.1 : 21 }
                  ^^^^^^^