From: Florian Westphal <fw@strlen.de>
To: Ian Pilcher <arequipeno@gmail.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: How to determine type of nftables set
Date: Thu, 11 Dec 2025 13:55:38 +0100
Message-ID: <aTq_St2wfYVycgmX@strlen.de>
In-Reply-To: <067a7b31-699f-4642-af16-9062c69e9fe2@gmail.com>

Ian Pilcher <arequipeno@gmail.com> wrote:
> I am working on an application that will be working with pre-existing
> (created by the system administrator) netfilter sets. These sets should
> contain either IPv4 or IPv6 addresses.
>
> How can my application determine what type of address a particular set
> holds? I can query the set and get a NFT_MSG_GETSET message back, but
> it's murky after that.
>
> The message contains a NFTA_SET_KEY_TYPE attribute, which looks
> promising, but I can't find anything telling me how to interpret it.

See 'enum datatypes' in include/datatype.h in nftables for existing
types.

> ChatGPT says that I should just look at the NFTA_SET_KEY_LEN attribute,
> but that doesn't seem reliable; how would I distinguish a 32-bit IPv4
> address from 2 16-bit ports?

2 16-bit ports in a concatenation need 8 bytes; each subkey is padded to
the next register boundary.

> Short of digging through the source code of nft, how am I supposed to do
> this?

It's complicated; for simple keys ('type ipv4_addr') it is easy, see answer
above. For concatenations NFTA_SET_KEY_TYPE holds a bitmask of types;
for more complicated cases ('typeof meta iifname . ip6 daddr . meta mark'
and the like) you need to dissect the udata /
NFTNL_UDATA_SET_KEY_TYPEOF. But as long as you only need to handle ipv4
vs ipv6 the simple answer should do.
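
Added example, not part of the original message or of nftables: one way an application could classify a set from the NFTA_SET_KEY_TYPE and NFTA_SET_KEY_LEN payloads of an NFT_MSG_GETSET reply. It assumes the numeric values from nftables' include/datatype.h as known at the time of writing (TYPE_IPADDR = 7, TYPE_IP6ADDR = 8, TYPE_INET_SERVICE = 13, 6 bits per sub-type in a concatenation); the function names and sample payloads are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values from nftables include/datatype.h ('enum datatypes');
 * verify them against the tree you build against. */
enum { TYPE_IPADDR = 7, TYPE_IP6ADDR = 8, TYPE_INET_SERVICE = 13 };
#define TYPE_BITS 6                      /* bits per sub-type in a concatenation */
#define TYPE_MASK ((1u << TYPE_BITS) - 1)

enum set_kind { SET_OTHER, SET_IPV4, SET_IPV6, SET_CONCAT };

/* nf_tables u32 attributes are carried in network byte order. */
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* key_type / key_len: the 4-byte payloads of NFTA_SET_KEY_TYPE and
 * NFTA_SET_KEY_LEN. The length is cross-checked rather than trusted alone. */
enum set_kind classify_set(const uint8_t *key_type, const uint8_t *key_len)
{
    uint32_t type = be32(key_type), len = be32(key_len);
    if (type > TYPE_MASK)
        return SET_CONCAT;               /* more than one packed sub-type */
    if (type == TYPE_IPADDR && len == 4)
        return SET_IPV4;
    if (type == TYPE_IP6ADDR && len == 16)
        return SET_IPV6;
    return SET_OTHER;                    /* other type, or type/len mismatch */
}

/* Split a concatenation's type value into sub-types, leftmost field first.
 * Returns the number of fields written to out (at most max). */
int concat_subtypes(uint32_t type, uint32_t *out, int max)
{
    int n = 0;
    for (int i = 32 / TYPE_BITS - 1; i >= 0 && n < max; i--) {
        uint32_t sub = (type >> (TYPE_BITS * i)) & TYPE_MASK;
        if (sub || n)                    /* skip unused leading slots */
            out[n++] = sub;
    }
    return n;
}

int main(void)
{
    const uint8_t t[4] = {0, 0, 0, 7}, l[4] = {0, 0, 0, 4}; /* constructed sample */
    printf("kind=%d (1 = IPv4, 2 = IPv6)\n", classify_set(t, l));
    return 0;
}
```

A set that comes back as SET_CONCAT or SET_OTHER is one the application should refuse to treat as a plain address set.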