* How to determine type of nftables set
From: Ian Pilcher @ 2025-12-08 23:32 UTC (permalink / raw)
To: netfilter@vger.kernel.org
I am working on an application that will be working with pre-existing
(created by the system administrator) netfilter sets. These sets should
contain either IPv4 or IPv6 addresses.

How can my application determine what type of address a particular set
holds? I can query the set and get a NFT_MSG_GETSET message back, but
it's murky after that.

The message contains a NFTA_SET_KEY_TYPE attribute, which looks
promising, but I can't find anything telling me how to interpret it.

ChatGPT says that I should just look at the NFTA_SET_KEY_LEN attribute,
but that doesn't seem reliable; how would I distinguish a 32-bit IPv4
address from 2 16-bit ports?

Short of digging through the source code of nft, how am I supposed to do
this?

TIA!
--
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================
* Re: How to determine type of nftables set
From: Florian Westphal @ 2025-12-11 12:55 UTC (permalink / raw)
To: Ian Pilcher; +Cc: netfilter@vger.kernel.org
Ian Pilcher <arequipeno@gmail.com> wrote:
> I am working on an application that will be working with pre-existing
> (created by the system administrator) netfilter sets. These sets should
> contain either IPv4 or IPv6 addresses.
>
> How can my application determine what type of address a particular set
> holds? I can query the set and get a NFT_MSG_GETSET message back, but
> it's murky after that.
>
> The message contains a NFTA_SET_KEY_TYPE attribute, which looks
> promising, but I can't find anything telling me how to interpret it.
See 'enum datatypes' in include/datatype.h in nftables for existing
types.
> ChatGPT says that I should just look at the NFTA_SET_KEY_LEN attribute,
> but that doesn't seem reliable; how would I distinguish a 32-bit IPv4
> address from 2 16-bit ports?
2 16-bit ports in a concatenation need 8 bytes; each subkey is padded to
the next register boundary.
> Short of digging through the source code of nft, how am I supposed to do
> this?
It's complicated. For simple keys ('type ipv4_addr') it is easy, see the
answer above. For concatenations NFTA_SET_KEY_TYPE holds a bitmask of types;
for more complicated cases ('typeof meta iifname . ip6 daddr . meta mark'
and the like) you need to dissect the udata /
NFTNL_UDATA_SET_KEY_TYPEOF. But as long as you only need to handle ipv4
vs ipv6 the simple answer should do.
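
Added example, not part of either message and not nftables or libnftnl code: a C version of the check discussed in this thread, so an application can confirm what an administrator-created set holds before adding addresses to it. Assumptions: the NFTA_SET_KEY_TYPE and NFTA_SET_KEY_LEN values are already in host byte order, the numeric type values match the `include/datatype.h` of the nftables you target, and a concatenation packs one subtype per 6 bits with the first field in the highest bits; the names `classify_set`, `key_subtypes` and `concat_key_len` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Subset of 'enum datatypes' from nftables include/datatype.h.
 * Assumption: verify these numbers against the header you build against. */
enum { TYPE_IPADDR = 7, TYPE_IP6ADDR = 8, TYPE_INET_SERVICE = 13 };
#define TYPE_BITS 6                       /* bits per subtype in a concatenation */
#define TYPE_MASK ((1u << TYPE_BITS) - 1)
#define REG_SIZE  4u                      /* subkeys are padded to 4-byte registers */
enum set_kind { SET_IPV4, SET_IPV6, SET_CONCAT, SET_OTHER, SET_INCONSISTENT };

/* Split a key type into subtypes, first field first; returns the field count. */
size_t key_subtypes(uint32_t key_type, uint32_t out[5])
{
    size_t n = 0;
    for (int shift = 4 * TYPE_BITS; shift >= 0; shift -= TYPE_BITS) {
        uint32_t t = (key_type >> shift) & TYPE_MASK;
        if (t != 0 || n > 0) out[n++] = t;   /* skip unused leading slots */
    }
    return n;
}

/* Key length of a concatenation: every field rounded up to a register. */
uint32_t concat_key_len(const uint32_t *field_len, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (field_len[i] + REG_SIZE - 1) / REG_SIZE * REG_SIZE;
    return total;
}

/* key_type, key_len: NFTA_SET_KEY_TYPE and NFTA_SET_KEY_LEN in host byte order. */
enum set_kind classify_set(uint32_t key_type, uint32_t key_len)
{
    uint32_t sub[5];
    size_t n = key_subtypes(key_type, sub);
    if (n > 1) return SET_CONCAT;
    if (n == 1 && sub[0] == TYPE_IPADDR)     /* type and length must agree */
        return key_len == 4 ? SET_IPV4 : SET_INCONSISTENT;
    if (n == 1 && sub[0] == TYPE_IP6ADDR)
        return key_len == 16 ? SET_IPV6 : SET_INCONSISTENT;
    return SET_OTHER;
}

int main(void)
{
    uint32_t ports[2] = { 2, 2 };         /* constructed: two 16-bit ports */
    uint32_t pp = (TYPE_INET_SERVICE << TYPE_BITS) | TYPE_INET_SERVICE;
    printf("ipv4_addr -> %d, port . port -> %d, key_len %u\n",
           (int)classify_set(TYPE_IPADDR, 4), (int)classify_set(pp, 8),
           concat_key_len(ports, 2));
}
```

Treating anything other than SET_IPV4 or SET_IPV6 as a refusal keeps the application from writing addresses into a set whose key it does not understand.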