Florian Westphal wrote on 10/18/23 00:05:
> U.Mutlu <um@xxxxxxxxxxx> wrote:
>> Florian Westphal wrote on 10/17/23 23:35:
>>> U.Mutlu <um@xxxxxxxxxxx> wrote:
>>>> The "ipset" commandline tool has the "test" command
>>>> for testing whether a given item (i.e. an IP) is in a given set.
>>>> Is there an equivalent for the "nft" commandline tool of nftables?
>>>> I unfortunately couldn't find the answer in the manpage of nft.
>>>
>>> nft "get element inet tablename setname { 1.2.3.4 }"
>>
>> But isn't that printing the whole item on stdout?
>> I just need to quickly test it only,
>> i.e. need just a return code of 0 or 1, or so,
>> for use in a shell script (bash).
>
> ?
> nft "get element inet t s { 1.2.3.4 }" > /dev/null 2>&1; echo $?
> 1
> nft "add element inet t s { 1.2.3.4 }"
> nft "get element inet t s { 1.2.3.4 }" > /dev/null 2>&1; echo $?
> 0
Actually I need to do this monster: :-)
IP="1.2.3.4"
! nft "get element inet mytable myset { $IP }" > /dev/null 2>&1 && \
! nft "get element inet mytable myset2 { $IP }" > /dev/null 2>&1 && \
nft "add element inet mytable myset { $IP }"
I.e. add it to the set myset only if it's not already present in any of myset
and myset2.
A true "test" command w/o any output, much like in "ipset test", would be a
better method, IMO.
I've not switched yet to nftables, just (dry-) evaluating it.
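An added example, not code from the thread or from the nftables project: a small POSIX shell wrapper that turns the "nft get element" exit status shown above into a plain true/false membership test (no output, like "ipset test"), and generalizes the three-line "add unless already in myset or myset2" form to any number of sets. It assumes the family "inet", table "mytable" and sets "myset"/"myset2" named in the thread; the NFT variable is a hypothetical knob of this script (not an nft feature) so the binary can be substituted, e.g. by a stub when testing the script itself.

```shell
#!/bin/sh
# Added example (not from the thread or the nftables project).
# NFT is a hypothetical knob so the nft binary can be swapped for a stub.
NFT="${NFT:-nft}"

# nft_set_exists FAMILY TABLE SET -> exit 0 if the set exists, 1 otherwise.
nft_set_exists() {
    "$NFT" list set "$1" "$2" "$3" >/dev/null 2>&1
}

# nft_set_has FAMILY TABLE SET ELEMENT -> exit 0 if present, 1 if absent.
# Output is discarded; only the exit status is used, like "ipset test".
nft_set_has() {
    "$NFT" get element "$1" "$2" "$3" "{ $4 }" >/dev/null 2>&1
}

# nft_add_unless_present FAMILY TABLE TARGET_SET ELEMENT SET...
# Adds ELEMENT to TARGET_SET unless it is already in any of SET... .
# Exit status: 0 added, 3 already present in one of the sets, 2 a listed
# set does not exist. The existence check comes first because "get element"
# also exits non-zero when the set itself is missing, which a script that
# only looks at the status would otherwise read as "element absent".
nft_add_unless_present() {
    family="$1" table="$2" target="$3" elem="$4"
    shift 4
    for s in "$@"; do
        if ! nft_set_exists "$family" "$table" "$s"; then
            echo "set $family $table $s does not exist" >&2
            return 2
        fi
        if nft_set_has "$family" "$table" "$s" "$elem"; then
            return 3
        fi
    done
    "$NFT" add element "$family" "$table" "$target" "{ $elem }"
}

# Usage as in the thread: add the IP given as the only argument to myset
# unless it is already in myset or myset2.
if [ $# -eq 1 ]; then
    nft_add_unless_present inet mytable myset "$1" myset myset2
fi
```

The check-then-add sequence is not atomic; two scripts racing on the same element can both pass the check, which is harmless for "add element" because adding an element that is already in the set succeeds, but it is worth knowing when the target set carries a timeout or counters.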