On Wed, Oct 18, 2023 at 12:36:37AM +0200, U.Mutlu wrote:
> Florian Westphal wrote on 10/18/23 00:05:
> > U.Mutlu <um@xxxxxxxxxxx> wrote:
> > > Florian Westphal wrote on 10/17/23 23:35:
> > > > U.Mutlu <um@xxxxxxxxxxx> wrote:
> > > > > The "ipset" commandline tool has the "test" command
> > > > > for testing whether a given item (i.e. an IP) is in a given set.
> > > > > Is there an equivalent for the "nft" commandline tool of nftables?
> > > > > I unfortunately couldn't find the answer in the manpage of nft.
> > > >
> > > > nft "get element inet tablename setname { 1.2.3.4 }"
> > >
> > > But isn't that printing the whole item on stdout?
> > > I just need to quickly test it only,
> > > i.e. need just a return code of 0 or 1, or so,
> > > for use in a shell script (bash).
> >
> > ?
> >
> > nft "get element inet t s { 1.2.3.4 }" > /dev/null 2>&1; echo $?
> > 1
> > nft "add element inet t s { 1.2.3.4 }"
> > nft "get element inet t s { 1.2.3.4 }" > /dev/null 2>&1; echo $?
> > 0
>
> Actually I need to do this monster: :-)
>
> IP="1.2.3.4"
> ! nft "get element inet mytable myset { $IP }" > /dev/null 2>&1 && \
> ! nft "get element inet mytable myset2 { $IP }" > /dev/null 2>&1 && \
> nft "add element inet mytable myset { $IP }"

Use 'nft create element' if you want to fail if element already exists.

> I.e. add it to the set myset only if it's not already present in any of myset
> and myset2.
>
> A true "test" command w/o any output, much like in "ipset test", would be a
> better method, IMO.
>
> I've not switched yet to nftables, just (dry-) evaluating it.
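The membership test and the conditional add from the thread, written up as a small POSIX sh script. This is an added example, not code posted by either participant: it assumes an existing table "inet mytable" with sets "myset" and "myset2" (the names U.Mutlu used), assumes the nft binary is in PATH, and adds two things the thread does not show: a crude IPv4 sanity check so that only dotted-quad strings from script input ever reach nft's set-element parser, and Florian's "create element" instead of "add element" so that a second writer slipping in between the get and the add makes the script fail loudly rather than report a silent no-op success. The NFT and TABLE variables are hypothetical overrides, there only so the functions can be driven with a stand-in nft.

```shell
#!/bin/sh
# Added example (not from the nftables thread). Assumes table "inet mytable"
# with sets "myset" and "myset2" already exist and that nft is in PATH.
# NFT and TABLE are hypothetical overrides, not nft options.
set -eu

NFT="${NFT:-nft}"
TABLE="${TABLE:-mytable}"

# Crude IPv4 check: exactly four decimal octets, each 0..255. Anything else
# (hostnames, ranges, stray braces or semicolons) is rejected before it is
# interpolated into an nft command line.
is_ipv4() {
    case "$1" in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Return 0 if element $2 is in set $1 of table "inet $TABLE", 1 otherwise.
# "nft get element" prints the element when present and exits non-zero when
# it is absent; only the exit status is used here, as Florian showed.
in_set() {
    "$NFT" get element inet "$TABLE" "$1" "{ $2 }" >/dev/null 2>&1
}

# Add $1 to myset only if it is in neither myset nor myset2.
# "create element" fails if the element already exists, so if another
# process inserted it between the membership test and the insert, this
# returns non-zero instead of "add element"'s silent success.
add_if_absent() {
    ip=$1
    is_ipv4 "$ip" || { echo "rejected: '$ip' is not an IPv4 address" >&2; return 2; }
    if in_set myset "$ip" || in_set myset2 "$ip"; then
        return 1
    fi
    "$NFT" create element inet "$TABLE" myset "{ $ip }"
}

# Small CLI: "test <set> <ip>" exits 0/1 like "ipset test", "add <ip>" does
# the conditional insert. With no arguments the script only defines the
# functions, so it can be sourced from another script.
case "${1:-}" in
    test) in_set "${2:?set name}" "${3:?element}" ;;
    add)  add_if_absent "${2:?ipv4 address}" ;;
    '')   ;;
    *)    echo "usage: $0 test <set> <ip> | add <ip>" >&2; exit 64 ;;
esac
```

Run as `./nftset.sh test myset 1.2.3.4; echo $?` for the bare exit-code check the thread asks for, or `./nftset.sh add 1.2.3.4` for the guarded insert. Note that the check-then-create is still two separate netlink transactions; the value of `create` is that the second one tells you when the first one's answer went stale.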