Re: [nftables/nft] nft equivalent of "ipset test"

On Wed, Oct 18, 2023 at 11:54:30AM +0200, U.Mutlu wrote:
> Pablo Neira Ayuso wrote on 10/18/23 11:36:
> > On Tue, Oct 17, 2023 at 08:00:57PM -0400, imnozi@xxxxxxxxx wrote:
> > > On Wed, 18 Oct 2023 00:36:37 +0200
> > > "U.Mutlu" <um@xxxxxxxxxxx> wrote:
> > > 
> > > > ...
> > > > Actually I need to do this monster:   :-)
> > > > 
> > > > IP="1.2.3.4"
> > > > ! nft "get element inet mytable myset  { $IP }" > /dev/null 2>&1 && \
> > > > ! nft "get element inet mytable myset2 { $IP }" > /dev/null 2>&1 && \
> > > >     nft "add element inet mytable myset  { $IP }"
> > > 
> > > Try using '||', akin to:
> > 
> > Please, use 'nft create' for this, no need for an explicit test and
> > then add from command line.
> > 
> > The idiom above is an antipattern, because it is not atomic, the
> > 'create' command provides a way to first test if the element exists
> > (if so it fails) then add it.
> 
> Pablo, unfortunately your solution with 'create' cannot be used
> in my above said special use-case of testing first in BOTH sets...

'ipset test' also requires a set to be specified.

> I just don't understand why the author cannot simply add a real 'test'
> function to the nft tool...

I just don't understand your use case :-), why do you need this atomic
check on two different sets?

Could you explain your ruleset in more detail?

> The logic is already in 'get element' and also in your 'create' method.
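As an added example (not code from the thread or from the nftables project),
the test-then-add idiom quoted above is shown next to the 'nft create element'
form Pablo suggests, plus a batch loaded through 'nft -f' to show that nft
applies a batch as one all-or-nothing transaction. Table and set names are the
ones from the thread ('inet mytable', 'myset', 'myset2'); the address in the
usage section is made up. The batch function does not implement the "absent
from both sets, then add to one" check asked for in the thread; it only shows
what a failing 'create' inside a batch does to the rest of the batch.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes an existing table
# 'inet mytable' with sets 'myset' and 'myset2' of type ipv4_addr, and
# root (or CAP_NET_ADMIN) to talk to nftables.

# 1. Test-then-add, the idiom quoted in the thread. Two separate nft
#    invocations: between the 'get' and the 'add' another process may
#    add or delete the element, so the check says nothing about the
#    state the 'add' will see. Note that 'add element' on an element
#    that already exists succeeds silently, which is why this idiom
#    needs the separate 'get' in the first place.
add_if_absent_racy() {
    ip="$1"
    if nft get element inet mytable myset "{ $ip }" >/dev/null 2>&1; then
        return 1            # already present (or get failed for another reason)
    fi
    nft add element inet mytable myset "{ $ip }"
}

# 2. 'create element': existence check and insert happen in one kernel
#    transaction. Exit status 0 means inserted; non-zero means it was
#    already there (or another error, reported on stderr).
add_if_absent_atomic() {
    ip="$1"
    nft create element inet mytable myset "{ $ip }"
}

# 3. Commands loaded with 'nft -f' are applied as a single transaction:
#    if any command in the batch fails, none of them is applied. Here the
#    address is inserted into both sets only if it is in neither; if
#    either set already holds it, the 'create' for that set fails and
#    the whole batch is rejected, leaving both sets unchanged.
add_to_both_atomic() {
    ip="$1"
    nft -f - <<EOF
create element inet mytable myset  { $ip }
create element inet mytable myset2 { $ip }
EOF
}

# Usage: ./nft-create.sh 10.0.0.1   (sample address, made up for this example)
if [ "$#" -gt 0 ]; then
    if add_if_absent_atomic "$1"; then
        echo "added $1 to myset"
    else
        echo "$1 already in myset (or nft failed)" >&2
        exit 1
    fi
fi
```

The shell functions above carry nft's exit status through unchanged, so a
caller can branch on it directly ('if add_if_absent_atomic "$ip"; then ...')
instead of chaining negated 'get' calls. Discarding stderr, as the quoted
one-liner does, also hides "table or set does not exist" errors; keep it
visible at least while debugging.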


