nftables equivalent of "ipset test"?

nftables equivalent of "ipset test"?

[Frank Myhr]

Is there a recommended way to test whether an element is a member of an 
nftables set?

Thanks,
Frank

Re: nftables equivalent of "ipset test"?

[kfm]

On 09/03/2020 17:53, Frank Myhr wrote:
> Is there a recommended way to test whether an element is a member of an 
> nftables set?

Unfortunately, there doesn't appear to be a straightforward way to 
efficiently look up an element in a set from without the ruleset.

One option would be to use the JSON output format. Here is an example of 
how it might be done with jshon [1] for a set whose elements contain 
just a single data type:-

nft_set_test() {
     local val=$1
     shift
     nft -j list set "$@" |
         jshon -e nftables -e 1 -a -e elem -a -u |
         grep -qxF "$val"
}

if nft_set_test 1.2.3.4 ip filter myset; then
     echo "matched 1.2.3.4"
fi

Where jshon isn't available, jq [2] could be another option.

[1] http://kmkeen.com/jshon/
[2] https://stedolan.github.io/jq/

-- 
Kerin Millar

Re: nftables equivalent of "ipset test"?

[Florian Westphal]

Frank Myhr <fmyhr@fhmtech.com> wrote:
> Is there a recommended way to test whether an element is a member of an
> nftables set?

nft get element inet filter foo "{ 1.2.3.4 }"

Re: nftables equivalent of "ipset test"?

[Frank Myhr]

On 2020/03/09 14:56, kfm@plushkava.net wrote:
> One option would be to use the JSON output format. Here is an example of 
> how it might be done with jshon [1] for a set whose elements contain 
> just a single data type:-
> 
> nft_set_test() {
>      local val=$1
>      shift
>      nft -j list set "$@" |
>          jshon -e nftables -e 1 -a -e elem -a -u |
>          grep -qxF "$val"
> }
> 
> if nft_set_test 1.2.3.4 ip filter myset; then
>      echo "matched 1.2.3.4"
> fi
> 
> Where jshon isn't available, jq [2] could be another option.
> 
> [1] http://kmkeen.com/jshon/
> [2] https://stedolan.github.io/jq/

Kerin,

Thank you very much for the link to jshon and even including a sample 
script! Debian does have a jshon package available, I imagine I'll find 
many uses for it. In this case, I think jshon approach fails for 
interval sets when testing for a single element. (Say, test for 10.0.0.7 
in set containing 10.0.0.0/8.) Right?

Thanks,
Frank

Re: nftables equivalent of "ipset test"?

[Frank Myhr]

On 2020/03/09 15:14, Florian Westphal wrote:
> Frank Myhr <fmyhr@fhmtech.com> wrote:
>> Is there a recommended way to test whether an element is a member of an
>> nftables set?
> 
> nft get element inet filter foo "{ 1.2.3.4 }"

Florian,

Fantastic! Just what I was looking for but didn't find in the man page. 
Just searched wiki, found a reference to it here:
https://wiki.nftables.org/wiki-nftables/index.php/List_of_updates_since_Linux_kernel_3.13

So kernel >= 4.15 is needed. Debian buster or stretch-backports will do. 
I tested, and it works properly for interval sets (at least with type 
ipv4_addr, don't see why others would be different).

Thanks!
Frank

Re: nftables equivalent of "ipset test"?

[kfm]

On 09/03/2020 19:14, Florian Westphal wrote:
> Frank Myhr <fmyhr@fhmtech.com> wrote:
>> Is there a recommended way to test whether an element is a member of an
>> nftables set?
> 
> nft get element inet filter foo "{ 1.2.3.4 }"

Excellent. Thanks.

-- 
Kerin Millar