testing if a named set exists?

testing if a named set exists?

[Matt Zagrabelny]

Hello,

I'd like to do something like the following:

if exists $named_set
    nft add rule ip filter output ip daddr $named_set accept
else
    nft add rule ip filter output ip daddr $default_set accept

Does anyone know if I can accomplish this with nftables?

Thanks,

-m

Re: testing if a named set exists?

[Duncan Roe]

On Fri, Oct 01, 2021 at 08:16:17PM -0500, Matt Zagrabelny wrote:
> Hello,
>
> I'd like to do something like the following:
>
> if exists $named_set
>     nft add rule ip filter output ip daddr $named_set accept
> else
>     nft add rule ip filter output ip daddr $default_set accept
>
> Does anyone know if I can accomplish this with nftables?
>
> Thanks,
>
> -m
How about

> if nft list ruleset | grep -q "$named_set"; then
>   nft add rule ip filter output ip daddr $named_set accept
> else
>   nft add rule ip filter output ip daddr $default_set accept
> fi

You can restrict the search to a table, e.g. instead of "ruleset"
put "table $my_table"

Cheers ... Duncan.

Re: testing if a named set exists?

[Kerin Millar]

On Fri, 1 Oct 2021 20:16:17 -0500
Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:

> Hello,
> 
> I'd like to do something like the following:
> 
> if exists $named_set
>     nft add rule ip filter output ip daddr $named_set accept
> else
>     nft add rule ip filter output ip daddr $default_set accept
> 
> Does anyone know if I can accomplish this with nftables?
> 
> Thanks,
> 
> -m

The output of nft isn't particularly amenable to parsing unless it is instructed to produce JSON. The simplest way is to act upon the exit status value of a list set command.

if nft --terse list set ip filter "$named_set" >/dev/null 2>&1; then ...

-- 
Kerin Millar

Re: testing if a named set exists?

[Matt Zagrabelny]

Hey Kerin (and Duncan),

Thanks for the replies.

On Fri, Oct 1, 2021 at 9:57 PM Kerin Millar <kfm@plushkava.net> wrote:
>
> On Fri, 1 Oct 2021 20:16:17 -0500
> Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
>
> > I'd like to do something like the following:
> >
> > if exists $named_set
> >     nft add rule ip filter output ip daddr $named_set accept
> > else
> >     nft add rule ip filter output ip daddr $default_set accept
> >
> > Does anyone know if I can accomplish this with nftables?
> >
>
> The output of nft isn't particularly amenable to parsing unless it is instructed to produce JSON. The simplest way is to act upon the exit status value of a list set command.
>
> if nft --terse list set ip filter "$named_set" >/dev/null 2>&1; then ...

I should have been more specific...

I'm hoping to do this all in nft without hitting the shell. For
example, from "man bash" we have:

       ${parameter:-word}
              Use Default Values.  If parameter is unset or null, the
expansion of word is  substituted.   Otherwise,
              the value of parameter is substituted.

I was hoping for some sort of similar mechanism in nft. Like:

nft add rule ip filter output ip daddr
${named_set_does_not_exist:-default_named_set} accept

Thanks for the help!

-m

Re: testing if a named set exists?

[Kerin Millar]

On Sat, 2 Oct 2021 06:50:35 -0500
Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:

> Hey Kerin (and Duncan),
> 
> Thanks for the replies.
> 
> On Fri, Oct 1, 2021 at 9:57 PM Kerin Millar <kfm@plushkava.net> wrote:
> >
> > On Fri, 1 Oct 2021 20:16:17 -0500
> > Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
> >
> > > I'd like to do something like the following:
> > >
> > > if exists $named_set
> > >     nft add rule ip filter output ip daddr $named_set accept
> > > else
> > >     nft add rule ip filter output ip daddr $default_set accept
> > >
> > > Does anyone know if I can accomplish this with nftables?
> > >
> >
> > The output of nft isn't particularly amenable to parsing unless it is instructed to produce JSON. The simplest way is to act upon the exit status value of a list set command.
> >
> > if nft --terse list set ip filter "$named_set" >/dev/null 2>&1; then ...
> 
> I should have been more specific...
> 
> I'm hoping to do this all in nft without hitting the shell. For
> example, from "man bash" we have:
> 
>        ${parameter:-word}
>               Use Default Values.  If parameter is unset or null, the
> expansion of word is  substituted.   Otherwise,
>               the value of parameter is substituted.
> 
> I was hoping for some sort of similar mechanism in nft. Like:
> 
> nft add rule ip filter output ip daddr
> ${named_set_does_not_exist:-default_named_set} accept

I see. As far as I'm aware, no such feature exists in nft at the current time.

-- 
Kerin Millar