nftables

Is there an equivalent method to `nft get element` ?

Open · sbs2001 opened this issue 4 years ago · 1 comment

Consider there are some elements in an nft set (some are CIDR ranges). By doing

    nft get element x y { 1.1.1.1 }
    table ip x {
            set m {
                    type ipv4_addr
                    flags interval
                    elements = { 1.1.1.0/24 }
            }
    }

we can query whether a single IP is contained within the set. This resolves the CIDRs in the set too. Is there a way to mimic this functionality by using this library?

Background info: https://marc.info/?l=netfilter&m=163360852605801&w=2

sbs2001 · Oct 19 '21 09:10

You can obtain the sets using this nftables package, but I think converting a set element to an IP address range (see https://pkg.go.dev/net#ParseCIDR) is not currently implemented.

cc @sbezverk to make sure I’m not missing anything

stapelberg · Oct 21 '21 07:10
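The missing piece the thread describes, as an added example written for this page (it is not code from the issue participants or from the google/nftables library): a set with `flags interval` stores each CIDR as two raw elements, the network address and a second element flagged `IntervalEnd` whose key is one past the last address, so mimicking `nft get element` means pairing those keys back into ranges and comparing the queried address byte-wise. Assumptions: `setElement` is a local stand-in for the `Key` and `IntervalEnd` fields of `nftables.SetElement` (the library is deliberately not imported so the example runs offline; in a real program the slice would come from `conn.GetSetElements(set)`), and `cidrToElements` is a hypothetical helper that produces what the kernel would return for a constructed sample set. The code also handles the two edge cases a practitioner hits: a `/0`, which has no end element, and adjacent ranges that share a key.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/netip"
	"sort"
)

// setElement mirrors the two nftables.SetElement fields that matter for a set with
// "flags interval" (assumption: the library is not imported so this runs offline).
type setElement struct {
	Key         []byte
	IntervalEnd bool
}

// interval is a half-open range [Start, End); End == nil means "to the end of the
// address space", which is how the kernel stores a range with no end element (a /0).
type interval struct{ Start, End []byte }

// cidrToElements encodes a prefix the way the kernel stores it in an interval set:
// the network address, plus an IntervalEnd element whose key is one past the last address.
func cidrToElements(cidr string) ([]setElement, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	start := p.Masked().Addr().AsSlice()
	last := append([]byte(nil), start...)
	for i := p.Bits(); i < len(last)*8; i++ { // set every host bit
		last[i/8] |= 0x80 >> (i % 8)
	}
	elems := []setElement{{Key: start}}
	lastAddr, _ := netip.AddrFromSlice(last)
	if end := lastAddr.Next(); end.IsValid() { // Next() of all-ones is the zero Addr
		elems = append(elems, setElement{Key: end.AsSlice(), IntervalEnd: true})
	}
	return elems, nil
}

// intervals pairs starts with ends, which is what nft does when it prints "1.1.1.0/24"
// back from the two stored keys. Adjacent ranges share a key, so ends sort before starts.
func intervals(elems []setElement) ([]interval, error) {
	s := append([]setElement(nil), elems...)
	sort.SliceStable(s, func(i, j int) bool {
		if c := bytes.Compare(s[i].Key, s[j].Key); c != 0 {
			return c < 0
		}
		return s[i].IntervalEnd && !s[j].IntervalEnd
	})
	out, open := []interval(nil), []byte(nil)
	for _, e := range s {
		if e.IntervalEnd == (open == nil) { // end without start, or start inside an open range
			return nil, errors.New("interval set: unbalanced start/end elements")
		}
		if !e.IntervalEnd {
			open = e.Key
			continue
		}
		out, open = append(out, interval{open, e.Key}), nil
	}
	if open != nil {
		out = append(out, interval{Start: open})
	}
	return out, nil
}

// lookup mimics "nft get element": it reports whether ip falls inside one of the
// set's ranges and, if so, returns that range as "first-last".
func lookup(elems []setElement, ip string) (string, bool, error) {
	a, err := netip.ParseAddr(ip)
	if err != nil {
		return "", false, err
	}
	key := a.AsSlice()
	ranges, err := intervals(elems)
	if err != nil {
		return "", false, err
	}
	for _, r := range ranges {
		if len(r.Start) != len(key) || bytes.Compare(key, r.Start) < 0 ||
			(r.End != nil && bytes.Compare(key, r.End) >= 0) {
			continue // wrong address family, or outside [Start, End)
		}
		first, _ := netip.AddrFromSlice(r.Start)
		last, _ := netip.AddrFromSlice(bytes.Repeat([]byte{0xff}, len(key)))
		if r.End != nil {
			end, _ := netip.AddrFromSlice(r.End)
			last = end.Prev()
		}
		return first.String() + "-" + last.String(), true, nil
	}
	return "", false, nil
}

func main() { // constructed sample set: { 1.1.1.0/24, 10.0.0.0/8 }
	set, _ := cidrToElements("1.1.1.0/24")
	more, _ := cidrToElements("10.0.0.0/8")
	for _, ip := range []string{"1.1.1.1", "1.1.2.1", "10.200.0.7"} {
		r, ok, _ := lookup(append(set, more...), ip)
		fmt.Printf("%-11s in set: %-5v %s\n", ip, ok, r)
	}
}
```

The same pairing logic is what you need in the other direction, too: to add a CIDR to an interval set you push both elements that `cidrToElements` produces, and the kernel will reject overlapping ranges, which is why `intervals` treats a second start inside an open range as corrupt input rather than silently merging it.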