Syntax for nft list sets ... ?

Turbocapitalist · 07-29-2022, 02:48 PM

I have named set in nftables:

Code:

# nft get element inet filter myset { 159.203.2.200 }
table inet filter {
        set myset {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 159.203.2.200 }
        }
}

What is the generic way to list all the elements in the set?

I've tried the following but neither are accepted?

Code:

nft list sets ip filter myset

nft list sets inet myset

What is the correct syntax, given the set described above?

boughtonp · 07-30-2022, 09:05 AM

Quote:

Originally Posted by Turbocapitalist

What is the generic way to list all the elements in the set?

Dunno, but in the absence of responses I looked at SETS in man nft, and from the convoluted syntax description, I think the relevant accepted list syntax would seem to be:

Code:

list set [family] table set
list sets [family]

So the commands you typed (which appear to include both family and table set) should use the singular "nft list set ..." to be valid?

And, based on the description of "list" below the syntax - maybe to get all elements back might just be "nft list sets" and/or "nft list sets inet" ?

Turbocapitalist · 07-30-2022, 09:47 AM

Thanks. The former doesn't seem to be accepted by nft and the latter only lists the structure of the blacklist set:

Code:

# nft list sets inet
table inet filter {
        set myset {
                type ipv4_addr
                flags interval
                auto-merge
        }
}

I'm trying to get the full list of addresses and networks which have been stored in the set.

boughtonp · 07-30-2022, 03:11 PM

What version of nftables?

Debian Buster has nftables 0.9.0-2 which supports "nft export json" - so a hacky workaround might be to do that and filter with jq.

Debian Bullseye has nftables 0.9.8-3.1 where "export" command has been removed; not sure if equivalent is "nft --json list ruleset" or something else.

Turbocapitalist · 07-31-2022, 03:10 AM

Alpine seems to have nftables-1.0.4

The new syntax for JSON seems to be nft -j list ruleset so jq can work like this:

Code:

nft -j list ruleset \
| jq '.nftables[2].set | select(.name=="myset")| .elem'

Unfortunately, the CIDR networks in the blacklist are written out like this:

Code:

...
  {
    "prefix": {
      "addr": "31.13.24.0",
      "len": 21
    }
  },
  {
    "range": [
      "31.13.103.6",
      "31.13.103.8"
    ]
  },
...

So while it's close, it would require a lot of additional processing and thus not an option.

Perhaps the syntax error in nft is a bug, since of the line shown in the wiki doesn't actually work.

boughtonp · 07-31-2022, 06:20 AM

Yep, a mismatch between documented behaviour and observed behaviour is a bug, since at least one of the two needs correcting.

Probably asking on the nftables mailing list is the best way to find out which.