From: Reindl Harald <h.reindl@thelounge.net>
To: marek <cervajs64@gmail.com>, netfilter@vger.kernel.org
Subject: Re: ipset swap to nftables set
Date: Fri, 29 Sep 2023 21:59:42 +0200
Message-ID: <4af4812d-0b91-5b31-c4aa-e499e18ed65e@thelounge.net>
In-Reply-To: <37e0df9b-fb90-c085-1b09-c35fc839e901@gmail.com>
On 29.09.23 at 21:47, marek wrote:
>
> On 2023-09-29 at 16:41, Kerin Millar wrote:
>> On Fri, 29 Sep 2023, at 2:44 PM, marek wrote:
>>> hi,
>>>
>>> i'm using in production ipset swap with ~3000 ip addr
>>>
>>> i.e.
>>>
>>> - change coming from customer (new ips, old ips deprecated)
>>>
>>> - generation of new list /etc/sysconfig/ipset-new
>>>
>>> - swap ipset-new with ipset
>>>
>>> transaction is near real-time
>>>
>>>
>>> now i'm moving from RHEL7 to RHEL9 (rocky, kernel 5.14, nftables 1.0.4)
>>> and trying move from ipset to nftables sets
>>>
>>> nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all packets from these hosts\" \; }
>>> fill the set
>>>
>>> now the new flow is
>>>
>>> - change coming from customer (new ips, old ips deprecated)
>>>
>>> - nft flush set ip filter blackhole
>>>
>>> - nft add element ip filter blackhole { X } (bash for loop)
>> Executing nft repeatedly will certainly be slow, if that is what you
>> are currently doing. I'd be interested to know what you are using for
>> to iterate over precisely because there's a fair chance that your use
>> of for is an anti-pattern to begin with.
>>
>>>
>>> it takes 10 sec
>>>
>>> can you recommend better way? (performance similar to ipset swap)
>> Yes, definitely. However, I would prefer to see some of the existing
>> code first. This will make it easier to provide clear guidance as to
>> how to modify your script. In particular, please make it clear where
>> the input data comes from, and the precise format of this data.
>
> i'll try tip from previous mail
>
> current version is very simple loop like
>
> cat file | while read i
> do
>     nft add element ip filter blackhole { $i }
> done
>
> "i" is ipv4 /32 ip address
this is always a problem - with a list of 10k records you call a binary
10k times - you have the same difference between "iptables-restore" and
calling iptables thousands of times

i dislike nftables in general and especially because you can't have your
ipsets completely separate and load them atomically at every point in time

hopefully iptables-nft will last forever
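The single-call batch alluded to above (one binary invocation, as with iptables-restore), as an added example that is not code from the thread: the flush and the add element for the whole list go into one `nft -f` run, which the kernel applies as one transaction, so the set is never observed half-filled. Table, set name and input layout (one IPv4 /32 per line) follow the thread; the sample list is constructed.

```shell
#!/bin/sh
# Replace the contents of an nft set in one transaction instead of one
# `nft add element` per address. Everything inside a single `nft -f` run
# is committed atomically: either the flush and all additions land
# together, or (on any syntax/parse error) nothing changes.
TABLE="ip filter"   # family and table used in the thread
SET="blackhole"     # set name used in the thread; the set must already exist

# build_batch FILE: read one IPv4 /32 per line, skip blank and '#' lines,
# strip stray whitespace, and print the batch text on stdout.
build_batch() {
    _addrs=$(awk '/^[[:space:]]*(#|$)/ { next }
                  { gsub(/[[:space:]]/, ""); print }' "$1" \
             | paste -s -d ',' -)
    printf 'flush set %s %s\n' "$TABLE" "$SET"
    # An empty input list still yields a valid batch that empties the set.
    if [ -n "$_addrs" ]; then
        printf 'add element %s %s { %s }\n' "$TABLE" "$SET" "$_addrs"
    fi
}

# check_batch FILE: parse-only dry run (nft -c), no ruleset change.
check_batch() {
    build_batch "$1" | nft -c -f -
}

# apply_batch FILE: feed the batch to nft once via stdin.
apply_batch() {
    build_batch "$1" | nft -f -
}

# Constructed sample input (not data from the thread).
sample_list() {
    printf '# customer list, constructed for this example\n'
    printf '192.0.2.10\n192.0.2.11\n\n198.51.100.7\n'
}

# Demonstration: show the batch that would be handed to nft.
_tmp=$(mktemp)
sample_list > "$_tmp"
build_batch "$_tmp"
rm -f "$_tmp"
```

Run `check_batch list.txt` first; a malformed address makes nft reject the whole batch, leaving the current set untouched.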