I've been using iptables for a long time, and I thought it's finally time to migrate it to nftables. There's no problem with basic rules, but the ipset ones cause some issues.

First of all, I have several ipset sets. Here's the example rule to create a set in nftables I found in some HowTo/manual:

    nft add set raw bt_level1_v4 { type ipv4_addr; flags interval; }

I have a script that creates an IP address list from some other list and converts it to the following format:

    ...
    65.82.100.192-65.82.100.223
    65.82.108.32-65.82.108.63
    65.82.120.160-65.82.120.167
    65.82.121.192-65.82.121.223
    65.82.121.224-65.82.121.255
    65.82.125.64-65.82.125.71
    ...

One of the lists has 236.804 entries. To import the list into ipset, I needed just the following command:

    cat $set.gz | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" | gawk -v my_set=$set '{print "add " my_set " " $1}' | $ips --restore -exist;

In a matter of seconds, the task was done. But in the case of nftables I couldn't really find any way to add a file full of IPs to the filter. So the only thing I came up with was the following command:

    # for i in $(cat list.txt); do nft add element ip raw bt_level1_v4 \{ $i \}; done

But something is wrong with it. I get a bunch of errors like these ones:

    Error: Range has zero or negative size
    add element ip raw bt_level1_v4 { 1.9.96.105-1.9.96.105 }
                                      ^^^^^^^^^^^^^^^^^^^^^
    Error: Range has zero or negative size
    add element ip raw bt_level1_v4 { 1.9.102.251-1.9.102.251 }
                                      ^^^^^^^^^^^^^^^^^^^^^^^

And at some point I get:

    Error: interval overlaps with an existing one
    add element ip raw bt_level1_v4 { 12.9.180.0-12.9.180.127 }
                                      ^^^^^^^^^^^^^^^^^^^^^^^
    Error: Could not process rule: Resource temporarily unavailable

And processing of the rules slows down dramatically. After some minutes I just hit Ctrl+C, but during the process the CPU was at 100% all the time.

So what's going on? Why can ipset accept the list without a problem while nftables has such issues with it?

Also, some of the IPs were added to the nftables set, but is there a way to cut the set config out of the output of the following command?

    # nft list table ip raw

Because having several hundred thousand IPs there isn't really user friendly when you want to see the filter config, i.e. all the other rules.
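The two errors quoted above (a zero-size range written as "a-a", and an interval that overlaps one already in the set) are both things a pre-processing step can remove before the list reaches nft, and one "nft -f" batch replaces hundreds of thousands of separate "nft add element" invocations. The following is an added example, not the poster's script or part of nftables: it parses the "a-b" line format shown above, collapses single-address ranges to a bare address, merges overlapping or adjacent intervals, and writes a batch file for "nft -f". The table and set names are taken from the question; the sample input is constructed.

```python
import ipaddress


def parse_ranges(lines):
    """Turn 'a-b' or bare 'a' lines into (first, last) integer pairs."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        lo, _, hi = line.partition("-")
        first = int(ipaddress.IPv4Address(lo))
        last = int(ipaddress.IPv4Address(hi)) if hi else first
        if last < first:
            raise ValueError(f"inverted range: {line}")
        out.append((first, last))
    return out


def merge_ranges(ranges):
    """Merge overlapping and adjacent intervals; an interval set rejects overlaps."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def fmt_element(first, last):
    """A single address is written bare: 'a-a' is rejected as a zero-size range."""
    a = str(ipaddress.IPv4Address(first))
    return a if first == last else f"{a}-{ipaddress.IPv4Address(last)}"


def build_nft_script(lines, table="ip raw", set_name="bt_level1_v4", chunk=1000):
    """Emit one batch for 'nft -f': (re)declare the set, flush it, add elements in chunks."""
    elems = [fmt_element(f, l) for f, l in merge_ranges(parse_ranges(lines))]
    out = [f"add table {table}",
           f"add set {table} {set_name} {{ type ipv4_addr; flags interval; }}",
           f"flush set {table} {set_name}"]
    for i in range(0, len(elems), chunk):
        out.append(f"add element {table} {set_name} {{ {', '.join(elems[i:i + chunk])} }}")
    return "\n".join(out) + "\n"


# Constructed sample: an 'a-a' entry plus two overlapping and two adjacent ranges.
SAMPLE = """1.9.96.105-1.9.96.105
12.9.180.0-12.9.180.127
12.9.180.64-12.9.180.200
65.82.100.192-65.82.100.223
65.82.100.224-65.82.100.255
""".splitlines()

if __name__ == "__main__":
    print(build_nft_script(SAMPLE), end="")  # redirect to a file and load with: nft -f file
```

Merging adjacent ranges is not required by nft, it only shrinks the element count; if you want to keep the original entries apart, drop the "+ 1" in merge_ranges.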