On 06/01/19 8:33 am, Mikhail Morfikov wrote:
# for i in $(cat list.txt); do nft add element ip raw bt_level1_v4 \{ $i \}; done
But something is wrong with it. I get a bunch of errors like these ones:
Error: Range has zero or negative size
add element ip raw bt_level1_v4 { 1.9.96.105-1.9.96.105 }
^^^^^^^^^^^^^^^^^^^^^
Error: Range has zero or negative size
add element ip raw bt_level1_v4 { 1.9.102.251-1.9.102.251 }
^^^^^^^^^^^^^^^^^^^^^^^
And at some point I get:
Error: interval overlaps with an existing one
add element ip raw bt_level1_v4 { 12.9.180.0-12.9.180.127 }
^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Resource temporarily unavailable
And processing of the rules slows down dramatically. After some
minutes I just hit Ctrl+C, but during the process the CPU was
at 100% all the time.
So what's going on? Why can ipset accept the list without a
problem while nftables has such issues with it?
See this bug report I created (please add a vote to it):
https://bugzilla.netfilter.org/show_bug.cgi?id=1312
Also instead of calling nft to add each element one by one, make use of
nft -f
Your script should create a file and pipe it to "nft -f -"
The script should split each entry and, if the start and end of the
range are the same, use only the start.
For example - final output would be something like:
#!/usr/bin/nft -f
define foolist = {
41.242.116.0-41.242.119.255,
1.9.96.105,
1.9.102.251,
}
# set must be addressed as "family table setname"; "raw" is the table from the question
add set ip raw fooset { type ipv4_addr; flags interval, auto-merge;
elements = $foolist }
Auto-merge should take care of overlapping.
And calling nft only once will save lots of CPU and should be much faster.
Regards,
Amish.
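A small shell script that does what Amish describes (added here as an illustration, not code from the thread): it collapses "x-x" entries to "x", wraps the list in a define, and emits one "add set" with interval and auto-merge so a single "nft -f -" run loads everything. The table name "raw" and set name "bt_level1_v4" come from the original question; the "_list" suffix on the define is an assumption.

```shell
#!/bin/sh
# Added example: turn list.txt (one "a.b.c.d" or "a.b.c.d-e.f.g.h" per line)
# into an nft script that loads the whole set in one call.

# Print one set element per line: drop comments and blank lines, and
# collapse a zero-size "range" (start == end) to a single address, which is
# what nft rejects with "Range has zero or negative size".
normalize_ranges() {
    # $1: path to the list file
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | awk -F- '
        NF == 0 { next }                        # blank line
        NF == 2 && $1 == $2 { print $1; next }  # start == end: keep one address
        { print $0 }                            # real range or single address
    '
}

# Emit a complete nft script: a define holding the elements, then an
# "add set" with "interval, auto-merge" so overlapping ranges are merged by
# nft instead of failing with "interval overlaps with an existing one".
emit_nft_script() {
    # $1: list file, $2: table name, $3: set name (define is "<set>_list", assumed)
    printf '#!/usr/bin/nft -f\n'
    printf 'define %s_list = {\n' "$3"
    normalize_ranges "$1" | sed 's/^/    /; s/$/,/'
    printf '}\n'
    printf 'add set ip %s %s { type ipv4_addr; flags interval, auto-merge; elements = $%s_list }\n' \
        "$2" "$3" "$3"
}

# Usage: generate the script and load it with a single nft invocation.
#   emit_nft_script list.txt raw bt_level1_v4 | nft -f -
```

The table "raw" must already exist, or prepend an "add table ip raw" line to the generated script.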