On 06/01/2019 07:00, Amish wrote:
> Also instead of calling nft to add each element one by one, make use of nft -f
>
> Your script should create a file and pipe it to "nft -f -"
>
> Script should split and check if start and end range is same then use only start.
>
> For example - final output would be something like:
>
> #!/usr/bin/nft -f
> define foolist = {
> 41.242.116.0-41.242.119.255,
> 1.9.96.105,
> 1.9.102.251,
> }
> add set ip fooset { type ipv4_addr; flags interval, auto-merge; elements = $foolist }
>
> Auto-merge should take care of overlapping.
>
> And calling nft only once will save lots of CPU and should be much faster.
>
Yes, I just fixed the script, and adding IPs to the set works well now.

But still, is there a way to get rid of the set rules from the "nft list ruleset" output? Because having 100K+ IPs in the set:

# nft list ruleset | wc -l
104153

makes the output really unreadable, and each "nft list" command, even those that list other tables, takes 5-10s to return some output.
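The generator Amish describes above, as an added example that is not code from this thread or from the nftables project: it reads one address, address range or CIDR per line, writes a range whose start equals its end as a single address, coalesces overlapping and adjacent ranges itself (auto-merge would also do it, but pre-merging keeps the file small), and emits one script for a single `nft -f -` call. The table `ip foo`, the set name `fooset` and the variable `foolist` are assumptions; a set must live in a table, so the script also adds the table (a no-op if it already exists).

```python
"""Turn a large IPv4 blocklist into one `nft -f` script (added example).

Input lines may be 'a.b.c.d', 'a.b.c.d-w.x.y.z' or 'a.b.c.d/nn'; blank lines
and '#' comments are ignored.  Table/set/variable names below are assumptions.
"""
import ipaddress
import subprocess
import sys


def parse_entry(line):
    """Return an (IPv4Address start, IPv4Address end) pair, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if "-" in line:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
        if hi < lo:
            raise ValueError(f"reversed range: {line}")
        return lo, hi
    if "/" in line:
        net = ipaddress.IPv4Network(line, strict=False)
        return net[0], net[-1]
    addr = ipaddress.IPv4Address(line)
    return addr, addr


def merge_ranges(ranges):
    """Sort the ranges and coalesce any that overlap or touch."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and int(lo) <= int(merged[-1][1]) + 1:
            if hi > merged[-1][1]:
                merged[-1] = (merged[-1][0], hi)
        else:
            merged.append((lo, hi))
    return merged


def format_element(lo, hi):
    """A range whose start equals its end is written as a plain address."""
    return str(lo) if lo == hi else f"{lo}-{hi}"


def collapse(lines):
    """Parse, merge and format all entries into nft set element strings."""
    ranges = [r for r in (parse_entry(l) for l in lines) if r is not None]
    return [format_element(lo, hi) for lo, hi in merge_ranges(ranges)]


def build_nft_script(lines, table="ip foo", set_name="fooset", var="foolist"):
    """Build the text piped to `nft -f -`.  Names are assumptions, not from the thread."""
    elements = collapse(lines)
    out = ["#!/usr/bin/nft -f", f"add table {table}"]
    if elements:
        body = "\n".join(f"    {e}," for e in elements)
        out.append(f"define {var} = {{\n{body}\n}}")
        out.append(f"add set {table} {set_name} {{ type ipv4_addr; "
                   f"flags interval, auto-merge; elements = ${var} }}")
    else:
        # An empty elements list is not valid, so create the set without one.
        out.append(f"add set {table} {set_name} {{ type ipv4_addr; "
                   f"flags interval, auto-merge; }}")
    return "\n".join(out) + "\n"


def load(script):
    """Hand the script to nft once; raises CalledProcessError if nft rejects it."""
    subprocess.run(["nft", "-f", "-"], input=script, text=True, check=True)


if __name__ == "__main__":
    # Usage: blocklist.py [--load] < ips.txt   (prints the script unless --load is given)
    script = build_nft_script(sys.stdin.read().splitlines())
    if "--load" in sys.argv[1:]:
        load(script)
    else:
        sys.stdout.write(script)
```

Piping the output to `nft -f -` applies the whole list in one transaction, which is where the CPU saving comes from. The readability problem in the last question is separate: newer nftables releases have `nft -t` (`--terse`), which omits set contents from `list` output, so `nft -t list ruleset` shows the rules without the 100K elements.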