On 1/26/20 1:36 PM, kfm wrote:
> On 26/01/2020 04:18, Lars Noodén wrote:
>> In nftables, I'd like to apply a rule or set of rules to a very large
>> number of IP addresses and subne
> [snip]
> It matters. Rather than individual rules, you should definitely use a
> set if you can.
> [snip]

Thanks for the details. That helped and now I have a working filter based
on a set. It needed "flags interval;" as you said. Since I fed it the output
from a whois search on an AS number, I also had to use "auto-merge" to fold
overlapping subnets onto each other.

  table ip filter {
    set foo4 {
      type ipv4_addr
      flags interval
      auto-merge
      elements = { ..., ..., ... }
    }
  }

There were a lot of warnings about overlap as the subnets were fed in but
the result seemed that the minimum had been calculated (I think).

  # one nft call per prefix; nft warns once for every prefix auto-merge folds
  whois -h whois.radb.net '!gAS.....' \
    | tr ' ' '\n' \
    | grep -E '([0-9]{1,3}\.){3}' \
    | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n \
    | xargs -I% nft element ip filter foo4 { % }

/Lars
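The same load done as a single transaction, as an added example that is not from the thread: it turns the whois output into a ruleset for `nft -f`, so the set is flushed and refilled atomically instead of one `nft element` call per prefix. The table name `filter`, the set name `foo4`, the `/32` default for bare addresses and the constructed sample input are assumptions.

```shell
#!/bin/sh
# Added example, not Lars's or kfm's code. Assumes table "ip filter"
# and set "foo4" as in the thread.

# Pull IPv4 prefixes out of whois-style text, one per line. Bare
# addresses become /32 so nft accepts them in an interval set.
# Plain sort -u dedupes whole lines first; the keyed sort that follows
# only orders the output (auto-merge does the real overlap folding).
extract_prefixes() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' \
    | sed -E 's#^([0-9.]+)$#\1/32#' \
    | sort -u \
    | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Emit a ruleset fragment for `nft -f`: declare the set (idempotent),
# empty it, then add every prefix. nft -f applies the file as one
# transaction, so the filter never sees a half-loaded set.
render_set() {
    printf 'table ip filter {\n'
    printf '\tset foo4 {\n'
    printf '\t\ttype ipv4_addr\n'
    printf '\t\tflags interval\n'
    printf '\t\tauto-merge\n'
    printf '\t}\n'
    printf '}\n'
    printf 'flush set ip filter foo4\n'
    printf 'add element ip filter foo4 { %s }\n' \
        "$(extract_prefixes | paste -sd, -)"
}

# Constructed sample of what the whois query returns (documentation
# prefixes only). Real use: whois -h whois.radb.net '!gAS<number>' \
#   | render_set | nft -c -f -      # -c: syntax check without applying
sample_whois='route: 192.0.2.0/24 origin AS64496
route: 198.51.100.0/25
route: 192.0.2.0/24
203.0.113.7'

printf '%s\n' "$sample_whois" | render_set
```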