Re: Migrate ipsets to nftables


Hi,

On Wed, 2021-01-20 at 21:26 +0000, kfm@xxxxxxxxxxxxx wrote:
> On 20/01/2021 10:41, Nikolai Lusan wrote:
> > Hi all,
> > 
> > I am in the process of migrating from iptables+ipsets to nftables.
> > Is there an easy way to migrate existing ipsets to nftables sets?
> > 
> 
> Assuming that you are alluding to the prospect of having a utility that 
> can act as a stand-in for ipset(8) then, to the best of my knowledge, 
> the answer is no. At least, not yet.
> 
> That said, if you were to go into more detail regarding the aspects of 
> migration that you are having difficulty with in the absence of tooling, 
> it should be possible to provide some guidance.

Basically I have a handful of custom sets, the small ones are easy
enough to transition in nft - and they remain fairly static - the
larger ones (some contain networks, some IPv4/6 hashes) are cumbersome
at best to re-create ... currently I have been using ipset-save to put
all the sets into a file which is used to rebuild the sets when needed,
or on reboot. Some of the larger sets have thousands of IP addresses in
them, so sticking them in the standard nftables.conf file is unsightly
and unreadable at best.


Thanks

-- 
Nikolai Lusan <nikolai@xxxxxxxxxxx>
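
An added example, not part of the original message: one way to turn the `ipset save` file described above into a separate nftables file, so that thousands of elements stay out of the main `nftables.conf`. It assumes a table named `inet filter`, handles only `hash:ip` and `hash:net` sets, reports everything else instead of guessing, and runs on constructed sample input.

```python
import ipaddress
INTERVAL = {"hash:ip": False, "hash:net": True}  # only these ipset types are handled

def ipset_save_to_nft(save_text, table="filter", family="inet"):
    """Translate `ipset save` text; return (nft_file_text, notes_on_skipped_lines)."""
    sets, skipped = {}, []
    for line in save_text.splitlines():
        w = line.split()
        if len(w) >= 3 and w[0] == "create":
            if w[2] not in INTERVAL:
                skipped.append(f"{w[1]}: unsupported type {w[2]}")
                continue
            version = 6 if "inet6" in w[3:] else 4  # save prints "family inet6"
            sets[w[1]] = (version, INTERVAL[w[2]], [])
        elif len(w) >= 3 and w[0] == "add" and w[1] in sets:
            version, interval, elems = sets[w[1]]
            try:
                if len(w) > 3:  # timeout/nomatch/comment: do not guess a mapping
                    raise ValueError("entry has options")
                elem = (ipaddress.ip_network(w[2], strict=False) if interval
                        else ipaddress.ip_address(w[2]))  # rejects anything else
                if elem.version != version:
                    raise ValueError("wrong address family")
                elems.append(elem)
            except ValueError as err:
                skipped.append(f"{w[1]}: {w[2]} ({err})")
    out = [f"table {family} {table} {{"]
    for name, (version, interval, elems) in sets.items():
        if interval:  # merge overlapping prefixes before they go into an interval set
            elems = list(ipaddress.collapse_addresses(elems))
        out += [f"\tset {name} {{", f"\t\ttype ipv{version}_addr"] + (["\t\tflags interval"] if interval else [])
        if elems:  # an empty set gets no elements line
            out.append("\t\telements = { " + ",\n\t\t\t".join(map(str, elems)) + " }")
        out.append("\t}")
    return "\n".join(out + ["}"]) + "\n", skipped

# Constructed sample in `ipset save` format (documentation addresses only).
SAMPLE = """\
create blocklist hash:ip family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.10
add blocklist 192.0.2.11
create badnets hash:net family inet hashsize 1024 maxelem 65536
add badnets 198.51.100.0/24
add badnets 198.51.100.128/25
add badnets 203.0.113.0/24 nomatch
create v6hosts hash:ip family inet6 hashsize 1024 maxelem 65536
add v6hosts 2001:db8::1
create ports bitmap:port range 0-1024
"""
```

Write the returned text to its own file and pull it into `nftables.conf` with nft's `include` statement; rules that reference a set such as `@blocklist` must live in the same table. Review the skipped notes before switching over, since a dropped `nomatch` or `timeout` entry changes what the set matches.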