Hi,
I'm using ipset swap in production with ~3000 IP addresses,
i.e.
- change coming from customer (new IPs, old IPs deprecated)
- generation of new list /etc/sysconfig/ipset-new
- swap ipset-new with ipset
The transaction is near real-time.
Now I'm moving from RHEL7 to RHEL9 (Rocky, kernel 5.14, nftables 1.0.4)
and trying to move from ipset to nftables sets:
nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all packets from these hosts\" \; }
and fill the set.
Now the new flow is:
- change coming from customer (new IPs, old IPs deprecated)
- nft flush set ip filter blackhole
- nft add element ip filter blackhole { X } (bash for loop)
It takes 10 seconds.
Can you recommend a better way (with performance similar to ipset swap)?
Thanks,
Marek
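Added example (not code from the original post or from any reply to it): the same flush-and-refill flow expressed as one nft batch file applied with `nft -f`, which reads the whole file and commits it as a single transaction instead of forking one `nft` process per address. The table and set names are the ones in the post; the input path, output path and chunk size are assumptions for illustration, and the customer list is assumed to hold one IPv4 address per line. Because that list comes from outside, every line is checked to be a plain dotted quad before it is spliced into nft syntax.

```sh
#!/bin/sh
# Added example, not code from the original post or any reply to it.
# Builds ONE nft batch file that flushes ip/filter/blackhole and re-adds every
# address, then applies it with `nft -f`, which commits the whole file as a
# single transaction (all or nothing). Input path, output path and chunk size
# are assumptions for illustration; table/set names are the ones in the post.
set -eu

# build_blackhole_batch SOURCE OUT [CHUNK]
#   SOURCE: customer-supplied list, one IPv4 address per line (blank lines and
#           lines starting with '#' are skipped)
#   OUT:    nft batch file to write
#   CHUNK:  addresses per "add element" line (default 500)
# The list is untrusted input: every line must be a plain dotted quad, so a
# line like "1.2.3.4 }; flush ruleset" can never be spliced into nft syntax.
# Returns non-zero (and leaves no OUT file) on the first invalid line.
build_blackhole_batch() {
    src="$1"; out="$2"; chunk="${3:-500}"
    awk -F. -v chunk="$chunk" '
        function bad(line) {
            printf "invalid address in %s: \"%s\"\n", FILENAME, line > "/dev/stderr"
            failed = 1
            exit 2
        }
        BEGIN { print "flush set ip filter blackhole" }
        /^[ \t]*$/ || /^#/ { next }
        {
            if (NF != 4) bad($0)
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) bad($0)
            buf = (n % chunk == 0) ? $0 : buf ", " $0
            n++
            if (n % chunk == 0) {
                print "add element ip filter blackhole { " buf " }"
                buf = ""
            }
        }
        END {
            if (failed) exit 2
            if (n % chunk != 0) print "add element ip filter blackhole { " buf " }"
        }
    ' "$src" > "$out" || { rm -f "$out"; return 2; }
}

# apply_blackhole_batch OUT
#   nft -f parses the whole file first and commits it as one transaction, so
#   the set is never observed empty and a syntax error leaves the old contents.
apply_blackhole_batch() {
    nft -f "$1"
}

# Usage: blackhole-reload.sh /etc/sysconfig/blackhole.txt /run/blackhole.nft
if [ "$#" -eq 2 ]; then
    build_blackhole_batch "$1" "$2"
    apply_blackhole_batch "$2"
fi
```

The generated file starts with `flush set ip filter blackhole` followed by one `add element ip filter blackhole { ... }` line per chunk of addresses; because the flush and the adds are in the same batch, the kernel sees either the old set contents or the complete new ones. A set created with only `type ipv4_addr` and no `flags interval` accepts single addresses, which is why the validator rejects prefixes and ranges along with anything else that is not a dotted quad.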