Re: ipset swap to nftables set

On Fri, 29 Sep 2023, at 2:44 PM, marek wrote:
> hi,
>
> i'm using in production ipset swap with ~3000 ip addr
>
> i.e.
>
> - change coming from customer (new ips, old ips deprecated)
>
> - generation of new list /etc/sysconfig/ipset-new
>
> - swap ipset-new with ipset
>
> transaction is near real-time
>
>
> now i'm moving from RHEL7 to RHEL9 (rocky, kernel 5.14, nftables 1.0.4) 
> and trying to move from ipset to nftables sets
>
> nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all 
> packets from these hosts\" \; }
> fill the set
>
> now the new flow is
>
> - change coming from customer (new ips, old ips deprecated)
>
> - nft flush set ip filter blackhole
>
> - nft add element ip filter blackhole { X }   (bash for loop)

Executing nft repeatedly will certainly be slow, if that is what you are currently doing. I'd be interested to know what you are using 'for' to iterate over, precisely, because there's a fair chance that your use of 'for' is an anti-pattern to begin with.

>
>
> it took 10 sec
>
> can you recommend better way? (performance similar to ipset swap)

Yes, definitely. However, I would prefer to see some of the existing code first. This will make it easier to provide clear guidance as to how to modify your script. In particular, please make it clear where the input data comes from, and the precise format of this data.

-- 
Kerin Millar
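For reference, the approach the reply is hinting at, written as an added example rather than code from either participant: instead of spawning nft once per address, generate a single batch for `nft -f -` that flushes the set and re-adds every element in one transaction, which is the nft equivalent of `ipset swap`. It assumes the input is a plain file with one IPv4 address per line (as the thread's /etc/sysconfig/ipset-new style list) and uses the table/set names from the thread (`ip filter blackhole`).

```shell
#!/bin/sh
# Atomic replacement of an nft set's contents, the counterpart of "ipset swap".
# Everything handed to one "nft -f" invocation is committed as a single
# transaction, so the set is never observed empty between flush and refill.
# Assumption (constructed example): input file has one IPv4 address per line.

# build_batch FILE: print the nft batch for the addresses listed in FILE.
# Lines that are not dotted-quad IPv4 addresses are ignored, duplicates are
# collapsed (nft would otherwise reject a repeated element), and an empty
# input yields a batch that only flushes the set.
build_batch() {
    addrs=$(grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$1" | sort -u | paste -s -d ',' -)
    printf 'flush set ip filter blackhole\n'
    if [ -n "$addrs" ]; then
        printf 'add element ip filter blackhole { %s }\n' "$addrs"
    fi
}

# apply_batch FILE: build the batch and apply it with a single nft process.
# nft exits non-zero and applies nothing if any line of the batch is invalid.
apply_batch() {
    build_batch "$1" | nft -f -
}
```

Roughly 3000 addresses then cost one fork of nft and one kernel transaction instead of 3000; the same batch file can be kept on disk and loaded with `nft -f` from a systemd unit.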
