On Fri, 29 Sep 2023, at 3:36 PM, Reindl Harald wrote:
> On 29.09.23 at 16:30, Eric wrote:
>> On Friday, September 29th, 2023 at 06:44, marek <cervajs64@xxxxxxxxx> wrote:
>>> - nft flush set ip filter blackhole
>>>
>>> - nft add element ip filter blackhole { X } (bash for loop)
>>
>> Hi Marek,
>>
>> Do that last step atomically and it should be plenty fast.
>>
>> nft flush set ip filter blackhole
>> nft add element ip filter blackhole {\
>> 1.0.0.1, \
>> 1.0.0.2, \
>> 1.0.0.3, \
>> 1.1.1.1, \
>> 1.1.1.2, \
>> 1.1.1.3, \
>> 1.193.146.35, \
>> ...
>> 99.99.99.99, \
>> }
>
> still horrible compared to ipset swap because it is *not* atomically

It should be atomic, provided that the command stream conveyed to a single invocation of nft includes both the flush and add command. That's how I've been going about it for years now. Here is an example, in which a list of newline-delimited IPv4 addresses is consumed from a file named "ipv4-list.txt".

{
	set="ip filter blackhole"
	# Both commands go to one nft invocation, so they form one transaction.
	echo "flush set $set"
	echo "add element $set {"
	# sed reads the list from the group's stdin and appends a comma to each line.
	sed -e 's/$/,/'
	echo "}"
} < ipv4-list.txt | nft -f -

-- 
Kerin Millar
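Added example, not part of the original message: the same single-transaction reload, with each list entry checked before it reaches the nft command stream, so that a malformed or hostile line in the feed cannot add extra nft statements. It goes slightly beyond the thread by also removing duplicates and refusing to emit anything when no valid address remains. The function name `build_blackhole_reload` is hypothetical; the set and file names are the ones used in the thread.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Reads an address list on stdin and prints ONE nft command stream:
# flush + add element, to be applied by a single "nft -f -" invocation.

build_blackhole_reload() {
    # $1 = set spec, e.g. "ip filter blackhole"
    awk -v set="$1" '
        # Accept only strict dotted-quad IPv4: four octets, 0-255, no leading zeros.
        function valid_ipv4(s,    n, p, i) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^(0|[1-9][0-9]?[0-9]?)$/ || p[i] + 0 > 255) return 0
            return 1
        }
        {
            sub(/#.*/, "")              # drop comments
            sub(/^[ \t\r]+/, "")        # trim leading whitespace and CRs
            sub(/[ \t\r]+$/, "")        # trim trailing whitespace and CRs
        }
        $0 == "" { next }
        !valid_ipv4($0) {
            # Report the line number only; never echo untrusted text into the stream.
            printf "skipping invalid entry on line %d\n", NR > "/dev/stderr"
            next
        }
        !seen[$0]++ { addr[++count] = $0 }   # de-duplicate, keep first-seen order
        END {
            # Nothing valid: emit nothing and fail, so the live set is left untouched.
            if (count == 0) exit 1
            print "flush set " set
            print "add element " set " {"
            for (i = 1; i <= count; i++) print "  " addr[i] ","
            print "}"
        }'
}

# Typical use (not executed here): build first, apply only if the build succeeded.
#   cmds=$(build_blackhole_reload "ip filter blackhole" < ipv4-list.txt) &&
#       printf '%s\n' "$cmds" | nft -f -
```

Running the stream through `nft -c -f -` first checks it without applying any change.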