Re: ipset swap to nftables set

On 2023-09-29 at 16:41 Kerin Millar wrote:
> On Fri, 29 Sep 2023, at 2:44 PM, marek wrote:
> > hi,
> >
> > I'm using ipset swap in production with ~3000 IP addresses,
> >
> > i.e.
> >
> > - change coming from customer (new IPs, old IPs deprecated)
> >
> > - generation of new list /etc/sysconfig/ipset-new
> >
> > - swap ipset-new with ipset
> >
> > the transaction is near real-time.
> >
> >
> > Now I'm moving from RHEL7 to RHEL9 (Rocky, kernel 5.14, nftables 1.0.4)
> > and trying to move from ipset to nftables sets:
> >
> >     nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all packets from these hosts\" \; }
> >
> > then fill the set.
> >
> > Now the new flow is:
> >
> > - change coming from customer (new IPs, old IPs deprecated)
> >
> > - nft flush set ip filter blackhole
> >
> > - nft add element ip filter blackhole { X }   (bash for loop)
> Executing nft repeatedly will certainly be slow, if that is what you are currently doing. I'd be interested to know what you are using for to iterate over precisely because there's a fair chance that your use of for is an anti-pattern to begin with.
>
> > it takes 10sec
> >
> > can you recommend a better way? (performance similar to ipset swap)
> Yes, definitely. However, I would prefer to see some of the existing code first. This will make it easier to provide clear guidance as to how to modify your script. In particular, please make it clear where the input data comes from, and the precise format of this data.
>
I'll try the tip from the previous mail.

The current version is a very simple loop like:

    # one nft process per address, so this runs ~3000 times
    while read -r i; do
        nft add element ip filter blackhole "{ $i }"
    done < file

"i" is an IPv4 /32 address.

Marek
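The thread stops before anyone shows the batched form, so here is an added example of the approach Kerin is pointing at; it is my code, not Marek's script or anything from the nftables project. Instead of one nft process per address, it writes a single nft script that flushes the set and re-adds every address, and hands that to "nft -f" in one run. nft applies a file as one transaction, so the flush and the adds are committed together: readers of the ruleset see either the old list or the new one, never an empty set, which is what "ipset swap" gave on RHEL7. It assumes the table "ip filter" and the set "blackhole" created earlier in the thread already exist; the function names, the awk validation and the list path in the usage comment are my own choices, and any addresses in the comments are constructed documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): replace the per-address nft loop with
# one atomic batch, the nftables equivalent of "ipset swap".
# Assumes the table "ip filter" and the set "blackhole" already exist,
# exactly as created earlier in the thread.

# Print an nft script that flushes the set and re-adds every address from the
# file given as $1 (one IPv4 /32 per line; blank lines and '#' comments are
# ignored, malformed lines are reported on stderr and skipped).
build_blackhole_batch() {
    printf 'flush set ip filter blackhole\n'
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            ok = (split($1, o, ".") == 4)
            for (k = 1; ok && k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) ok = 0
            if (!ok) {
                printf "skipping malformed line %d: %s\n", NR, $0 > "/dev/stderr"
                next
            }
            # first valid address opens the statement, later ones are comma-separated
            printf "%s%s", (n++ ? ", " : "add element ip filter blackhole { "), $1
        }
        END { if (n) print " }" }
    ' "$1"
}

# Feed the batch to nft: everything in one "nft -f" run is committed as a
# single transaction, so the flush and the adds land together and the set is
# never observed empty in between.
apply_blackhole_batch() {
    build_blackhole_batch "$1" | nft -f -
}

# usage (path taken from the thread, any list file works):
#   apply_blackhole_batch /etc/sysconfig/ipset-new
```

Two things worth knowing about the design: nft rejects the whole file if any line fails to parse, so the awk filter reports and drops malformed customer entries rather than letting one bad line leave the old list in place silently; if you would rather the update fail loudly in that case, remove the "next" and let nft refuse the batch. And if the list is ever empty the script still emits the flush, which is the same thing a swap with an empty ipset would have done.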