Hello,

I've been experimenting with nftables sets for the purpose of geoip blocking. Let's say I'd like to add IP blocks for multiple countries to a blacklist or to a whitelist. Perhaps the most efficient way to do that would be by combining all required IP blocks in one set (for each family). However, since country IP blocks are a moving target, I would need to regularly refresh parts of that set. My idea was to delete all IP addresses corresponding to an IP block from the set and then add the updated IP block.

The problem is, this is very slow. While adding an IP block takes (in my VM) 0.09s, deleting all IPs from that same block takes 14.5s.

This is how I'm doing the deletion and the time measurement:

    printf '%s\n' "delete element inet test testset { $(cat test.set) };" | /usr/bin/time -f %es nft -f -

(the test.set file stores a comma-separated list of subnets)

Is there a more efficient way to do this? I could of course flush the set and rebuild it every time I need to update some part of it, but I thought I'd ask before deciding to implement that.
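
The flush-and-rebuild option mentioned at the end of the post can be written as a single batch, shown here as an added example that is not part of the original post. It relies on `nft -f` applying a whole file as one transaction, so the set is never observed empty and a failed load leaves the old contents in place. The function name and the `geoip/*.set` path are hypothetical; the sample subnets are constructed documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post).
# Emit one nft batch that flushes a set and refills it from per-country
# files, each holding a comma-separated list of subnets (like test.set).
build_refresh_batch() {
    family=$1 table=$2 setname=$3
    shift 3
    printf 'flush set %s %s %s\n' "$family" "$table" "$setname"
    for f in "$@"; do
        # Normalise the list: newlines become commas, whitespace is
        # dropped, repeated/leading/trailing commas are removed.
        elems=$(tr '\n' ',' < "$f" | tr -d ' \t\r' |
                sed -e 's/,,*/,/g' -e 's/^,//' -e 's/,$//')
        # An empty file would yield "add element ... { }", which nft
        # rejects, failing the whole batch. Skip it instead.
        [ -n "$elems" ] || continue
        printf 'add element %s %s %s { %s }\n' \
            "$family" "$table" "$setname" "$elems"
    done
}

# Constructed sample input: two country files plus one empty file.
demo_batch() {
    d=$(mktemp -d)
    printf '192.0.2.0/24, 198.51.100.0/24,\n' > "$d/aa.set"
    : > "$d/empty.set"
    printf '203.0.113.0/24\n' > "$d/bb.set"
    build_refresh_batch inet test testset "$d/aa.set" "$d/empty.set" "$d/bb.set"
    rm -rf "$d"
}

# Typical use (hypothetical paths), validating first with nft's check mode:
#   build_refresh_batch inet test testset geoip/*.set > batch.nft
#   nft -c -f batch.nft && nft -f batch.nft
```
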