On 31.01.24 at 09:14, Anton wrote:
Hello, I've been experimenting with nftables sets for the purpose of
geoip blocking. Let's say I'd like to add ip blocks for multiple
countries to a blacklist or to a whitelist. Perhaps the most efficient
way to do that would be by combining all required ip blocks in one set
(for each family). However since country ip blocks are a moving
target, I would need to regularly refresh parts of that set. My idea
was to delete all ip addresses corresponding to an ip block from the
set and then add the updated ip block. The problem is, this is very
slow. While adding an ip block takes (in my VM) 0.09s, deleting all
ip's from that same block takes 14.5s.
This is how I'm doing the deletion and the time measurement:
printf '%s\n' "delete element inet test testset { $(cat test.set) };" \
  | /usr/bin/time -f %es nft -f -
(the test.set file stores a comma-separated list of subnets)
Is there a more efficient way to do this? I could of course flush the
set and rebuild it every time I need to update some part of it, but I
thought I'd ask before deciding to implement that.
That's what swap is for - you don't mangle around live in a large ipset.
/usr/sbin/ipset -exist create IANA_RESERVED_IPV4_TMP hash:net maxelem 512 family inet
/usr/sbin/ipset flush IANA_RESERVED_IPV4_TMP
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 127.0.0.0/8
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 10.0.0.0/8
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 100.64.0.0/10
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 169.254.0.0/16
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 172.16.0.0/12
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.0.0.0/24
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.0.2.0/24
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.168.0.0/16
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.88.99.0/24
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 198.18.0.0/15
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 198.51.100.0/24
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 203.0.113.0/24
/usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 240.0.0.0/4
/usr/sbin/ipset swap IANA_RESERVED_IPV4_TMP IANA_RESERVED_IPV4
/usr/sbin/ipset destroy IANA_RESERVED_IPV4_TMP
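The nftables counterpart of the ipset swap above, as an added example that is not from either poster: instead of deleting elements one by one, emit one nft batch that flushes the set and re-adds the current prefix list, so `nft -f` applies it as a single atomic transaction and the firewall never sees a half-updated set. It assumes the set from the question (`inet test testset`, created with `flags interval` so it holds subnets) and the thread's file format (a comma-separated list of subnets); the sample prefixes are constructed, not real country data.

```shell
#!/bin/sh
# Added example: atomic replacement of an nftables set's contents.
# nft -f loads the whole file as one transaction, so "flush" + "add element"
# in the same batch is the nftables equivalent of "ipset swap".

# build_refresh_batch FAMILY TABLE SET FILE
# Prints the nft commands; the caller pipes them into "nft -f -".
build_refresh_batch() {
    family=$1; table=$2; set=$3; file=$4
    # Normalise the comma-separated list: strip whitespace and newlines,
    # drop a trailing comma. Refuse an empty list: flushing the set because
    # a feed download came back empty would silently drop every block rule.
    elems=$(tr -d ' \t\n' < "$file" | sed 's/,*$//')
    [ -n "$elems" ] || { echo "refusing to apply empty set $set" >&2; return 1; }
    printf 'flush set %s %s %s\n' "$family" "$table" "$set"
    printf 'add element %s %s %s { %s }\n' "$family" "$table" "$set" "$elems"
}

# apply_refresh FAMILY TABLE SET FILE
# Builds the batch and loads it, timed the same way as in the question.
apply_refresh() {
    build_refresh_batch "$@" | /usr/bin/time -f %es nft -f -
}

# Constructed sample in the thread's file format (hypothetical prefixes,
# with the whitespace and trailing comma a concatenated feed might contain).
SAMPLE_SET=$(mktemp)
printf '10.0.0.0/8, 192.168.0.0/16,\n172.16.0.0/12\n' > "$SAMPLE_SET"
build_refresh_batch inet test testset "$SAMPLE_SET"   # prints the two-line batch
```

Because the batch replaces the whole set, the file handed to it must be the concatenation of every country block you want in the set, not just the one that changed.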