Re: Is there an efficient way to delete multiple elements from a set?

Thank you for your input. As I mentioned, I am specifically
considering nftables sets, not 'ipset' sets. nftables sets do not
support swap AFAIK. Now I could use separate sets for each country
regardless and replace them when needed, however this way the firewall
won't be as efficient as with one rule and one set. I may eventually
do it this way if there is no better option.

On Wed, Jan 31, 2024 at 10:21 AM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
>
> Am 31.01.24 um 09:14 schrieb Anton:
> > Hello, I've been experimenting with nftables sets for the purpose of
> > geoip blocking. Let's say I'd like to add ip blocks for multiple
> > countries to a blacklist or to a whitelist. Perhaps the most efficient
> > way to do that would be by combining all required ip blocks in one set
> > (for each family). However since country ip blocks are a moving
> > target, I would need to regularly refresh parts of that set. My idea
> > was to delete all ip addresses corresponding to an ip block from the
> > set and then add the updated ip block. The problem is, this is very
> > slow. While adding an ip block takes (in my VM) 0.09s, deleting all
> > ip's from that same block takes 14.5s.
> >
> > This is how I'm doing the deletion and the time measurement:
> > printf '%s\n' "delete element inet test testset { $(cat test.set) };" | /usr/bin/time -f %es nft -f -
> >
> > (the test.set file stores a comma-separated list of subnets)
> >
> > Is there a more efficient way to do this? I could of course flush the
> > set and rebuild it every time I need to update some part of it, but I
> > thought I'd ask before deciding to implement that.
>
> that's what swap is for - you don't mangle around live in a large ipset
>
> /usr/sbin/ipset -exist create IANA_RESERVED_IPV4_TMP hash:net maxelem 512 family inet
> /usr/sbin/ipset flush IANA_RESERVED_IPV4_TMP
>
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 127.0.0.0/8
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 10.0.0.0/8
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 100.64.0.0/10
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 169.254.0.0/16
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 172.16.0.0/12
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.0.0.0/24
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.0.2.0/24
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.168.0.0/16
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 192.88.99.0/24
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 198.18.0.0/15
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 198.51.100.0/24
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 203.0.113.0/24
> /usr/sbin/ipset add IANA_RESERVED_IPV4_TMP 240.0.0.0/4
>
> /usr/sbin/ipset swap IANA_RESERVED_IPV4_TMP IANA_RESERVED_IPV4
> /usr/sbin/ipset destroy IANA_RESERVED_IPV4_TMP
