Re: Is there an efficient way to delete multiple elements from a set?

On Thu, 1 Feb 2024, Pablo Neira Ayuso wrote:

> On Thu, Feb 01, 2024 at 10:41:21AM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Jan 31, 2024 at 10:14:41AM +0200, Anton wrote:
> > > Hello, I've been experimenting with nftables sets for the purpose of
> > > geoip blocking. Let's say I'd like to add ip blocks for multiple
> > > countries to a blacklist or to a whitelist. Perhaps the most efficient
> > > way to do that would be by combining all required ip blocks in one set
> > > (for each family). However since country ip blocks are a moving
> > > target, I would need to regularly refresh parts of that set. My idea
> > > was to delete all ip addresses corresponding to an ip block from the
> > > set and then add the updated ip block. The problem is, this is very
> > > slow. While adding an ip block takes (in my VM) 0.09s, deleting all
> > > ip's from that same block takes 14.5s.
> > > 
> > > This is how I'm doing the deletion and the time measurement:
> > > printf '%s\n' "delete element inet test testset { $(cat test.set) };" | /usr/bin/time -f %es nft -f -
> > > 
> > > (the test.set file stores a comma-separated list of subnets)
> > > 
> > > Is there a more efficient way to do this? I could of course flush the
> > > set and rebuild it every time I need to update some part of it, but I
> > > thought I'd ask before deciding to implement that.
> > 
> > It is possible to flush the set and fill up with content again:
> > 
> > flush set inet test testset
> > add element inet test testset { ...  }
> 
> I forgot to mention: Run this as a batch .nft file, then:
> 
>         # nft -f update-set.nft

I'd like to add that the nft command above is atomic and either it 
succeeds and the set content is replaced with the new elements or it fails 
and the original set is kept intact. (It is important that the "flush" and 
"add" subcommands be executed by a single nft command invocation as in the 
example above.)

So it's roughly equivalent to

	ipset create temp-set ...
	ipset add temp-set ...
	ipset swap production-set temp-set
	ipset destroy temp-set

Best regards,
Jozsef
-- 
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
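To keep the flush and the add inside one transaction, as Pablo and Jozsef describe, the batch file can be generated from the set file and handed to a single `nft -f`. This is an added example, not code from the thread; it assumes the names from the original post (table `inet test`, set `testset`, a `test.set` file holding a comma-separated or newline-separated list of subnets) and uses `nft -c` as a pre-flight syntax check before applying.

```shell
#!/bin/sh
# Added example: build one batch that flushes the set and re-adds its elements,
# so a single `nft -f` applies both steps atomically (all or nothing).
# Assumed names: family/table/set as in the original post, e.g. inet test testset.

# Print the batch text for a set file.  Usage: build_batch FAMILY TABLE SET FILE
# Newlines in FILE are turned into commas, so both "a, b" on one line and
# one subnet per line work; the trailing separator is stripped.
build_batch() {
    family=$1; table=$2; set=$3; file=$4
    elements=$(tr -s '\n' ',' < "$file" | sed 's/,$//')
    # Same transaction: if the add fails, the flush is rolled back too.
    printf 'flush set %s %s %s\n' "$family" "$table" "$set"
    printf 'add element %s %s %s { %s }\n' "$family" "$table" "$set" "$elements"
}

# Validate the batch with `nft -c` (parse only, kernel untouched), then apply it.
# Usage: apply_batch FAMILY TABLE SET FILE
apply_batch() {
    batch=$(mktemp) || return 1
    build_batch "$@" > "$batch"
    nft -c -f "$batch" && nft -f "$batch"
    rc=$?
    rm -f "$batch"
    return $rc
}

# Example invocation (requires root and nft):  apply_batch inet test testset test.set
```

The `flush` only removes elements; the set's type, flags and timeouts stay as defined in the table, which is what lets the replacement keep using the same set name.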