Sets update

Hi all,

I recently started to port my ipsets to nftables sets. I was using these
ipsets (besides others) in a manner where they had some timeout set
and their content was regularly updated (from various sources, online
and local). If some IP(v6) was removed, I didn't bother to remove it
from the ipset, as it was removed by timeout...

Now I fight with the same approach in nftables sets (kernel 5.15, nft
1.0.8). I learned that to update an element's timeout I need to remove the
element and then (re)add it again. As there is no simple way to do
it from the shell (a simple shell command), I play with a Python script, which
consumes an IP list on input and produces appropriate nft commands,
e.g.:

   fetch someiplist | myscript.py | nft -f -

Now I am not sure how to produce that output. Do I have to do it per IP?
E.g.:

    add element ... {IP1}
    delete element ... {IP1}
    add element ... {IP1 ...}
    add element ... {IP2}
    delete element ... {IP2}
    add element ... {IP2 ...}
    etc

Or do I have to produce output for all IPs at once? E.g.:

    add element ... {IP1, IP2, ...}
    delete element ... {IP1, IP2, ...}
    add element ... {IP1 ..., IP2 ..., ...}

Please, is there a technical difference or something else to consider?
The IP lists range from some hundreds to some thousands of IPs,
thus nothing really big, but not small.

Another question/problem is that this approach (delete/add) doesn't
preserve counters. Please, how can I preserve counters? Is the only way
to fetch and parse the counters before I delete the elements and then add
them into the final add? IMO, this isn't very memory friendly (in a script...).

While these counters are not crucial for me, I use them in some
ipsets for statistics, e.g. I fill items from various sources into one
ipset and then group/count them by comment. In ipset it is a really
simple task for awk and it was working even on small OpenWrt
devices. But nftables sets don't produce as straightforward output.
Please, how can/must I parse the element counters? I am not even
sure if I will be able to parse it with Python (but I didn't try it yet); is there
some tool for that?

regards

-- 
Slavko
https://www.slavino.sk/
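
The script below is an added example written for this thread; it is not the poster's script and not part of nftables. It implements the "all IPs at once" variant: one batch for `nft -f -` that first deletes the elements which are currently in the set and then re-adds every element from the feed with a fresh timeout and with the old counters carried over via `counter packets N bytes M` in the element definition. `nft -f` applies the file as one transaction, and deleting an element that is not in the set fails with ENOENT and rejects the whole batch, so the script deletes only elements it has just seen in `nft -j list set ...` (JSON output; requires an nft built with JSON support). The same JSON listing is used to group counters by comment, the awk job mentioned above. Table `inet filter`, set `badhosts` (flags interval, timeout), the feed format `address[,comment]` and every address and counter value in the embedded sample listing are assumptions made for the example.

```python
#!/usr/bin/env python3
# Refresh nftables set elements from an IP feed, carrying counters over.
# Added example for this thread; assumed table/set names and feed format.
import json
import subprocess
import sys
from collections import defaultdict

FAMILY, TABLE, SET = "inet", "filter", "badhosts"   # assumed names
TIMEOUT = "1d"        # lifetime given to every refreshed element
CHUNK = 512           # elements per add/delete statement

# Constructed stand-in for `nft -j list set inet filter badhosts`: the shape
# follows libnftables JSON output, every address and counter value is made up.
SAMPLE_LISTING = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.8", "json_schema_version": 1}},
    {"set": {"family": FAMILY, "table": TABLE, "name": SET, "type": "ipv4_addr",
             "flags": ["interval", "timeout"], "timeout": 86400, "elem": [
        {"elem": {"val": "192.0.2.10", "timeout": 86400, "expires": 3000,
                  "counter": {"packets": 12, "bytes": 960}, "comment": "feed-a"}},
        {"elem": {"val": "192.0.2.11", "timeout": 86400, "expires": 100,
                  "counter": {"packets": 3, "bytes": 180}, "comment": "feed-b"}},
        {"elem": {"val": {"prefix": {"addr": "198.51.100.0", "len": 24}},
                  "timeout": 86400, "expires": 50000,
                  "counter": {"packets": 7, "bytes": 420}, "comment": "feed-a"}},
    ]}}]})


def elem_key(val):
    """Render a JSON element key as nft text: a plain address or 'addr/len'."""
    if isinstance(val, dict) and "prefix" in val:
        return "%s/%d" % (val["prefix"]["addr"], val["prefix"]["len"])
    return str(val)


def parse_elements(listing):
    """Map element key -> {packets, bytes, comment} from `nft -j list set` output."""
    out = {}
    for obj in json.loads(listing)["nftables"]:
        if "set" not in obj:            # skip the metainfo object
            continue
        for e in obj["set"].get("elem", []):
            # elements with attributes are {"elem": {...}}, bare ones are just the key
            body = e["elem"] if isinstance(e, dict) and "elem" in e else {"val": e}
            ctr = body.get("counter", {})
            out[elem_key(body["val"])] = {"packets": ctr.get("packets", 0),
                                          "bytes": ctr.get("bytes", 0),
                                          "comment": body.get("comment")}
    return out


def stats_by_comment(elements):
    """Group/count elements by comment (the awk-over-ipset job from the post)."""
    stats = defaultdict(lambda: {"elements": 0, "packets": 0, "bytes": 0})
    for info in elements.values():
        s = stats[info["comment"] or ""]
        s["elements"] += 1
        s["packets"] += info["packets"]
        s["bytes"] += info["bytes"]
    return dict(stats)


def read_feed(lines):
    """Parse 'address[,comment]' feed lines; blank lines and '#' comments are ignored."""
    wanted = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, comment = line.partition(",")
            wanted[key.strip()] = comment.strip() or None
    return wanted


def build_batch(wanted, existing, timeout=TIMEOUT, chunk=CHUNK):
    """nft script lines: delete the elements that exist now, then add them all.

    Only keys present in `existing` are deleted, because deleting an absent
    element fails with ENOENT and `nft -f` then rejects the whole batch.
    """
    where = "%s %s %s" % (FAMILY, TABLE, SET)
    lines = []
    stale = [k for k in wanted if k in existing]
    for i in range(0, len(stale), chunk):
        lines.append("delete element %s { %s }" % (where, ", ".join(stale[i:i + chunk])))
    adds = []
    for key, comment in wanted.items():
        old = existing.get(key, {"packets": 0, "bytes": 0})
        # attribute order is the one nft 1.0.x prints itself: key, counter, timeout, comment
        elem = "%s counter packets %d bytes %d timeout %s" % (
            key, old["packets"], old["bytes"], timeout)
        if comment:
            elem += ' comment "%s"' % comment.replace('"', "")
        adds.append(elem)
    for i in range(0, len(adds), chunk):
        lines.append("add element %s { %s }" % (where, ", ".join(adds[i:i + chunk])))
    return lines


if __name__ == "__main__":
    if "--sample" in sys.argv:      # offline run against the constructed listing
        listing = SAMPLE_LISTING
    else:
        listing = subprocess.run(["nft", "-j", "list", "set", FAMILY, TABLE, SET],
                                 check=True, capture_output=True, text=True).stdout
    existing = parse_elements(listing)
    print("\n".join(build_batch(read_feed(sys.stdin), existing)))
    for comment, s in sorted(stats_by_comment(existing).items()):
        print("%s: %d elements, %d packets, %d bytes" % (
            comment or "(no comment)", s["elements"], s["packets"], s["bytes"]),
            file=sys.stderr)
```

Usage is `fetch someiplist | ./refresh.py | nft -f -`; `./refresh.py --sample < feed.txt` prints the batch for the embedded sample without touching the kernel. Elements from the feed that are not yet in the set get `counter packets 0 bytes 0`; elements in the set but absent from the feed are left alone and expire through their old timeout, the same behaviour the ipset setup relied on.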
