ipset swap to nftables set

ipset swap to nftables set

[marek]

hi,

i'm using in production ipset swap with ~3000 ip addr

i.e.

- change coming from customer (new ips, old ips deprecated)

- generation of new list /etc/sysconfig/ipset-new

- swap ipset-new with ipset

transaction is near real-time


now i'm moving from RHEL7 to RHEL9 (rocky, kernel 5.14, nftables 1.0.4) 
and trying move from ipset to nftables sets

nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all 
packets from these hosts\" \; }
fill the set

now the new flow is

- change coming from customer (new ips, old ips deprecated)

- nft flush set ip filter blackhole

- nft add element ip filter blackhole { X }   (bash for loop)


it tooks 10sec

can you recommend better way? (performance similar to ipset swap)

thanks

Marek

Re: ipset swap to nftables set

[Eric]

On Friday, September 29th, 2023 at 06:44, marek <cervajs64@gmail.com> wrote:
> - nft flush set ip filter blackhole
> 
> - nft add element ip filter blackhole { X } (bash for loop)

Hi Marek,

Do that last step atomically and it should be plenty fast.

nft flush set ip filter blackhole
nft add element ip filter blackhole {\
    1.0.0.1, \
    1.0.0.2, \
    1.0.0.3, \
    1.1.1.1, \
    1.1.1.2, \
    1.1.1.3, \
    1.193.146.35, \
...
    99.99.99.99, \
}

Eric

Re: ipset swap to nftables set

[Reindl Harald]

Am 29.09.23 um 16:30 schrieb Eric:
> On Friday, September 29th, 2023 at 06:44, marek <cervajs64@gmail.com> wrote:
>> - nft flush set ip filter blackhole
>>
>> - nft add element ip filter blackhole { X } (bash for loop)
> 
> Hi Marek,
> 
> Do that last step atomically and it should be plenty fast.
> 
> nft flush set ip filter blackhole
> nft add element ip filter blackhole {\
>      1.0.0.1, \
>      1.0.0.2, \
>      1.0.0.3, \
>      1.1.1.1, \
>      1.1.1.2, \
>      1.1.1.3, \
>      1.193.146.35, \
> ...
>      99.99.99.99, \
> }

still horrible ciomoared to ipset swap beause it is *not* atomically

Re: ipset swap to nftables set

[Kerin Millar]

On Fri, 29 Sep 2023, at 2:44 PM, marek wrote:
> hi,
>
> i'm using in production ipset swap with ~3000 ip addr
>
> i.e.
>
> - change coming from customer (new ips, old ips deprecated)
>
> - generation of new list /etc/sysconfig/ipset-new
>
> - swap ipset-new with ipset
>
> transaction is near real-time
>
>
> now i'm moving from RHEL7 to RHEL9 (rocky, kernel 5.14, nftables 1.0.4) 
> and trying move from ipset to nftables sets
>
> nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all 
> packets from these hosts\" \; }
> fill the set
>
> now the new flow is
>
> - change coming from customer (new ips, old ips deprecated)
>
> - nft flush set ip filter blackhole
>
> - nft add element ip filter blackhole { X }   (bash for loop)

Executing nft repeatedly will certainly be slow, if that is what you are currently doing. I'd be interested to know what you are using for to iterate over precisely because there's a fair chance that your use of for is an anti-pattern to begin with.

>
>
> it tooks 10sec
>
> can you recommend better way? (performance similar to ipset swap)

Yes, definitely. However, I would prefer to see some of the existing code first. This will make it easier to provide clear guidance as to how to modify your script. In particular, please make it clear where the input data comes from, and the precise format of this data.

-- 
Kerin Millar

Re: ipset swap to nftables set

[Kerin Millar]

On Fri, 29 Sep 2023, at 3:36 PM, Reindl Harald wrote:
> Am 29.09.23 um 16:30 schrieb Eric:
>> On Friday, September 29th, 2023 at 06:44, marek <cervajs64@gmail.com> wrote:
>>> - nft flush set ip filter blackhole
>>>
>>> - nft add element ip filter blackhole { X } (bash for loop)
>> 
>> Hi Marek,
>> 
>> Do that last step atomically and it should be plenty fast.
>> 
>> nft flush set ip filter blackhole
>> nft add element ip filter blackhole {\
>>      1.0.0.1, \
>>      1.0.0.2, \
>>      1.0.0.3, \
>>      1.1.1.1, \
>>      1.1.1.2, \
>>      1.1.1.3, \
>>      1.193.146.35, \
>> ...
>>      99.99.99.99, \
>> }
>
> still horrible ciomoared to ipset swap beause it is *not* atomically

It should be atomic, provided that the command stream conveyed to a single invocation of nft includes both the flush and add command. That's how I've been going about it for years now. 

Here is an example, in which a list of newline-delimited IPv4 addresses is consumed from a file named "ipv4-list.txt".

{
    set="ip filter blackhole"
    echo "flush set $set"
    echo "add element $set {"
    sed -e 's/$/,/'
    echo "}"
} < ipv4-list.txt | nft -f -

-- 
Kerin Millar

Re: ipset swap to nftables set

[marek]

Dne 2023-09-29 v 16:41 Kerin Millar napsal(a):
> On Fri, 29 Sep 2023, at 2:44 PM, marek wrote:
>> hi,
>>
>> i'm using in production ipset swap with ~3000 ip addr
>>
>> i.e.
>>
>> - change coming from customer (new ips, old ips deprecated)
>>
>> - generation of new list /etc/sysconfig/ipset-new
>>
>> - swap ipset-new with ipset
>>
>> transaction is near real-time
>>
>>
>> now i'm moving from RHEL7 to RHEL9 (rocky, kernel 5.14, nftables 1.0.4)
>> and trying move from ipset to nftables sets
>>
>> nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all
>> packets from these hosts\" \; }
>> fill the set
>>
>> now the new flow is
>>
>> - change coming from customer (new ips, old ips deprecated)
>>
>> - nft flush set ip filter blackhole
>>
>> - nft add element ip filter blackhole { X }   (bash for loop)
> Executing nft repeatedly will certainly be slow, if that is what you are currently doing. I'd be interested to know what you are using for to iterate over precisely because there's a fair chance that your use of for is an anti-pattern to begin with.
>
>>
>> it tooks 10sec
>>
>> can you recommend better way? (performance similar to ipset swap)
> Yes, definitely. However, I would prefer to see some of the existing code first. This will make it easier to provide clear guidance as to how to modify your script. In particular, please make it clear where the input data comes from, and the precise format of this data.


i'll try tip from previous mail

current version is very simple loop like

cat file | while read i

do

nft add element ip filter blackhole { $i }

done

"i" is  ipv4 /32 ip address

Marek

Re: ipset swap to nftables set

[Reindl Harald]

Am 29.09.23 um 21:47 schrieb marek:
> 
> Dne 2023-09-29 v 16:41 Kerin Millar napsal(a):
>> On Fri, 29 Sep 2023, at 2:44 PM, marek wrote:
>>> hi,
>>>
>>> i'm using in production ipset swap with ~3000 ip addr
>>>
>>> i.e.
>>>
>>> - change coming from customer (new ips, old ips deprecated)
>>>
>>> - generation of new list /etc/sysconfig/ipset-new
>>>
>>> - swap ipset-new with ipset
>>>
>>> transaction is near real-time
>>>
>>>
>>> now i'm moving from RHEL7 to RHEL9 (rocky, kernel 5.14, nftables 1.0.4)
>>> and trying move from ipset to nftables sets
>>>
>>> nft add set ip filter blackhole { type ipv4_addr\; comment \"drop all
>>> packets from these hosts\" \; }
>>> fill the set
>>>
>>> now the new flow is
>>>
>>> - change coming from customer (new ips, old ips deprecated)
>>>
>>> - nft flush set ip filter blackhole
>>>
>>> - nft add element ip filter blackhole { X }   (bash for loop)
>> Executing nft repeatedly will certainly be slow, if that is what you 
>> are currently doing. I'd be interested to know what you are using for 
>> to iterate over precisely because there's a fair chance that your use 
>> of for is an anti-pattern to begin with.
>>
>>>
>>> it tooks 10sec
>>>
>>> can you recommend better way? (performance similar to ipset swap)
>> Yes, definitely. However, I would prefer to see some of the existing 
>> code first. This will make it easier to provide clear guidance as to 
>> how to modify your script. In particular, please make it clear where 
>> the input data comes from, and the precise format of this data.
> 
> 
> i'll try tip from previous mail
> 
> current version is very simple loop like
> 
> cat file | while read i
> 
> do
> 
> nft add element ip filter blackhole { $i }
> 
> done
> 
> "i" is  ipv4 /32 ip address

this is always a problem - with a list of 10k records you call a binary 
10k times - you have the same difference between "iptables restore" and 
call iptables thousands of times

i disklike nftables in general and especially because oyu can't have you 
ipsets completly seperate and load the atomically at every point in time

hopefully iptables-nft will last forever