From 340aab6f486a32111d0e903b68fcbcc6331069c4 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Tue, 27 Jan 2026 15:13:02 +0000
Subject: [PATCH] network: batch nftables blocks for nft submission

---
 .../networking/templates/default/nftables.erb | 47 ++++++++++++++++++-
 1 file changed, 45 insertions(+), 2 deletions(-)

diff --git a/cookbooks/networking/templates/default/nftables.erb b/cookbooks/networking/templates/default/nftables.erb
index 677958659..e69defe71 100644
--- a/cookbooks/networking/templates/default/nftables.erb
+++ b/cookbooks/networking/templates/default/nftables.erb
@@ -25,14 +25,57 @@ reload() {
 start
 }
 
+nft_add_list() {
+ set_name="$1"
+ list="$2"
+ /usr/sbin/nft --check add element inet chef-filter "$set_name" "{ $list }" && /usr/sbin/nft add element inet chef-filter "$set_name" "{ $list }"
+}
+
 block() {
+ max_batch=200
+ ip_list=""
+ ip6_list=""
+ ip_count=0
+ ip6_count=0
 for address in "$@"
 do
 case "$address" in
- *.*) /usr/sbin/nft --check add element inet chef-filter ip-blocklist "{ $address }" && /usr/sbin/nft add element inet chef-filter ip-blocklist "{ $address }" ;;
- *:*) /usr/sbin/nft --check add element inet chef-filter ip6-blocklist "{ $address }" && /usr/sbin/nft add element inet chef-filter ip6-blocklist "{ $address }" ;;
+ *.*)
+ if [ -n "$ip_list" ]; then
+ ip_list="$ip_list, $address"
+ else
+ ip_list="$address"
+ fi
+ ip_count=$((ip_count + 1))
+ if [ "$ip_count" -ge "$max_batch" ]; then
+ nft_add_list ip-blocklist "$ip_list"
+ ip_list=""
+ ip_count=0
+ fi
+ ;;
+ *:*)
+ if [ -n "$ip6_list" ]; then
+ ip6_list="$ip6_list, $address"
+ else
+ ip6_list="$address"
+ fi
+ ip6_count=$((ip6_count + 1))
+ if [ "$ip6_count" -ge "$max_batch" ]; then
+ nft_add_list ip6-blocklist "$ip6_list"
+ ip6_list=""
+ ip6_count=0
+ fi
+ ;;
 esac
 done
+
+ if [ -n "$ip_list" ]; then
+ nft_add_list ip-blocklist "$ip_list"
+ fi
+
+ if [ -n "$ip6_list" ]; then
+ nft_add_list ip6-blocklist "$ip6_list"
+ fi
 }
 
 unblock() {
-- 
2.39.5
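Review bot: One malformed address now silently drops the whole batch: in `nft_add_list` a failed `nft --check` skips the `add` for every address in the list (up to `max_batch`, 200), and nothing is written to stderr, whereas the per-address form this replaces lost only the offending entry. For a blocklist that is a fail-open change, and it is invisible to the caller because `block()` never inspects `nft_add_list`'s status. I would keep the batch fast path but fall back to per-address submission when the batch check is rejected, and report the rejection on stderr so a bad entry in the node data is noticed rather than swallowed. The `block()` function is fully inside the hunk; `unblock()` and the rest of the template continue outside it.

```shell
nft_add_list() {
  set_name="$1"
  list="$2"
  if /usr/sbin/nft --check add element inet chef-filter "$set_name" "{ $list }"; then
    /usr/sbin/nft add element inet chef-filter "$set_name" "{ $list }"
  else
    # A rejected batch must not drop its valid members: retry one address at a
    # time so only the bad entry is skipped, and say so on stderr.
    echo "batch rejected for $set_name, retrying addresses individually" >&2
    printf '%s\n' "$list" | tr ',' '\n' | while read -r single; do
      /usr/sbin/nft --check add element inet chef-filter "$set_name" "{ $single }" && /usr/sbin/nft add element inet chef-filter "$set_name" "{ $single }"
    done
  fi
}
# … unchanged: block() batching loop …
```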