Firewall ipv6/ipv6 address and network groups maxelem count

Hi together,

I’ve noticed that firewall groups (address and network) are created as ipsets with a maxelem of 65536.
For our border router which also acts as border firewall we have a list of about 85000 IPv4 addresses and 3500 IPv4 Subnets which need to be filtered.

We created a new empty firewall address group and tried to add the roughly 80000 IPs with the set firewall group address-group ipv4-blocklist-hosts address command.
This does not seem to be the best idea and is terribly slow --> not our choice.

Another idea was to use this empty address group and add the IP addresses directly to the created ipset. Since the ipset is created by VyOS with a maxelem of 65536, this is also no option.

We could simply bypass this maxelem by creating several firewall groups, which, I guess, is not the best option and will become a mess when automating the updates.

I’ve read from other people having the same “issue” trying to bypass the default value.

A new and simple-to-implement option, where we can specify the maxelem count with a default value of the current 65536, would overcome this “issue”:
set firewall group address-group ipv4-blocklist-hosts maxelem [0-1000000]
set firewall group network-group ipv4-blocklist-network maxelem [0-1000000]
set firewall group ipv6-address-group ipv6-blocklist-hosts maxelem [0-1000000]
set firewall group ipv6-address-group ipv6-blocklist-networks maxelem [0-1000000]

If this isn’t an option for the developers, any idea for overcoming this limitation would be very much appreciated.

Regards
Alex

What do you want to do? Filter source or destination to these networks?

Hi Viacheslav,

mainly source at the moment but also destination in the future.

Can you test it?

ipset create ipv4-blocklist-hosts hash:ip maxelem 120000 hashsize 16384

Creating works without an issue:

Name: ipv4-blocklist-hosts
Type: hash:ip
Revision: 4
Header: family inet hashsize 16384 maxelem 120000
Size in memory: 88
References: 0
Number of entries: 0
Members:

@AWHarvard Need to fill the table with 80K IPs and check if it really works.

By the way, I think we rewrite ipsets with nft sets

Seems not to work properly :confused:
When inserting a couple of hundred IPs it works properly and maxelem stays 120000.
After inserting about 40000 IPs, maxelem suddenly resets to 65536.

Can you check it with nft list?
For example.

nft add set ip filter blackhole { type ipv4_addr\;}
nft add element ip filter blackhole { 192.168.0.2 }
nft add element ip filter blackhole { 192.168.3.3 }

Adding all 80k IPs is quite slow but working properly until now using nft.
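Loading the list in one batch, as an added example that is not part of this thread and not VyOS code: the script below turns a plain list of hosts and CIDRs into a single file for nft -f (and, for routers still on ipset, an ipset restore script with an explicit maxelem), so the kernel takes all entries in one transaction instead of one nft or ipset invocation per address. The table and set names (blocklist, ipv4-blocklist, ipv4-blocklist-hosts), the chunk size and the sample addresses are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from this thread or from VyOS): load a large blocklist in
# one transaction instead of one `nft add element` (or one VyOS `set`) per IP.
# Table/set names and the sample addresses below are assumptions / constructed.
set -eu

# Keep only well-formed IPv4 hosts or CIDR prefixes, one per line, deduplicated.
# Comments, blank lines and garbage are dropped rather than breaking the batch.
clean_list() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" | sort -u
}

# Emit an nft batch: create table and set if missing, flush the set, then add
# all entries in chunks of 1000 per `add element` line. `nft -f` applies the
# whole file as one transaction, so the set is either fully replaced or untouched.
# "flags interval" lets hosts and subnets share one set; "auto-merge" collapses
# overlapping entries, which nft would otherwise reject.
gen_nft_batch() {   # gen_nft_batch <listfile> <table> <set>
  listfile=$1 table=$2 setname=$3
  printf 'add table ip %s\n' "$table"
  printf 'add set ip %s %s { type ipv4_addr; flags interval; auto-merge; }\n' "$table" "$setname"
  printf 'flush set ip %s %s\n' "$table" "$setname"
  clean_list "$listfile" | awk -v t="$table" -v s="$setname" '
    NR % 1000 == 1 { if (NR > 1) print " }"; printf "add element ip %s %s { %s", t, s, $0; next }
                   { printf ", %s", $0 }
    END            { if (NR) print " }" }'
}

# Emit an `ipset restore` script with an explicit maxelem (hashsize must be a
# power of two). Load with: ipset restore -exist < file
gen_ipset_restore() {   # gen_ipset_restore <listfile> <set> <maxelem>
  listfile=$1 setname=$2 maxelem=$3
  printf 'create %s hash:net family inet hashsize 65536 maxelem %s\n' "$setname" "$maxelem"
  printf 'flush %s\n' "$setname"
  clean_list "$listfile" | sed "s/^/add $setname /"
}

# Apply an nft batch and count the elements actually present in the kernel
# (may be lower than the input count because auto-merge folds overlaps).
# Needs root and nftables on the router; not called in the demo below.
load_nft_batch() {   # load_nft_batch <batchfile> <table> <set>
  nft -f "$1"
  nft list set ip "$2" "$3" | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]+)?' | wc -l
}

# Constructed sample input: hosts, a subnet, a duplicate, a comment and a bad line.
make_sample_list() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# example blocklist (constructed for this demo)
198.51.100.10
198.51.100.10
203.0.113.0/24
192.0.2.77
not-an-ip
EOF
  echo "$f"
}

# Demo: generate both batch formats from the sample list.
sample=$(make_sample_list)
gen_nft_batch "$sample" blocklist ipv4-blocklist
gen_ipset_restore "$sample" ipv4-blocklist-hosts 200000
rm -f "$sample"
```

On the router, feed the generated file to nft -f and then read the set back with nft list set ip blocklist ipv4-blocklist; the element count can be below the input count because auto-merge folds overlapping entries. Like the manual ipset approach discussed above, this lives outside the VyOS configuration, so check that a later commit which rebuilds the firewall does not discard the table.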

Just as an FYI I don’t have issues with larger ipset sizes.

I dynamically create a list of country IP blocks to whitelist for ingress traffic. Currently it spits out the following

create country-whitelist hash:net family inet hashsize 262144 maxelem 486957

Verified the correct size by running the following (with output):

phillipmcmahon@myrouter:~$ ipset list country-whitelist | wc -l
486965