bugzilla-daemon at netfilter.org
2020-Aug-28 15:46 UTC
[Bug 1460] New: nft_table_validate() exceptionally slow for some configurations
https://bugzilla.netfilter.org/show_bug.cgi?id=1460

Bug ID: 1460
Summary: nft_table_validate() exceptionally slow for some configurations
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: steve at opendium.com

Created attachment 606
--> https://bugzilla.netfilter.org/attachment.cgi?id=606&action=edit
Example pathological configuration

nf_tables_check_loops() and nft_table_validate() are executed when new rules are added to nftables. These are brute-force validation functions which walk over the entire ruleset, following all jumps and gotos. Chains which are jumped/goto'd to multiple times are walked over multiple times.

nft_table_validate() can become extremely slow with some configurations. The attached test case takes 5 seconds to validate on my test machine, during which time the CPU is locked up and the machine is unresponsive. Worse configurations are trivial to implement, locking the machine up for many minutes at a time.

I'm not sure why, but nf_tables_check_loops() seems comparatively fast. As far as I can see it walks over the ruleset in the same way as nft_table_validate() (although it doesn't always start from the root chains, so doesn't always check the whole ruleset).

There are more efficient algorithms for checking for loops, and adding some caching to nft_chain_validate() so that chains aren't revisited multiple times would be a big help.

-- 
You are receiving this mail because:
You are watching all bug changes.
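To make the cost described in the report concrete, the following is a small Python model of the ruleset walk with and without the caching the reporter suggests. It is added here for illustration; it is not kernel code and not the reporter's attachment, and the chain names and the ruleset builder are constructed.

```python
# Model (not kernel code) of the chain walk the bug report describes.
# A ruleset maps a chain name to its rules; a rule is either None (a plain
# rule with no jump) or the name of the chain it jumps/gotos to.
from typing import Dict, List, Optional, Set, Tuple

Ruleset = Dict[str, List[Optional[str]]]


def pathological_ruleset(depth: int, fanout: int = 2) -> Ruleset:
    """Constructed ruleset: c0 jumps to c1 `fanout` times, c1 to c2, ... down to a leaf."""
    rules: Ruleset = {f"c{i}": [f"c{i + 1}"] * fanout for i in range(depth)}
    rules[f"c{depth}"] = [None, None]  # leaf chain holding two plain rules
    return rules


def validate_naive(rules: Ruleset, chain: str, path: Tuple[str, ...] = ()) -> int:
    """Brute-force walk: every jump is followed again, which is how the report
    says nft_chain_validate() behaves. Returns rule visits; raises on a loop."""
    if chain in path:
        raise ValueError(f"loop through chain {chain}")
    visits = 0
    for target in rules[chain]:
        visits += 1
        if target is not None:
            visits += validate_naive(rules, target, path + (chain,))
    return visits


def validate_cached(rules: Ruleset, chain: str, done: Optional[Set[str]] = None,
                    path: Tuple[str, ...] = ()) -> int:
    """Same walk with the suggested caching: a chain that has already been fully
    validated (so everything reachable from it is loop-free) is not walked again."""
    if done is None:
        done = set()
    if chain in path:
        raise ValueError(f"loop through chain {chain}")
    if chain in done:
        return 0
    visits = 0
    for target in rules[chain]:
        visits += 1
        if target is not None:
            visits += validate_cached(rules, target, done, path + (chain,))
    done.add(chain)  # mark only after the whole subtree validated cleanly
    return visits
```

With depth 10 and fanout 2 the uncached walk visits 4094 rules across 11 chains while the cached walk visits 22, which is the exponential-versus-linear gap behind the lock-up the report measures.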
bugzilla-daemon at netfilter.org
2020-Aug-28 16:29 UTC
[Bug 1460] nft_table_validate() exceptionally slow for some configurations
https://bugzilla.netfilter.org/show_bug.cgi?id=1460

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Comment on attachment 606
--> https://bugzilla.netfilter.org/attachment.cgi?id=606
Example pathological configuration

Could you post a file that can be restored via iptables-nft-restore?

Thanks.
bugzilla-daemon at netfilter.org
2020-Aug-28 16:39 UTC
[Bug 1460] nft_table_validate() exceptionally slow for some configurations
https://bugzilla.netfilter.org/show_bug.cgi?id=1460

Steve Hill <steve at opendium.com> changed:

What                        |Removed |Added
----------------------------------------------------------------------------
Attachment #606 is obsolete |0       |1

--- Comment #2 from Steve Hill <steve at opendium.com> ---

Created attachment 607
--> https://bugzilla.netfilter.org/attachment.cgi?id=607&action=edit
Test case that can be restored with iptables-nft-restore