bugzilla-daemon at netfilter.org
2023-Sep-19 17:40 UTC
[Bug 1706] New: Nft is slow when loading ruleset with lots of add element calls of different interval maps
https://bugzilla.netfilter.org/show_bug.cgi?id=1706

    Bug ID: 1706
    Summary: Nft is slow when loading ruleset with lots of add element calls of different interval maps
    Product: nftables
    Version: 1.0.x
    Hardware: x86_64
    OS: Debian GNU/Linux
    Status: NEW
    Severity: normal
    Priority: P5
    Component: nft
    Assignee: pablo at netfilter.org
    Reporter: jannh at selfnet.de

Attached there is an "example.conf" file containing a simple set of very repetitive rules with 4 interval maps and add element calls to fill these maps with ~16000 entries. On our Debian bookworm (nftables 1.0.6) and ArchLinux (1.0.8) hosts, the resulting rules take very long to load with "nft -f" (at least multiple minutes).

It seems the size of the maps itself is not the issue, since there are other maps in our ruleset which have no issues.

Further info of things we have tested:

- With a regular map instead of an interval map (just remove the "flags interval" in the example), the rules are loaded in fractions of a second
- Ordering the add element calls by map (i.e. when all add element calls of each map are put together instead of mixing these), it loads as fast as expected
- We have had no issues with this kind of ruleset on Debian Bullseye (Kernel 5.10, nftables 0.9.8), it seems to have been introduced later

Thanks for taking a look!

--
You are receiving this mail because:
You are watching all bug changes.
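The second workaround in the report above (putting all add element calls of each map together) can be applied mechanically before running "nft -f". The following is an added example, not part of the bug report or of nftables; it assumes one complete add element statement per line, and the table and map names in the sample are made up.

```python
import re
from itertools import groupby

# One complete single-line statement: add element [family] <table> <map> { ... }
ADD_RE = re.compile(
    r"^\s*add\s+element\s+(?:(ip|ip6|inet|arp|bridge|netdev)\s+)?"
    r"(\S+)\s+(\S+)\s*\{[^{}]*\}\s*$"
)

def map_key(line):
    """Return (family, table, map) for an add element line, else None."""
    m = ADD_RE.match(line)
    if not m:
        return None
    return (m.group(1) or "ip", m.group(2), m.group(3))  # nft defaults to ip

def group_add_elements(lines):
    """Group each uninterrupted run of add element lines by target map."""
    # Any other line (comment, blank, flush, delete) is a barrier that is
    # never crossed, and the order of elements within one map is kept.
    out = []
    for is_add, run in groupby(lines, key=lambda l: map_key(l) is not None):
        run = list(run)
        if not is_add:
            out.extend(run)
            continue
        buckets = {}  # dict preserves first-seen map order
        for line in run:
            buckets.setdefault(map_key(line), []).append(line)
        for bucket in buckets.values():
            out.extend(bucket)
    return out

def map_switches(lines):
    """Count how often consecutive add element lines change target map."""
    keys = [k for k in map(map_key, lines) if k is not None]
    return sum(1 for a, b in zip(keys, keys[1:]) if a != b)

# Constructed sample (table and map names are made up for illustration).
SAMPLE = [
    "add element inet fw m_a { 10.0.0.0/24 : 1 }",
    "add element inet fw m_b { 10.1.0.0/24 : 2 }",
    "add element inet fw m_a { 10.0.1.0/24 : 3 }",
    "add element inet fw m_b { 10.1.1.0/24 : 4 }",
    "flush map inet fw m_a",
    "add element inet fw m_a { 10.0.2.0/24 : 5 }",
]

if __name__ == "__main__":
    print("\n".join(group_add_elements(SAMPLE)))
```

map_switches gives a quick measure of how interleaved a generated ruleset is before and after grouping.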
bugzilla-daemon at netfilter.org
2023-Sep-19 17:42 UTC
[Bug 1706] Nft is slow when loading ruleset with lots of add element calls of different interval maps
https://bugzilla.netfilter.org/show_bug.cgi?id=1706

--- Comment #1 from jannh at selfnet.de ---
Created attachment 721
  --> https://bugzilla.netfilter.org/attachment.cgi?id=721&action=edit
Script creating the example ruleset
bugzilla-daemon at netfilter.org
2023-Oct-01 21:19 UTC
[Bug 1706] Nft is slow when loading ruleset with lots of add element calls of different interval maps
https://bugzilla.netfilter.org/show_bug.cgi?id=1706

jannh at selfnet.de changed:

    What  | Removed | Added
    ------+---------+------------------
    CC    |         | jannh at selfnet.de
bugzilla-daemon at netfilter.org
2024-Jan-08 21:03 UTC
[Bug 1706] Nft is slow when loading ruleset with lots of add element calls of different interval maps
https://bugzilla.netfilter.org/show_bug.cgi?id=1706

kfm at plushkava.net changed:

    What   | Removed | Added
    -------+---------+-------------------
    CC     |         | kfm at plushkava.net
    Blocks |         | 1461