thr3ads.net - netfilter buglog - [Bug 1326] New: `nft list' is very slow when output contains meters that has lots of elements [Mar 2019]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at netfilter.org

2019-Mar-08 21:52 UTC

[Bug 1326] New: `nft list' is very slow when output contains meters that has lots of elements

https://bugzilla.netfilter.org/show_bug.cgi?id=1326

            Bug ID: 1326
           Summary: `nft list' is very slow when output contains meters
                    that has lots of elements
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: richard0053 at gmail.com

I am running an NTP server and trying to add some basic rate limit on the
service. The rule in use is basically matching UDP packets to the NTP port and
apply a meter on it. But after adding the rule, the `nft list` command takes a
long time to execute, even if I do not ask for the content of the meter:

# time nft list table ip filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iifname "ens2" udp dport ntp meter ntp-rate-limit size
65535 {
ip saddr timeout 1m limit rate over 600/minute}  drop
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}

real    0m2.837s
user    0m0.320s
sys     0m1.200s

Even for a completely unrelated table:

# time nft list table ip sshguard
table ip sshguard {
        set attackers {
                type ipv4_addr
                flags interval
                elements = { 118.25.1.73, 120.92.15.82,
                             122.2.16.126, 193.112.52.201,
                             222.186.30.71 }
        }

        chain blacklist {
                type filter hook input priority -10; policy accept;
                ip saddr @attackers drop
        }
}

real    0m2.857s
user    0m0.356s
sys     0m1.150s

strace shows that nft is receiving lots of messages from the netlink socket. 

The meter `ntp-rate-limit' does contain a lot of elements.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190308/7fceda6d/attachment.html>

bugzilla-daemon at netfilter.org

2019-Mar-08 21:52 UTC

head link

[Bug 1326] `nft list' is very slow when output contains meters that have lots of elements

https://bugzilla.netfilter.org/show_bug.cgi?id=1326

richard0053 at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|`nft list' is very slow     |`nft list' is very slow
                   |when output contains meters |when output contains meters
                   |that has lots of elements   |that have lots of elements

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190308/c6e71d5d/attachment.html>

bugzilla-daemon at netfilter.org

2019-Dec-31 19:57 UTC

head link

[Bug 1326] `nft list' is very slow when output contains meters that have lots of elements

https://bugzilla.netfilter.org/show_bug.cgi?id=1326

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191231/00f345de/attachment.html>

bugzilla-daemon at netfilter.org

2020-Aug-29 00:23 UTC

head link

[Bug 1326] `nft list' is very slow when output contains meters that have lots of elements

https://bugzilla.netfilter.org/show_bug.cgi?id=1326

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1461

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200829/57576618/attachment.html>

Maybe Matching Threads

Search for more seemingly similar threads

netfilter buglog - Mar 2019 - [Bug 1326] New: `nft list' is very slow when output contains meters that has lots of elements

[Bug 1326] New: `nft list' is very slow when output contains meters that has lots of elements

[Bug 1326] `nft list' is very slow when output contains meters that have lots of elements

[Bug 1326] `nft list' is very slow when output contains meters that have lots of elements

[Bug 1326] `nft list' is very slow when output contains meters that have lots of elements

Maybe Matching Threads