netfilter buglog - Sep 2023 - [Bug 1706] New: Nft is slow when loading ruleset with lots of add element calls of different interval maps

https://bugzilla.netfilter.org/show_bug.cgi?id=1706

            Bug ID: 1706
           Summary: Nft is slow when loading ruleset with lots of add
                    element calls of different interval maps
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: jannh at selfnet.de

Attached there is an "example.conf" file containing a simple set of
very
repetitive rules with 4 interval maps and add element calls to fill these maps
with ~16000 entries.

On our Debian bookworm (nftables 1.0.6) and ArchLinux (1.0.8) hosts, the
resulting rules take very long to load with "nft -f" (at least
multiple
minutes). It seems the size of the maps itself is not the issue, since there
are other maps in our ruleset which have no issues.

Further info of things we have tested:
- With a regular map instead of an interval map (just remove the "flags
interval" in the example), the rules are loaded in fractions of a second
- Ordering the add element calls by map (i.e. when all add element calls of
each map are put together instead of mixing these), it loads as fast as
expected
- We have had no issues with this kind of ruleset on Debian Bullseye (Kernel
5.10, nftables 0.9.8), it seems to have been introduced later

Thanks for taking a look!

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230919/f6f35208/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1706

--- Comment #1 from jannh at selfnet.de ---
Created attachment 721
  --> https://bugzilla.netfilter.org/attachment.cgi?id=721&action=edit
Script creating the example ruleset

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230919/0cef868f/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1706

jannh at selfnet.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jannh at selfnet.de

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231001/e93e89c8/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1706

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
             Blocks|                            |1461

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240108/dd27f8be/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1706

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.
                   |                            |org/show_bug.cgi?id=1735

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20241117/8142eafb/attachment.html>