bugzilla-daemon at netfilter.org
2024-Jan-30 10:52 UTC
[Bug 1735] New: Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 Bug ID: 1735 Summary: Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set Product: nftables Version: 1.0.x Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: anton.khazan at gmail.com Created attachment 734 --> https://bugzilla.netfilter.org/attachment.cgi?id=734&action=edit shell script demonstrating the bug The title basically describes the issue. Steps to reproduce the issue: Take an ip list for any country (in most of my tests I've been using the ip list for GB fetched from ipdeny, which currently has 8589 ipv4 ip blocks), measure time taking to load it into a new set, measure time adding the same ip list again in a new set under a new name (without removing the 1st one), repeat n times. Each new iteration takes a little longer. On the OpenWRT installation in VM, 1st iteration takes 0.12s. 10th iteration takes 0.47s. 40th iteration takes 1.59s. Getting a response from the command 'nft list tables' also takes progressively longer with each added set, as well as any other nft CLI operation involving the table under test. Starting with 0.04s after 1st iteration and up to 1.49s after the 40th iteration. Monitoring memory use while running this test also reveals that the transient memory use spikes (similar to those reported in Bug 1584) get progressively larger as you go, reaching about 180MB around the 40th iteration (i've been just monitoring memory use via the 'top' utility which samples once a second at most, so I might have missed the peak of the spike). Using the same ip list is not an essential part of the bug, as well as the specific list for GB. I picked GB because it's a mid-sized list, and re-using it because this way it is possible to get comparable results. The issue also extends to ipv6 ip lists. nft CLI operations involving other tables seem unaffected. This is a pretty big problem for applications like geoip, especially so on embedded devices like routers with limited memory. I'm not sure whether this belongs to the kernel component or nft userspace. Filing this under nft userspace component in the meanwhile. Hardware used for testing: Intel i7-4770 Same behavior on Linux Mint (kernel 6.2.0, nftables 1.0.2) and OpenWRT x86-64 installed in a VM (kernel 5.15.137, nftables 1.0.8). A shell script reproducing the issue is attached. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240130/f11cf698/attachment-0001.html>
bugzilla-daemon at netfilter.org
2024-Jan-30 11:06 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 --- Comment #1 from anton.khazan at gmail.com --- Also to clarify, the issue happens with or without 'auto-merge', although enabling auto-merge somewhat reduces the magnitude. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240130/89f94f6b/attachment.html>
bugzilla-daemon at netfilter.org
2024-Jan-30 11:17 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 anton.khazan at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |anton.khazan at gmail.com -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240130/691e6750/attachment.html>
bugzilla-daemon at netfilter.org
2024-Jan-31 01:00 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 --- Comment #2 from anton.khazan at gmail.com --- Update: the author of BanIP (OpenWRT application doing similar tasks with interval sets) shared their method of populating sets and listing the contents of a table, which avoids the bug. Attaching their version of the test script for comparison. Looking at the differences, I'm starting to suspect that some commands cause nftables to re-process all accumulated sets (which causes spikes in memory use and reduced responsiveness), and some don't. 'nft list tables' does, while 'nft list ruleset' doesn't. BanIP method of populating the sets doesn't, while my method does. I still really don't completely understand why but this looks like a bug to me. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240131/3109d231/attachment.html>
bugzilla-daemon at netfilter.org
2024-Jan-31 01:04 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 --- Comment #3 from anton.khazan at gmail.com --- Created attachment 735 --> https://bugzilla.netfilter.org/attachment.cgi?id=735&action=edit shell script avoiding the bug -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240131/2cf99289/attachment.html>
bugzilla-daemon at netfilter.org
2024-Feb-07 18:26 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 Phil Sutter <phil at nwl.cc> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |phil at nwl.cc Assignee|pablo at netfilter.org |phil at nwl.cc --- Comment #4 from Phil Sutter <phil at nwl.cc> --- Pointless set element fetching with 'list tables' command fixed in commit 674eb7fa28958 ("cache: Optimize caching for 'list tables' command"). Sadly, fixing the same for 'add element' command is sadly not as trivial, but I'll leave this ticket open as I think it should be doable. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240207/6f456666/attachment.html>
bugzilla-daemon at netfilter.org
2024-Feb-08 01:01 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 --- Comment #5 from anton.khazan at gmail.com --- Thank you for looking into this. Additional affected command: 'nft -t list table inet test' (0.01s after 1st iteration, 0.5s after 40th iteration) To my best understanding, it's not supposed to fetch elements when called with the '-t' option. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240208/a2ffebff/attachment.html>
bugzilla-daemon at netfilter.org
2024-Feb-08 01:41 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 --- Comment #6 from anton.khazan at gmail.com --- 'nft -t list set' is also likely affected to some degree, as comparing the time it takes to list a small set (261 ip ranges) to a large set (11655 ip ranges), I'm noticing a significant difference - 0.01s vs 0.07s on my VM (the actual difference is likely higher but I'm limited to 0.01s measurement precision). Note that this is also with the '-t' option so it's not supposed to fetch elements (to my understanding). -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240208/35d85553/attachment.html>
bugzilla-daemon at netfilter.org
2024-Feb-08 11:41 UTC
[Bug 1735] Adding nftables interval sets progressively gets slower and makes the nft CLI less responsive with each added set
https://bugzilla.netfilter.org/show_bug.cgi?id=1735 --- Comment #7 from Phil Sutter <phil at nwl.cc> --- (In reply to anton.khazan from comment #6)> 'nft -t list set' is also likely affected to some degree, as comparing the > time it takes to list a small set (261 ip ranges) to a large set (11655 ip > ranges), I'm noticing a significant difference - 0.01s vs 0.07s on my VM > (the actual difference is likely higher but I'm limited to 0.01s measurement > precision). Note that this is also with the '-t' option so it's not supposed > to fetch elements (to my understanding).It is. To see for yourself, use --debug=netlink: | nft --debug=netlink -t list set ... If debug output contains lots of "element" lines while non-debug output doesn't, there likely is a bug (with list-like commands at least). -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240208/34690f35/attachment.html>
Reasonably Related Threads
- [Bug 1281] New: Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200.
- [Bug 914] New: nft configure does not use --prefix as include/lib search path
- [Bug 1751] New: ip6tables-restore doesn't restore counters
- [Bug 1347] New: ebtables-nft: regression in -o option
- [Bug 1407] New: Segfault with iptables-nft-restore when flush rules included