[Bug 1439] Atomically updating/reloading a large set with nft -f is excessively slow

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jul 30 21:09:01 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1439

--- Comment #9 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
(In reply to Pablo Neira Ayuso from comment #8)
> Testing with nftables at 7c9bef0c
> 
> # nft add table inet filter
> # nft add set inet filter ipv6_bogons { type ipv6_addr\; flags interval\; }
> 
> # nft list ruleset
> table inet filter {
>         set ipv6_bogons {
>                 type ipv6_addr
>                 flags interval
>         }
> }
> 
> ... download your bogons tarball, decompress
> 
> # nft -f ipv6_bogons.nft
> ... few seconds
> # nft -f ipv6_bogons.nft
> ... few seconds
> # nft list ruleset | wc -l
> 113210
> 
> Are you sure you are running a fresh nft binary?

As mentioned in the other bug, you're right. My installation of the fresh
binaries and libraries was somehow broken. I just assumed I was running the new
build since nft -v returned 0.9.6 (whereas Ubuntu 20.04 ships 0.9.3). I
reinstalled the custom build from fresh and now it works. Loading the set for
the first time takes ~0.6s and repeated loads take only slightly longer at
~0.9s. All good! Thanks!

Another question: In a different bug you mentioned that your fix in nftables
also requires an updated libnftnl. Is there a specific commit in libnftnl that
is required by your change, or does it depend on more changes? I'm asking
because I'd like to try to backport the fix to Debian stable if the changes
required are fairly small.
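The reload being timed in this thread is the usual "flush the set, then refill it" script fed to nft -f, which submits the whole file as a single transaction so the set is never observed empty or half-loaded. The script below is an added example, not code from the bug report or from the nftables project: it generates such a reload file for the `inet filter` / `ipv6_bogons` set named in the comment from a plain list of prefixes. The prefixes it uses are constructed sample data, not a real bogon list, and `check_reload_script` is a hypothetical helper that only dry-runs the result with `nft -c` when nft is installed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of nftables itself.
# Table "inet filter" and set "ipv6_bogons" are taken from the comment above;
# every prefix below is constructed sample data.

# build_reload_script FAMILY TABLE SET PREFIX_FILE
# Emits an nft script consisting of "flush set" followed by a re-declaration of
# the set with its new elements. nft -f submits the whole file as one batch, so
# the kernel applies flush and refill atomically: packets are always matched
# against either the old or the complete new set, never an empty one.
build_reload_script() {
    family=$1
    table=$2
    setname=$3
    prefix_file=$4
    printf 'flush set %s %s %s\n' "$family" "$table" "$setname"
    printf 'table %s %s {\n\tset %s {\n\t\ttype ipv6_addr\n\t\tflags interval\n\t\telements = {\n' \
        "$family" "$table" "$setname"
    # One element per line, comma-separated; blank lines and '#' comments in
    # the input are skipped and surrounding whitespace is trimmed.
    grep -Ev '^[[:space:]]*(#|$)' "$prefix_file" |
        awk '{ gsub(/^[ \t]+|[ \t]+$/, "");
               if (NR > 1) printf ",\n";
               printf "\t\t\t%s", $0 }
             END { if (NR) printf "\n" }'
    printf '\t\t}\n\t}\n}\n'
}

# check_reload_script SCRIPT_FILE (hypothetical helper)
# Parses and evaluates the generated file without committing it. nft -c talks
# to the kernel to resolve existing objects, so it may need CAP_NET_ADMIN.
check_reload_script() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Demo with constructed, non-overlapping prefixes (interval sets reject
# overlapping ranges unless auto-merge is enabled).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample prefixes, not a real bogon list
2001:db8::/32
3ffe::/16
fc00::/7
EOF
build_reload_script inet filter ipv6_bogons "$demo_file" > "$demo_file.nft"
cat "$demo_file.nft"
check_reload_script "$demo_file.nft"
rm -f "$demo_file" "$demo_file.nft"
```

To reproduce the timing from the comment, run `time nft -f ipv6_bogons.nft` twice: the first run measures populating an empty set, the second measures the flush-and-refill path that this bug was about.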
