<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [REGRESSION] nft cannot load big set anymore"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1228">1228</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[REGRESSION] nft cannot load big set anymore
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>other
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>oleksandr@natalenko.name
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=530" name="attach_530" title="Huge set">attachment 530</a></span>
Huge set
Hello.
After nft v0.8.1 was released, I cannot load my huge set of blackholes anymore.
nft just eats CPU at 100% while loading the rules. I waited for 5 minutes
before killing it. v0.8.0 performed the load well in ~15 seconds.
Next, I recompiled nft v0.8.2 with debug info and then attached to
it with gdb while it wastes CPU to get a backtrace:
===
(gdb) bt
#0 0x00007fc9593d134b in __gmpz_cmp () from /usr/lib/libgmp.so.10
#1 0x00005600a1cb1097 in interval_overlap (e1=e1@entry=0x5600aaf5efc0,
e2=e2@entry=0x5600addf0240) at segtree.c:350
#2 0x00005600a1cb1794 in intervals_overlap (keylen=<optimized out>,
intervals=<optimized out>, msgs=<optimized out>)
at segtree.c:386
#3 set_to_segtree (merge=<optimized out>, add=true, tree=0x7fff36409230,
init=0x5600a2fdc590, set=0x5600a2fdbe10,
msgs=0x7fff36409490) at segtree.c:416
#4 set_to_intervals (errs=0x7fff36409490, set=set@entry=0x5600a2fdbe10,
init=0x5600a2fdc590, add=add@entry=true,
debug_mask=<optimized out>, merge=false) at segtree.c:586
#5 0x00005600a1c94fe0 in do_add_set (flags=0, set=0x5600a2fdbe10,
h=0x5600a2fdcaf0, ctx=0x7fff364093e0) at rule.c:1015
#6 do_command_add (ctx=0x7fff364093e0, cmd=0x5600a2fdcab0,
excl=excl@entry=false) at rule.c:1054
#7 0x00005600a1c967a7 in do_command (ctx=ctx@entry=0x7fff364093e0,
cmd=cmd@entry=0x5600a2fdcab0) at rule.c:1805
#8 0x00005600a1c810e5 in nft_netlink (nf_sock=0x5600a2fdbb50,
msgs=0x7fff36409490, state=0x7fff364094a0, nft=0x5600a2fdba20)
at libnftables.c:47
#9 nft_run (nft=nft@entry=0x5600a2fdba20, nf_sock=0x5600a2fdbb50,
scanner=scanner@entry=0x5600a2fdbb90,
state=state@entry=0x7fff364094a0, msgs=msgs@entry=0x7fff36409490) at
libnftables.c:95
#10 0x00005600a1c817dc in nft_run_cmd_from_filename (nft=0x5600a2fdba20,
filename=0x7fff3640be70 "/etc/nftables.conf")
at libnftables.c:323
#11 0x00005600a1c80799 in main (argc=3, argv=0x7fff36409d58) at main.c:276
===
I think this has something to do with the changes related to checking for
overlapping ranges introduced in v0.8.1.
Here is how the set gets loaded:
===
…
table inet filter {
	set blackhole {
		type ipv4_addr
		flags interval
		include "/etc/nftables-blackhole.conf"
	}
…
===
I'm attaching the nftables-blackhole.conf file to this ticket too.
Could you please fix this?
Thanks.</pre>
</div>
</p>
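<p>The backtrace in the report stops inside the overlap check that runs over the set's intervals. As an added illustration (not nftables source and not part of the report), the C code below tests a list of IPv4 ranges for overlaps in two ways: every pair against every other, and sort-by-start followed by a neighbour comparison. <code>struct range</code>, <code>cmp_count</code>, <code>fill_disjoint</code> and the function names are hypothetical, and the code makes no claim about which approach segtree.c takes.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Closed IPv4 range [lo, hi], host byte order. Hypothetical type, not nft's. */
struct range { uint32_t lo, hi; };
static unsigned long long cmp_count;	/* overlap tests done by the last check */

static bool ranges_overlap(const struct range *a, const struct range *b)
{
	cmp_count++;
	return a->lo <= b->hi && b->lo <= a->hi;
}

/* Every element against every later one: n*(n-1)/2 tests when the set is clean. */
bool overlap_pairwise(const struct range *r, size_t n)
{
	cmp_count = 0;
	for (size_t i = 0; i + 1 < n; i++)
		for (size_t j = i + 1; j < n; j++)
			if (ranges_overlap(&r[i], &r[j]))
				return true;
	return false;
}

static int by_lo(const void *a, const void *b)
{
	const struct range *x = a, *y = b;
	return (x->lo > y->lo) - (x->lo < y->lo);
}

/* Sort by start; if any two ranges overlap, two sorted neighbours do: n-1 tests. */
bool overlap_sorted(struct range *r, size_t n)
{
	cmp_count = 0;
	qsort(r, n, sizeof(*r), by_lo);
	for (size_t i = 1; i < n; i++)
		if (ranges_overlap(&r[i - 1], &r[i]))
			return true;
	return false;
}

/* Constructed sample: n disjoint /24-sized ranges, stored in descending order. */
void fill_disjoint(struct range *r, size_t n)
{
	for (size_t i = 0; i < n; i++)
		r[i] = (struct range){ (uint32_t)(n - 1 - i) << 8, ((uint32_t)(n - 1 - i) << 8) + 255 };
}
```

<p>A set with no overlaps never exits early, so a valid blocklist is the slowest input for the pairwise form: n(n-1)/2 tests against n-1 after sorting.</p>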
</body>
</html>