[Bug 1706] New: Nft is slow when loading ruleset with lots of add element calls of different interval maps
bugzilla-daemon at netfilter.org
Tue Sep 19 19:40:49 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1706
Bug ID: 1706
Summary: Nft is slow when loading ruleset with lots of add element calls of different interval maps
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jannh at selfnet.de

Attached there is an "example.conf" file containing a simple set of very
repetitive rules with 4 interval maps and add element calls to fill these maps
with ~16000 entries.

On our Debian bookworm (nftables 1.0.6) and ArchLinux (1.0.8) hosts, the
resulting rules take very long to load with "nft -f" (at least multiple
minutes). It seems the size of the maps itself is not the issue, since there
are other maps in our ruleset which have no issues.

Further info of things we have tested:
- With a regular map instead of an interval map (just remove the "flags
  interval" in the example), the rules are loaded in fractions of a second
- Ordering the add element calls by map (i.e. when all add element calls of
  each map are put together instead of mixing these), it loads as fast as
  expected
- We have had no issues with this kind of ruleset on Debian Bullseye (Kernel
  5.10, nftables 0.9.8), it seems to have been introduced later

Thanks for taking a look!
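
The report notes that the ruleset loads as fast as expected once all add element calls of each map are put together. The following is an added example, not part of the original report or of nftables, that applies that grouping to a ruleset file before it is passed to "nft -f"; the sample lines and the names `target`, `group_add_elements` and `map_switches` are assumptions made here, and only one-line add element commands inside an uninterrupted run are reordered.

```python
import re

# "add element [family] <table> <map> { ... }" written on one line.
ADD_ELEMENT = re.compile(
    r"^\s*add\s+element\s+"
    r"(?:(?P<family>ip6|ip|inet|arp|bridge|netdev)\s+)?"
    r"(?P<table>\S+)\s+(?P<name>\S+)\s*\{.*\}\s*;?\s*$"
)

def target(line):
    """Return (family, table, map) for a one-line add element command, else None."""
    m = ADD_ELEMENT.match(line)
    # nft assumes the ip family when none is given.
    return (m["family"] or "ip", m["table"], m["name"]) if m else None

def group_add_elements(ruleset):
    """Reorder each run of add element lines so lines for one map are adjacent."""
    out, run = [], {}  # run: target -> lines, in first-seen order
    def flush():
        for lines in run.values():
            out.extend(lines)
        run.clear()
    for line in ruleset.splitlines():
        key = target(line)
        if key is None:
            # Any other line (rule, flush, delete, comment, blank, multi-line
            # block) is a barrier: nothing is moved across it.
            flush()
            out.append(line)
        else:
            run.setdefault(key, []).append(line)
    flush()
    return "\n".join(out) + "\n"

def map_switches(ruleset):
    """Count how often consecutive add element lines change target map."""
    keys = [k for k in map(target, ruleset.splitlines()) if k]
    return sum(a != b for a, b in zip(keys, keys[1:]))

# Constructed sample (not the attached example.conf).
SAMPLE = """\
add element inet fw m1 { 10.0.0.0/24 : accept }
add element inet fw m2 { 10.1.0.0/24 : drop }
add element inet fw m1 { 10.0.1.0/24 : accept }
add rule inet fw input ip saddr vmap @m1
add element inet fw m2 { 10.1.1.0/24 : drop }
add element inet fw m1 { 10.0.2.0/24 : accept }
add element inet fw m2 { 10.1.2.0/24 : drop }
"""

if __name__ == "__main__":
    print(group_add_elements(SAMPLE), end="")
```

Comparing `map_switches` before and after shows how interleaved a ruleset is; lines that are not one-line add element commands stay where they were, so element additions are never moved past a rule, flush or delete.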