Bug 1705732
| Summary: | RFE: nftables: speed up rule listing when only a single table is requested | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Florian Westphal <fwestpha> |
| Component: | nftables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 9.0 | CC: | psutter, qe-baseos-daemons, rkhan, todoleza |
| Target Milestone: | rc | Keywords: | FutureFeature, Reopened, Triaged |
| Target Release: | 9.1 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nftables-1.0.4-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-15 11:22:16 UTC | Type: | Enhancement |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Deadline: | 2022-08-01 | ||
Description
Florian Westphal
2019-05-02 20:19:10 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Maybe implicitly fixed by a future rebase, but worth keeping this in place to have it tested for.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Still relevant. Also, a quick test with current upstream nftables shows that adding chains to one table slows down listing of another table.

Support for filtering data on kernel side has been completed recently in upstream nftables. There are ~40 commits that went into src/cache.c in between those commits and RHEL8. Given that this is an RFE and there's no explicit customer interest, I hereby postpone to RHEL9.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Still relevant. Likely fixed implicitly by package rebase (bug 1917398), mark as TestOnly?

Here's a simple test:
| #!/bin/bash
|
| {
| cat <<EOF
| flush ruleset
| table empty_table {
| }
| table full_table {
| chain c {
| EOF
| for ((i = 0; i < 50000; i++)); do
| echo "iifname eth0 tcp dport 22 counter accept"
| done
| cat <<EOF
| }
| }
| EOF
| } | nft -f -
|
| TIMEFORMAT='%R'
| time nft list table full_table >/dev/null
| time nft list table empty_table >/dev/null
The second value printed must be significantly lower than the first one.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (nftables bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:8381