2173764 – nft add chain very slow and high %sys CPU usage

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2173764 - nft add chain very slow and high %sys CPU usage

Summary: nft add chain very slow and high %sys CPU usage

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	nftables
Sub Component:
Version:	9.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Phil Sutter
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-02-27 22:04 UTC by Jonathan Maxwell
Modified:	2023-03-07 16:11 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-03-07 16:11:03 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
perf (661.62 KB, application/gzip) 2023-02-27 22:04 UTC, Jonathan Maxwell	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	2173801	0	unspecified	CLOSED	nft memory leak and OOM	2023-03-07 16:19:35 UTC
Red Hat Issue Tracker	RHELPLAN-149964	0	None	None	None	2023-02-27 22:05:42 UTC

Description Jonathan Maxwell 2023-02-27 22:04:51 UTC

Created attachment 1946792 [details]
perf

Description of problem:

"nft add chain" is very slow on RHEL9.2 and uses excessive CPU usage.

Version-Release number of selected component (if applicable):

RHEL 9.2
kernel-5.14.0-282.el9.x86_64


How reproducible:

Always

Steps to Reproduce:

Run:

for a in {1..30000}
do
	nft add table inet filter$a 
	nft add chain inet filter$a input { type filter hook input priority 0 \; }
done

Actual results:

Very slow takes over a second to add one chain and very high kernel memory usage:

Error: Could not process rule: Argument list too long
add chain inet filter7739 input { type filter hook input priority 0 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Argument list too long
add chain inet filter7740 input { type filter hook input priority 0 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Argument list too long
add chain inet filter7741 input { type filter hook input priority 0 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Argument list too long
add chain inet filter7742 input { type filter hook input priority 0 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

top - 16:56:45 up 16:22,  2 users,  load average: 1.00, 1.00, 0.72
Tasks: 124 total,   2 running, 122 sleeping,   0 stopped,   0 zombie
%Cpu(s): 13.3 us, 40.0 sy,  0.0 ni, 46.7 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st

Expected results:

faster execution and lower %sys.

Comment 1 Jonathan Maxwell 2023-02-28 00:05:52 UTC

Running this on a different terminal while the script in description was running made it even worse.

In this case "nft list ruleset" was hung for 110 minutes until <Ctrl-C> and the script adding chains was taking 4-5 seconds per chain.

# time nft list ruleset|wc -l

^C

real	110m21.597s
user	19m42.535s
sys	68m53.753s

Comment 2 Jonathan Maxwell 2023-02-28 01:23:50 UTC

Also when I ran:

for a in {1..35000}
do
	echo table: $a
	nft add table inet t$a 
 }
done

after that completed nft crashes with an OOM:

# nft list ruleset|wc -l
Connection to kvm-xxx closed by remote host.
Connection to kvm-xxx closed.

[70996.476272] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-0.slice/session-5.scope,task=nft,pid=105241,uid=0
[70996.478180] Out of memory: Killed process 105241 (nft) total-vm:7548104kB, anon-rss:3460780kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:14808kB oom_score_adj:0

Comment 3 Jonathan Maxwell 2023-02-28 01:31:19 UTC

I'll add a new bugzilla for the OOM.

Comment 5 Phil Sutter 2023-03-07 16:11:03 UTC

Testing on RHEL-9.2.0-20230305.14 on a beaker machine with 24 physical cores on
two CPUs and 251GB RAM:

Kernel supports at most 1023 base chains, so limited testing here:

| # nft add table t
| # time for ((i=0;i<1023;i++)); do
| >   nft add chain t c$i '{ type filter hook forward priority filter; }'
| > done
| 
| real	0m2.474s
| user	0m1.195s
| sys	0m1.328s

Non-base chains are unlimited. Picking up the 35k benchmark from earlier tests:

| # time for ((i=0;i<35000;i++)); do nft add chain t c$i; done
| 
| real	1m32.245s
| user	0m40.885s
| sys	0m52.719s

This is mostly 'nft' call overhead:

# time (for ((i=0;i<35000;i++)); do echo "add chain t c$i"; done | nft -f -)

real	0m0.334s
user	0m0.274s
sys	0m0.121s

So if one wants to create so many chains, nft is up for the task.

Adding tables is pretty slow and memory consuming. Their presence slows down
other tasks manipulating the ruleset because nft always fetches the full list
of tables if it needs a table cache. There is room for improvement, but unless
there's a good reason to use such many tables, investing time into improving
this is not feasible.

I'll hereby close this ticket. Please feel free to reopen in case you think
there's something to improve about performance of adding chains in RHEL9.

Note You need to log in before you can comment on or make changes to this bug.