Daniel Borkmann (dborkman@xxxxxxxxxx) requested that I report this issue
here:
------
The speed of adding and restoring IPs in ipset has changed drastically
from kernel version 3.16.5 to 3.17.0.
3.16.5 adds and restores attached list of IP ranges (~430 records) in
0-1 seconds.
3.17.0 adds in 30s and restores in 14s.
Some of the other files I use with country IP ranges contains more than
50.000 records taking hours to add/restore in kernel 3.17.
I used a clean VirtualBox Debian installation for this test.
The kernels were build using default settings.
-----
Test-script/data and details can be found here:
https://bugzilla.kernel.org/show_bug.cgi?id=86261
Kind regards
Kim Nørring
-------- Forwarded Message --------
Subject: Re: Fwd: [Bug 86261] New: Ipset add/restore slowed to a crawl
Date: Tue, 21 Oct 2014 20:50:57 +0200
From: Daniel Borkmann <dborkman@xxxxxxxxxx>
To: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
CC: spam1@xxxxxxxxxx
[ Cc'ing reporter ]
On 10/21/2014 08:48 PM, Jozsef Kadlecsik wrote:
Hi,
On Mon, 20 Oct 2014, Daniel Borkmann wrote:
-------- Original Message --------
Subject: [Bug 86261] New: Ipset add/restore slowed to a crawl
Date: Tue, 14 Oct 2014 18:58:57 +0000
From:bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
To:dborkman@xxxxxxxxxx
https://bugzilla.kernel.org/show_bug.cgi?id=86261
Bug ID: 86261
Summary: Ipset add/restore slowed to a crawl
Product: Networking
Version: 2.5
Kernel Version: Linux debian2 3.17.0
Hardware: i386
OS: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: Netfilter/Iptables
Assignee:networking_netfilter-iptables@xxxxxxxxxxxxxxxxxxxx
Reporter:spam1@xxxxxxxxxx
Regression: No
Created attachment 153751
-->https://bugzilla.kernel.org/attachment.cgi?id=153751&action=edit
IP range for Afghanistan in CIDR format
The speed of adding and restoring IPs in ipset has changed drastically from
kernel version 3.16.5 to 3.17.0.
3.16.5 adds and restores attached list of IP ranges (~430 records) in 0-1
seconds.
3.17.0 adds in 30s and restores in 14s.
Some of the other files I use with country IP ranges contains more than 50.000
records taking hours to add/restore in kernel 3.17.
I used a clean VirtualBox Debian installation for this test.
The kernels were build using default settings.
Script:
**********************
#!/bin/bash
IPSET=/usr/sbin/ipset
IPSET_NAME=mytest
function addThem {
for IP in $(cat ./AF); do
$IPSET add $IPSET_NAME $IP
done
}
ipset x
$IPSET create $IPSET_NAME hash:net
time addThem
time $IPSET save > ./saved
ipset x
time $IPSET restore < ./saved
*****************
I went through the ipset relates patches between 3.16 and 3.17 and see
nothing which could result such a performance drop. The patches either
fix static checker or other warnings or contain new features (skbinfo
extension and hash:mac set type) which looks totally independet from this.
(Netlink itself changed radically between the two kernel releases.)
So I'm going to setup an environment to check it myself.
Best regards,
Jozsef
-
E-mail :kadlec@xxxxxxxxxxxxxxxxx,kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key :http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
