Dear nftables maintainers,

we are currently deploying nftables on our CGN Linux machines at Selfnet. We have about 5500 members, whom we provide with internet access (from students for students, non-profit). Since we like to experiment and our Linux machines seemed to reach a high CPU load, we wanted to test how much we can improve with nftables. We used to have a quite large iptables setup (a few 100k rules), which we want to shorten with nftables, and obviously improve the performance. After deploying on one of our machines, we have found a couple of things we would like to report:

- flags interval: We have some maps (e.g. for SNAT) which are supposed to contain IPv4 nets (>= /31) as well as single IPs (= /32) as keys. If we make one named map out of both (with flags interval), the single IPs are not matched (even if /32 is explicitly given). It is, however, possible to load the set (no syntax errors or such). If we make two maps, one with nets and flags interval, one with IPs and no flags, everything works as expected. According to the wiki for sets, with flags interval, the set/map "contains intervals". Is it that a subnet can be seen as an interval, but a single IP cannot, and it therefore just never matches? Is this expected?

- counters: In our iptables setup, we use the counters to count the traffic of our users. We want to do the same in nftables. We therefore created a bunch of named counters (about 22k of them) and a map mapping a certain subnet/IP to the counter name. When we load the rules with "nft -f", there seems to be a delay of some seconds where no more packets are processed. Since we do this frequently, these are frequent outages of our entire network, and this is unacceptable for us. When we comment out the counters and the map, the delay is gone.
Currently, the ruleset looks like this:

    add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
    add map inet filter inipvnrmap { type ipv4_addr : counter; flags interval;}
    add map inet filter outipvnrmap { type ipv4_addr : counter; flags interval;}
    add rule inet filter FORWARD counter name ip daddr map @inipvnrmap
    add rule inet filter FORWARD counter name ip saddr map @outipvnrmap
    ... repeat lots of times with different numbers and ips ...
    add counter inet filter INV4-VNR12345
    add counter inet filter OUTV4-VNR12345
    add element inet filter inipvnrmap { 100.65.12.0/28 : "INV4-VNR12345" }
    add element inet filter outipvnrmap { 100.65.12.0/28 : "OUTV4-VNR12345" }
    ... end repeat ...

Any suggestions if this can be improved, or where we go wrong, that we experience this delay?

Thank you very much for your help!

Jann

Selfnet e.V.
Allmandring 8A U2, 70569 Stuttgart
E-Mail: jann.haber@xxxxxxxxxx
Internet: http://www.selfnet.de
--
Selfnet e.V.
Board: Steffen Oesterwind (1st Chair), Lukas Kramer (2nd Chair), Tobias Tröps (Treasurer), Jonas Burgdorf (1st Assessor), Maximilian Weiblen (2nd Assessor)
Register of associations: Amtsgericht Stuttgart VR 6375
Registered seat: Stuttgart
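The following is an added example and is not part of Jann's mail or of the nftables project: a POSIX shell generator that expands the "repeat lots of times" part of the posted layout from a member list into one ruleset file, so that the whole thing is loaded in a single `nft -f` transaction. It follows the workaround described in the mail for the interval problem: /32 entries go into a separate pair of maps without `flags interval` (the names `inipvnrhostmap`/`outipvnrhostmap` are assumptions of this example), and everything else goes into the interval maps from the mail. The `add table` line is added because `add chain` needs the table to exist; the member list is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original mail): build an nftables ruleset
# file that mirrors the posted counter/map layout from a member list.

# Constructed sample input, one "<vnr> <cidr>" record per line.
MEMBERS='12345 100.65.12.0/28
12346 100.65.12.16/28
12347 100.65.12.32/32'

gen_ruleset() {
    # $1: newline-separated "vnr cidr" records.
    # Static part: table, chain, the two interval maps from the mail, and
    # two extra non-interval maps (assumed names) for single hosts, since
    # the mail reports that /32 keys only match in a map without
    # "flags interval". "add" is idempotent, so re-running is safe.
    cat <<'EOF'
add table inet filter
add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
add map inet filter inipvnrmap { type ipv4_addr : counter; flags interval; }
add map inet filter outipvnrmap { type ipv4_addr : counter; flags interval; }
add map inet filter inipvnrhostmap { type ipv4_addr : counter; }
add map inet filter outipvnrhostmap { type ipv4_addr : counter; }
add rule inet filter FORWARD counter name ip daddr map @inipvnrmap
add rule inet filter FORWARD counter name ip saddr map @outipvnrmap
add rule inet filter FORWARD counter name ip daddr map @inipvnrhostmap
add rule inet filter FORWARD counter name ip saddr map @outipvnrhostmap
EOF
    # Per-member part: two named counters and one element in the matching
    # in/out map. A /32 is stored as a plain address in the host maps.
    printf '%s\n' "$1" | while read -r vnr cidr; do
        [ -n "$vnr" ] || continue
        case "$cidr" in
            */32) inmap=inipvnrhostmap; outmap=outipvnrhostmap; key=${cidr%/32} ;;
            */*)  inmap=inipvnrmap;     outmap=outipvnrmap;     key=$cidr ;;
            *)    inmap=inipvnrhostmap; outmap=outipvnrhostmap; key=$cidr ;;
        esac
        printf 'add counter inet filter INV4-VNR%s\n' "$vnr"
        printf 'add counter inet filter OUTV4-VNR%s\n' "$vnr"
        printf 'add element inet filter %s { %s : "INV4-VNR%s" }\n' "$inmap" "$key" "$vnr"
        printf 'add element inet filter %s { %s : "OUTV4-VNR%s" }\n' "$outmap" "$key" "$vnr"
    done
}

# Usage (nft itself is not invoked here):
#   gen_ruleset "$MEMBERS" > /tmp/counters.nft && nft -f /tmp/counters.nft
```

Writing the generated file and loading it with `nft -f` applies all counters, maps and elements in one transaction, which is the same loading path the mail describes; the per-member counter values can afterwards be read with `nft list counters inet`.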