Jann Haber <jann.haber@xxxxxxxxxx> wrote:
> thank you for your hint with the policy setting. If we use policy accept
> and a drop rule at the bottom, we have no more hiccups.

OK, thanks for confirming. I'm still not sure how to best fix this (it's
fixable for sure); I will probably get to addressing this next week.

> On 1/8/19 12:27 AM, Florian Westphal wrote:
> > Out of curiosity, how long does time 'nft -f your_ruleset' take?
>
> It's currently about 70s - I assume most of it is the counters.

Yes, each counter (named object) triggers a very costly path in the kernel.
If you can afford a patched kernel, try these two:

https://patchwork.ozlabs.org/project/netfilter-devel/list/?series=84970

I'd wager time goes down to under 5 seconds.

> However, we are currently using lots of "add element" statements to
> build all of our maps, usually with only one element (since it was the
> easiest to generate the file like this). I guess we could improve the
> time by using fewer "add element"s while putting more than one element
> in each?!

Probably not, at least not much. If you use nft -f $file, then all the
individual 'add element's are part of the same batch that gets handed to
the kernel.

If you use individual nft add element ... {} invocations, then yes, adding
more per invocation would help a lot.
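The distinction Florian draws is between one batch (everything in the file handed to `nft -f`) and one batch per `nft` invocation. The following is an added example, not code from the thread or from the nftables project: a small POSIX shell generator that turns a one-element-per-line list into one "add element" statement per set and emits a complete ruleset file to be loaded with a single `nft -f`. The table "inet filter", the set names, the ipv4_addr set type and the sample addresses are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the nftables project).
# Coalesces "<set> <element>" lines into one "add element" statement per set
# and wraps them in a ruleset file meant to be loaded in a single batch:
#     nft -f ruleset.nft
# instead of one batch per call:
#     nft add element inet filter allow_v4 { 192.0.2.10 }
#     nft add element inet filter allow_v4 { 192.0.2.11 }
#     ...
# Assumed (hypothetical) names: table "inet filter", sets allow_v4/deny_v4,
# all sets of type ipv4_addr. Adjust the set definition for your real types.

# Reads "<set_name> <element>" lines on stdin, emits one
#   add element inet filter <set_name> { e1, e2, ... }
# per set, in first-seen order. Blank or malformed lines are skipped.
coalesce_elements() {
    awk '
    NF < 2 { next }
    {
        if (!($1 in elems)) { order[++n] = $1; elems[$1] = $2 }
        else elems[$1] = elems[$1] ", " $2
    }
    END {
        for (i = 1; i <= n; i++)
            printf "add element inet filter %s { %s }\n", order[i], elems[order[i]]
    }'
}

# Builds the full ruleset text from the element list passed as $1:
# the table, one "add set" per distinct set, then the coalesced elements.
build_ruleset() {
    printf 'add table inet filter\n'
    printf '%s\n' "$1" | awk 'NF >= 2 && !seen[$1]++ {
        printf "add set inet filter %s { type ipv4_addr; }\n", $1
    }'
    printf '%s\n' "$1" | coalesce_elements
}

# Constructed sample input (documentation addresses, not real hosts).
SAMPLE_ELEMENTS="allow_v4 192.0.2.10
allow_v4 192.0.2.11
deny_v4 198.51.100.7"

# Stand-alone usage: print the generated ruleset. To apply it atomically:
#   build_ruleset "$SAMPLE_ELEMENTS" > ruleset.nft && nft -f ruleset.nft
build_ruleset "$SAMPLE_ELEMENTS"
```

Because `nft -f` submits the whole file as one netlink batch, collapsing the statements mainly shrinks the file; the win Florian describes only appears when each element was previously its own `nft add element` process, each of which commits its own batch.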