On Wed, Dec 01, 2021 at 05:48:40PM +0100, Pablo Neira Ayuso wrote:
> Hi Phil,
>
> On Wed, Dec 01, 2021 at 04:02:53PM +0100, Phil Sutter wrote:
> > Comparing performance of various commands with equivalent iptables ones
> > I noticed that nftables fetches data from kernel it doesn't need in some
> > cases. For instance, listing one table was slowed down by a large other
> > table.
> >
> > Since there is already code to filter data added to cache, make use of
> > that and craft GET requests to kernel a bit further so it returns only
> > what is needed.
>
> Using netlink to filter from kernel space is the optimal solution.

I was basically copying from iptables-nft. :)

> > This series is not entirely complete, e.g. objects are still fetched as
> > before. It rather converts some low-hanging fruit.
>
> Only one thing: It would be good to test this on older kernels,
> because IIRC some of the GET requests during the development, I would
> suggest to give it a test with -stable kernels. Probably all of the
> needed GET commands are already present there.

Good point, thanks. I'll check and report.

> In the nftables 1.0.1 release process, I tested it with 4.9.x and
> tests were running fine, the error reports were coming from missing
> features.

If ENOENT wasn't reported as EINVAL, we could even fall back to plain
NLM_F_DUMP on older kernels. Maybe tackle that first and build upon that?

Cheers, Phil
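What a "filtered GET request" from the discussion above looks like on the wire, as an added example that is not part of the thread and not nftables or iptables-nft code: an NFT_MSG_GETRULE dump carrying NFTA_RULE_TABLE (and optionally NFTA_RULE_CHAIN) so the kernel returns one table's rules, next to the plain NLM_F_DUMP that returns everything. It assumes the kernel honours those two attributes as dump filters (my understanding of the nf_tables netlink API; verify against your kernel), builds messages with the uapi headers only and no socket, and keeps the client-side filter that older kernels make necessary: a kernel that ignores the filter attributes simply dumps everything, so the reply must still be filtered by table name. The "reply" in the self-test is constructed locally, not captured from a kernel.

```c
/* Added example, not nftables code: filtered vs. unfiltered nf_tables dump
 * requests, plus the client-side filter needed for kernels that ignore the
 * filter attributes. Message construction only; nothing is sent. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>

#define NFT_MSG_BUF 256  /* assumed buffer size, plenty for these requests */

/* Start an nf_tables message: nlmsghdr followed by nfgenmsg. */
static struct nlmsghdr *nft_msg_start(unsigned char *buf, uint16_t msg_type,
                                      uint16_t flags, uint8_t family)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct nfgenmsg *nfg;

    memset(buf, 0, NFT_MSG_BUF);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*nfg));
    nlh->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | msg_type;
    nlh->nlmsg_flags = NLM_F_REQUEST | flags;
    nlh->nlmsg_seq = 1;
    nfg = NLMSG_DATA(nlh);
    nfg->nfgen_family = family;
    nfg->version = NFNETLINK_V0;
    nfg->res_id = 0;
    return nlh;
}

/* Append a NUL-terminated string attribute; -1 if it does not fit. */
static int nft_attr_put_strz(struct nlmsghdr *nlh, uint16_t type, const char *s)
{
    size_t payload = strlen(s) + 1, attr_len = NLA_HDRLEN + payload;
    size_t off = NLMSG_ALIGN(nlh->nlmsg_len);
    struct nlattr *nla;

    if (off + NLA_ALIGN(attr_len) > NFT_MSG_BUF)
        return -1;
    nla = (struct nlattr *)((unsigned char *)nlh + off);
    nla->nla_type = type;
    nla->nla_len = (uint16_t)attr_len;
    memcpy((unsigned char *)nla + NLA_HDRLEN, s, payload);
    nlh->nlmsg_len = (uint32_t)(off + NLA_ALIGN(attr_len));
    return 0;
}

/* Walk the attributes after nfgenmsg; NULL if absent, unterminated or malformed. */
static const char *nft_attr_get_strz(const struct nlmsghdr *nlh, uint16_t type)
{
    const unsigned char *p = (const unsigned char *)nlh + NLMSG_LENGTH(sizeof(struct nfgenmsg));
    const unsigned char *end = (const unsigned char *)nlh + nlh->nlmsg_len;

    while (p + NLA_HDRLEN <= end) {
        const struct nlattr *nla = (const struct nlattr *)p;
        if (nla->nla_len < NLA_HDRLEN || p + nla->nla_len > end)
            return NULL;
        if ((nla->nla_type & NLA_TYPE_MASK) == type) {
            const char *s = (const char *)p + NLA_HDRLEN;
            return memchr(s, '\0', nla->nla_len - NLA_HDRLEN) ? s : NULL;
        }
        p += NLA_ALIGN(nla->nla_len);
    }
    return NULL;
}

/* Filtered dump: only the rules of one table (and one chain if given). */
static struct nlmsghdr *nft_getrule_filtered(unsigned char *buf, uint8_t family,
                                             const char *table, const char *chain)
{
    struct nlmsghdr *nlh = nft_msg_start(buf, NFT_MSG_GETRULE, NLM_F_DUMP, family);
    if (nft_attr_put_strz(nlh, NFTA_RULE_TABLE, table) < 0)
        return NULL;
    if (chain && nft_attr_put_strz(nlh, NFTA_RULE_CHAIN, chain) < 0)
        return NULL;
    return nlh;
}

/* Plain dump: every rule of every table in the family; the client filters. */
static struct nlmsghdr *nft_getrule_all(unsigned char *buf, uint8_t family)
{
    return nft_msg_start(buf, NFT_MSG_GETRULE, NLM_F_DUMP, family);
}

/* Client-side filter over a NEWRULE reply: keep only rules of `table`. Apply it
 * even after a filtered request, since a kernel ignoring the filter dumps all. */
static int nft_rule_reply_wanted(const struct nlmsghdr *nlh, const char *table)
{
    const char *t;
    if (NFNL_MSG_TYPE(nlh->nlmsg_type) != NFT_MSG_NEWRULE)
        return 0;
    t = nft_attr_get_strz(nlh, NFTA_RULE_TABLE);
    return t != NULL && strcmp(t, table) == 0;
}

/* Exercise the builders on a constructed reply; returns 0 on success, else the failing step. */
static int nft_example_selftest(void)
{
    unsigned char req[NFT_MSG_BUF], all[NFT_MSG_BUF], reply[NFT_MSG_BUF];
    struct nlmsghdr *f = nft_getrule_filtered(req, NFPROTO_INET, "filter", "input");
    struct nlmsghdr *a = nft_getrule_all(all, NFPROTO_INET);
    struct nlmsghdr *r = nft_msg_start(reply, NFT_MSG_NEWRULE, 0, NFPROTO_INET);

    if (!f || f->nlmsg_type != ((NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_GETRULE)) return 1;
    if (!(f->nlmsg_flags & NLM_F_DUMP) || f->nlmsg_len != 44) return 2;
    if (strcmp(nft_attr_get_strz(f, NFTA_RULE_TABLE), "filter") != 0) return 3;
    if (strcmp(nft_attr_get_strz(f, NFTA_RULE_CHAIN), "input") != 0) return 4;
    if (a->nlmsg_len != NLMSG_LENGTH(sizeof(struct nfgenmsg)) ||
        nft_attr_get_strz(a, NFTA_RULE_TABLE) != NULL) return 5;
    if (nft_attr_put_strz(r, NFTA_RULE_TABLE, "other") < 0) return 6;  /* constructed reply */
    if (nft_rule_reply_wanted(r, "filter") || !nft_rule_reply_wanted(r, "other")) return 7;
    return 0;
}

int main(void)
{
    printf("selftest: %d\n", nft_example_selftest());
    return 0;
}
```

The filtered request is 44 bytes (16-byte nlmsghdr, 4-byte nfgenmsg, two 4-byte-aligned string attributes) against a 20-byte plain dump; the saving is entirely in the reply, which is the point of the series. Keeping the client-side check in both paths is what makes a fallback to plain NLM_F_DUMP safe on kernels whose dump handlers do not read the filter attributes.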