On Wed, Oct 23, 2024 at 03:34:40PM +0200, Pablo Neira Ayuso wrote:
> 498a5f0c219d ("rule: collapse set element commands") does not help to
> reduce memory consumption in the case of large sets defined by one
> element per line:
>
> add element ip x y { 1.1.1.1 }
> add element ip x y { 1.1.1.2 }
> ...
>
> This patch collapses set element whenever possible to reduce the number
> of cmd objects, this reduces memory consumption by ~75%.
>
> This patch also adds a special case for variables for sets similar to:
>
> be055af5c58d ("cmd: skip variable set elements when collapsing commands")
>
> This patch requires this small kernel fix:
>
> commit b53c116642502b0c85ecef78bff4f826a7dd4145
> Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Date: Fri May 20 00:02:06 2022 +0200
>
> netfilter: nf_tables: set element extended ACK reporting support
>
> which is included in recent -stable kernels:
>
> # cat ruleset.nft
> add table ip x
> add chain ip x y
> add set ip x y { type ipv4_addr; }
> create element ip x y { 1.1.1.1 }
> create element ip x y { 1.1.1.1 }
>
> # nft -f ruleset.nft
> ruleset.nft:5:25-31: Error: Could not process rule: File exists
> create element ip x y { 1.1.1.1 }
>                         ^^^^^^^
>
> there is no need to relate commands via sequence number, this allows to
> remove the uncollapse step too.
>
> Fixes: 498a5f0c219d ("rule: collapse set element commands")
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Hi Pablo,

This patch appears to introduce a performance regression for set entries in the JSON interface. AFAICS, the collapse code is only called from the CLI parser now. E.