Hello,

I was updating my kernel to 4.9.16, because it is the latest stable marked on Gentoo, and noticed a heavily rising response time from nft.

I have a standard ruleset including 4 sets, where each of them has dynamic content (ip blocklists): set1 contains 450 entries, set2 250 entries, set3 5 entries and set4 1 entry. Each set was created with "type ipv4_addr" and "flags interval".

After 3 days of uptime, the response time of "nft list table ip filter" (where "ip" is only ipv4 and "filter" is the whole ruleset of ipv4) is approx 0.6s:

> real 0m0.651s
> user 0m0.105s
> sys  0m0.536s

After 4 days I'm reaching nearly 0.8-0.9s - rising. When I restart nftables, it's starting from 0.008 - 0.012s again, but it's still rising. So for me it's not related to the size of all four sets? Can anyone confirm this or has some ideas?

Using:
- kernel-4.9.16
- nftables-0.7
- libmnl-1.0.4
- libnftnl-1.0.7

--
Regards
Alex
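One way to gather the data that would settle the question in the post (does the latency track uptime, or the number of set elements?) is to sample both on a fixed schedule and log them side by side. The script below is an added example for this thread, not code from the original post or from the nftables project. It assumes GNU date (for %N), the set names from the post (configurable through NFT_SETS), and the nft 0.7 text output format for the heuristic element count; the NFT_TABLE, NFT_SETS and LOG_FILE variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): log the wall-clock time of
# "nft list table ip filter" next to the system uptime and the element count
# of each set, so a slowdown that follows uptime can be told apart from one
# that follows set size. Assumes GNU date and nft 0.7 output.

NFT_TABLE="${NFT_TABLE:-ip filter}"          # table from the post
NFT_SETS="${NFT_SETS:-set1 set2 set3 set4}"  # set names from the post
LOG_FILE="${LOG_FILE:-/var/log/nft-list-latency.log}"  # assumed path

# now_ms: current wall clock in milliseconds (GNU date %N gives nanoseconds).
now_ms() {
    echo $(( $(date +%s%N) / 1000000 ))
}

# elapsed_ms CMD...: run CMD once with its output discarded and print the
# wall time in milliseconds.
elapsed_ms() {
    _start=$(now_ms)
    "$@" >/dev/null 2>&1
    _end=$(now_ms)
    echo $(( _end - _start ))
}

# median_ms N CMD...: run CMD N times and print the median (lower median for
# even N). One cold run or a scheduler hiccup then does not skew the sample.
median_ms() {
    _n=$1; shift
    _i=0
    while [ "$_i" -lt "$_n" ]; do
        elapsed_ms "$@"
        _i=$(( _i + 1 ))
    done | sort -n | sed -n "$(( (_n + 1) / 2 ))p"
}

# set_elements TABLE SET: heuristic element count taken from "nft list set".
# nft prints elements comma separated; every token that contains a dotted
# number is counted as one address or one range.
set_elements() {
    nft list set $1 "$2" 2>/dev/null \
        | sed -n '/elements = {/,/}/p' \
        | tr ',' '\n' \
        | grep -c '[0-9]\.[0-9]' || true
}

# log_sample LOGFILE: append one line with epoch seconds, uptime in seconds,
# the median list time over 5 runs and "name=count" for every set.
log_sample() {
    _uptime=$(cut -d' ' -f1 /proc/uptime)
    _ms=$(median_ms 5 nft list table $NFT_TABLE)
    _sets=""
    for _s in $NFT_SETS; do
        _sets="$_sets $_s=$(set_elements "$NFT_TABLE" "$_s")"
    done
    printf '%s uptime=%s list_ms=%s%s\n' \
        "$(date +%s)" "$_uptime" "$_ms" "$_sets" >> "$1"
}

# Run "./nft-latency.sh sample" from cron (for example hourly) to append a
# record; without the argument the functions are only defined.
if [ "${1:-}" = "sample" ]; then
    log_sample "$LOG_FILE"
fi
```

If list_ms climbs across the log while the per-set counts stay flat, the growth is not explained by the set contents; a restart of nftables should then show up as list_ms dropping back to the single-digit millisecond range the post reports, while uptime keeps increasing. Comparing the uptime column against a second host on the same kernel but without the dynamic sets narrows it further.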