Re: nftables: response of nft is rising

On Sun, Apr 23, 2017 at 4:36 PM, Robert White <rwhite@xxxxxxxxx> wrote:
> Is this day-one size or end-of-test size? e.g. are you saying you see
> the sets with 706 entries to start, or that you start empty and
> accumulated 506 entries? (or is it some other scenario)

The ruleset is starting with empty sets.
Each set is filled dynamically by fail2ban and by myself by investigating logfiles.
If elements are added by fail2ban, they get removed after a specific
bantime (mostly 30 days).
If I add some elements myself, they are blocked permanently.

> Aside from being potentially interesting, why do you care?
>
> This isn't a snarky question, are you seeing some other performance
> issues, like with actual packet clearing rates, or are you just noticing
> that the ruleset dump is taking longer?

Because the response time of the "nft" command is rising, the time
will come (perhaps after 20 days +/-)
when it takes more than 60 seconds. fail2ban then gets a timeout when
adding elements.
Attackers wouldn't be blocked anymore.

Besides this, I couldn't clear/save/flush anything in nftables anymore.
The whole backend is blocked or frozen, but intact.

> I'm pretty sure you are experiencing the normal effects of the context
> switches required to get the set members out of the kernel one element
> at a time. I don't see a bulk unload operation in the module operations
> structure so the enumeration time for extracting large sets might take a
> lot of time. Enumerating a set is way different than checking for
> membership.

Possible, but I never recognized this heavily increasing time with kernel-4.4.6.
So I thought about a memory leak or something like that?

> So if you dump the ruleset and then reload what you just dumped, does it
> take the same, more, or less time to dump the ruleset a second time?

As I wrote above, when I dump the ruleset by restarting nftables
(/etc/init.d/nftables restart), it first saves the ruleset,
clears the ruleset and reloads the ruleset. The response time is then reset.
That means loading the ruleset with approx. 800 elements (over all
sets) doesn't have any effect on the response time of nft?

It's a kind of memory leak or something like that?

--
Regards
Alex