On 06/01/2019 23:05, Florian Westphal wrote:
> Unfortunately not, right now nft dumps everything and filters in
> userspace. We need to propagate "table name" to the cache init
> function, but maybe more changes are needed to make this work
> (caching infra is tricky).
>
> This patch is a starting point, but it doesn't work correctly
> with libnftables/interactive mode (nft -i):

I just tested the patch, and it's way better now:

# time nft list ruleset > /dev/null
nft list ruleset > /dev/null  1.39s user 3.86s system 97% cpu 5.413 total
# time nft list table ip raw-set > /dev/null
nft list table ip raw-set > /dev/null  1.39s user 4.10s system 98% cpu 5.573 total
# time nft list table inet raw > /dev/null
nft list table inet raw > /dev/null  0.00s user 0.00s system 81% cpu 0.008 total

It's nice.

Maybe there is a way to add some other patch and introduce an option to hide sets' IPs? For instance:

# nft --hide-set-elements list table ip raw-set

would return:

table ip raw-set {
	set somelist {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { _hidden_ }
	}

	chain PREROUTING {
		... rules ...
	}

	chain OUTPUT {
		... rules ...
	}
}

Many people would appreciate this kind of output, especially when you deal with huge lists of IPs.
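Until such an option exists in nft itself, the effect proposed above can be approximated by post-processing the text listing. The following is an added example, not nftables code and not from this thread: a small filter that collapses every `elements = { ... }` block (including the multi-line blocks nft emits for large sets) to `elements = { _hidden_ }`, leaving the rest of the ruleset untouched. The sample listing, the `--hide-set-elements` spelling of the placeholder and the RFC 5737 documentation addresses in it are constructed for the example.

```python
"""Collapse set elements in `nft list ...` text output to a placeholder.

Added example approximating the proposed --hide-set-elements output; it
is not part of nftables. Usage: nft list table ip raw-set | python3 hide.py
"""
import re
import sys

# Matches the start of an element block; nft indents with tabs, \s* tolerates both.
ELEMENTS_RE = re.compile(r"^(\s*elements = \{)")


def hide_set_elements(listing: str, placeholder: str = "_hidden_") -> str:
    """Return the listing with every `elements = { ... }` block collapsed.

    nft wraps large element lists over several lines, so once a block is
    opened we track brace depth and drop lines until the matching `}`.
    """
    out = []
    depth = 0  # > 0 while inside an elements block that is still open
    for line in listing.splitlines():
        if depth == 0:
            m = ELEMENTS_RE.match(line)
            if not m:
                out.append(line)
                continue
            out.append(f"{m.group(1)} {placeholder} }}")
            rest = line[m.end():]
            depth = 1 + rest.count("{") - rest.count("}")  # 0 if closed on this line
        else:
            depth += line.count("{") - line.count("}")  # continuation line, dropped
    return "\n".join(out) + ("\n" if listing.endswith("\n") else "")


# Constructed sample listing (documentation address ranges, spaces for indentation).
SAMPLE_LISTING = """table ip raw-set {
    set somelist {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 192.0.2.0/24, 198.51.100.0/24,
                     203.0.113.0/24 }
    }
    set v6list {
        type ipv6_addr
        elements = { 2001:db8::1 }
    }
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        ip saddr @somelist drop
    }
}
"""

if __name__ == "__main__":
    sys.stdout.write(hide_set_elements(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING))
```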