This is the time of the flush command when there are no rules in nftables:

# time nft flush ruleset
nft flush ruleset  0.00s user 0.00s system 79% cpu 0.007 total

When I add my basic rules using the following file:

--------------------------------
# cat rules-base.nft
#!/usr/sbin/nft -f

flush ruleset

create table inet filter
create chain inet filter INPUT { type filter hook input priority 0; policy drop; }
create chain inet filter FORWARD { type filter hook forward priority 0; policy drop; }
create chain inet filter OUTPUT { type filter hook output priority 0; policy accept; }

add rule inet filter INPUT ct state invalid counter drop
add rule inet filter INPUT ct state related,established counter accept
add rule inet filter INPUT iifname "lo" counter accept
add rule inet filter INPUT counter drop
--------------------------------

the time of flushing the rules is also fast:

# time nft flush ruleset
nft flush ruleset  0.00s user 0.00s system 27% cpu 0.025 total

In my main rules file I have some huge sets of IPs:

# wc -l < rules.nft
153
# wc -l < sets/nft_set-bt_level1.nft
236804
# wc -l < sets/nft_set-bt_spyware.nft
3291
# wc -l < sets/nft_set-bt_webexploit.nft
2163

All the sets/* files are included in the rules.nft file using:

include "./sets/nft_set-bt_level1.nft"

When I load the rules and flush them:

# time nft -f /etc/nftables/rules.nft
nft -f /etc/nftables/rules.nft  3.48s user 2.46s system 96% cpu 6.183 total
# time nft flush ruleset
nft flush ruleset  0.00s user 0.00s system 68% cpu 0.009 total

it also works fine.

But when I have all the rules from my main set applied and try to load the rules from the rules-base.nft file I included above, I get this:

# time nft -f /etc/nftables/rules.nft
nft -f /etc/nftables/rules.nft  3.46s user 2.42s system 96% cpu 6.065 total
# time nft -f /etc/nftables/rules-base.nft
nft -f /etc/nftables/rules-base.nft  0.87s user 3.63s system 92% cpu 4.854 total
# time nft -f /etc/nftables/rules-base.nft
nft -f /etc/nftables/rules-base.nft  0.00s user 0.01s system 17% cpu 0.045 total

So the first time rules-base.nft is applied it takes almost 5 s to finish, whereas the second time (and the following ones) it takes only 0.04 s.

So what's wrong with it? It looks like flushing the rules from a file is causing some issues.
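A way to reproduce the measurement with a synthetic set, as an added example that is not part of the original message. It generates a constructed blocklist of 10.x.y.0/24 prefixes (not a real list; the bt_level1 set name is borrowed from the post, the file layout and paths are assumptions), a rules file that includes it, and a bash function that times two ways of replacing the ruleset: flushing inside the same file as the new rules, as the post does, and running a separate `nft flush ruleset` first. `nft -f` applies a whole file as one transaction, so in the first variant the release of the old set elements and the creation of the new ruleset are committed together; the timing function needs root and nft and returns 2 when it cannot run.

```shell
#!/bin/bash
# Added example (not from the original post): reproduce the slow-flush
# measurement with a constructed set and compare two ways of replacing it.
# Names, paths and element values are assumptions for illustration.

# Write an nftables set file holding N constructed 10.x.y.0/24 prefixes.
# The prefixes are generated, not a real blocklist; N must be <= 65536.
gen_set_file() {
    local out=$1 n=$2 i sep
    {
        printf 'table inet filter {\n'
        printf '  set bt_level1 {\n'
        printf '    type ipv4_addr\n'
        printf '    flags interval\n'   # required for CIDR elements
        printf '    elements = {\n'
        i=0
        while [ "$i" -lt "$n" ]; do
            sep=','
            [ "$i" -eq $((n - 1)) ] && sep=''
            printf '      10.%d.%d.0/24%s\n' $((i / 256)) $((i % 256)) "$sep"
            i=$((i + 1))
        done
        printf '    }\n  }\n}\n'
    } > "$out"
}

# Count the /24 elements in a generated set file.
set_element_count() {
    grep -c '/24' "$1"
}

# Write a minimal ruleset that includes the set file and drops traffic
# from it. The include comes before the chain so that @bt_level1 is
# already defined when the rule referencing it is evaluated.
gen_rules_file() {
    local out=$1 setfile=$2
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset
include "$setfile"
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state invalid counter drop
    ct state related,established counter accept
    iifname "lo" counter accept
    ip saddr @bt_level1 counter drop
  }
}
EOF
}

# Load RULES, then time replacing it with BASE two ways:
#  (a) BASE starts with "flush ruleset", so the flush and the new rules are
#      committed in one transaction (what the post measures);
#  (b) flush in its own transaction first, then load BASE.
# Needs root and nft; returns 2 when it cannot run, 1 if a load fails.
time_replace() {
    local rules=$1 base=$2
    command -v nft >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    nft -f "$rules" || return 1
    echo "(a) flush inside the same transaction:"
    time nft -f "$base"
    nft -f "$rules" || return 1
    echo "(b) flush in its own transaction, then load:"
    time nft flush ruleset
    time nft -f "$base"
}

# Usage, e.g. as root with rules-base.nft from the post in /etc/nftables:
#   gen_set_file /tmp/nft_set-bt_level1.nft 65536
#   gen_rules_file /tmp/rules.nft /tmp/nft_set-bt_level1.nft
#   time_replace /tmp/rules.nft /etc/nftables/rules-base.nft
```

The generated set uses `flags interval` because prefix elements need it; the two timings in `time_replace` are an experiment to run on the affected box, not a statement of what the kernel does with the old elements.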