On 07/01/2019 00:32, Florian Westphal wrote:
> Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
>> On 06/01/2019 23:05, Florian Westphal wrote:
>>> Unfortunately not, right now nft dumps everything and filters in
>>> userspace. We need to propagate "table name" to the cache init
>>> function, but maybe more changes are needed to make this work
>>> (caching infra is tricky).
>>>
>>> This patch is a starting point, but it doesn't work correctly
>>> with libnftables/interactive mode (nft -i):
>>>
>>
>> I just tested the patch, and it's a way better now:
>>
>> # time nft list ruleset > /dev/null
>> nft list ruleset > /dev/null 1.39s user 3.86s system 97% cpu 5.413 total
>>
>> # time nft list table ip raw-set > /dev/null
>> nft list table ip raw-set > /dev/null 1.39s user 4.10s system 98% cpu 5.573 total
>>
>> # time nft list table inet raw > /dev/null
>> nft list table inet raw > /dev/null 0.00s user 0.00s system 81% cpu 0.008 total
>>
>> It's nice.
>
> Thanks. It has to be reworked a bit so we handle interactive mode
> correctly, once I think it's good I will make formal patch submission.
>
>> Maybe is there a way to add some other patch and introduce an
>> option to hide sets' IPs?
>
> I think it would be a good idea.
>
>> Many people would appreciate this kind of output, especially
>> when you deal with huge lists of IPs.
>
> Agree, it makes sense.
>

What's the current status of this?