> It's possible to extend the interface to expose this, but how useful
> is this?

cristian: IMO, it is important from the operational point of view to
monitor the size of the sets. From an implementation point of view,
since the sets can grow to very large sizes, reading large packets over
netlink sockets just to count the elements in the sets does not seem
very efficient.

The nft user space tool has a switch which turns off showing the set
content: '-t'; however, it will only show the name of the set and the
flags. I also did not check if this feature is offered at the socket
layer or if the elements are actually read from the kernel but not
displayed.

thanks,
cristian

On Thu, Sep 30, 2021 at 4:00 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Thu, Sep 30, 2021 at 01:21:26PM +0200, Cristian Constantin wrote:
> > hi!
> >
> > is there a way to get from the kernel just some metrics about nft
> > sets, without getting
> > all (possibly lots of) elements of the set?
> >
> > e.g.:
> >
> > - number of full ip addresses (i.e. /32 prefix for ipv4);
> > - number of "prefix" elements;
> > - number of intervals;
>
> It's possible to extend the interface to expose this, but how useful
> is this?
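The three counts asked for in the quoted message (full addresses, prefixes, intervals) can be produced today in user space from the JSON dump that `nft -j list set` prints. The script below is an added example, not code from the nftables project or from anyone in this thread. It assumes the element encodings of the nft JSON output as understood here (a bare string for a single address, `{"prefix": ...}` for a prefix, `{"range": [lo, hi]}` for an interval, and `{"elem": {"val": ...}}` around elements that carry a timeout or comment); the embedded `SAMPLE_JSON` is constructed to that shape so the script runs without nft or root. Note that it does nothing about the cost the reply raises: the whole set is still transferred over netlink and parsed, it is merely not printed.

```python
"""Count full addresses, prefixes and intervals in an nft set.

Added example (not nftables project code). Reads the JSON that
`nft -j list set <family> <table> <name>` emits and classifies each
element in user space. A /32 (ipv4) or /128 (ipv6) prefix is counted
as a full address, matching the question in the thread.
"""
import json
import subprocess
from collections import Counter

# Host-length per set type; any other type is classified as 'other'.
FULL_LEN = {"ipv4_addr": 32, "ipv6_addr": 128}

# Constructed sample, shaped like `nft -j list set inet filter blocklist`
# output as assumed here (not captured from a real system).
SAMPLE_JSON = r'''
{"nftables": [
  {"metainfo": {"version": "1.0.0", "json_schema_version": 1}},
  {"set": {"family": "inet", "table": "filter", "name": "blocklist",
           "type": "ipv4_addr", "handle": 5, "flags": ["interval"],
           "elem": [
             "192.0.2.1",
             {"elem": {"val": "192.0.2.7", "timeout": 3600, "expires": 1200}},
             {"prefix": {"addr": "198.51.100.0", "len": 24}},
             {"prefix": {"addr": "203.0.113.64", "len": 32}},
             {"range": ["192.0.2.100", "192.0.2.120"]},
             {"elem": {"val": {"prefix": {"addr": "10.0.0.0", "len": 8}},
                       "comment": "rfc1918"}}
           ]}}
]}
'''


def classify_element(elem, full_len):
    """Return 'address', 'prefix', 'interval' or 'other' for one element."""
    # Elements with attributes (timeout, expires, comment) are wrapped in
    # {"elem": {"val": <value>, ...}}; unwrap to the bare value first.
    if isinstance(elem, dict) and "elem" in elem:
        elem = elem["elem"]["val"]
    if isinstance(elem, str):
        return "address"
    if isinstance(elem, dict):
        if "prefix" in elem:
            # A host-length prefix is a single address, not a real prefix.
            return "address" if elem["prefix"]["len"] == full_len else "prefix"
        if "range" in elem:
            lo, hi = elem["range"]
            # Degenerate interval [x, x] is one address; handle it anyway.
            return "address" if lo == hi else "interval"
    return "other"


def count_sets(doc):
    """Map 'family table name' -> Counter of element kinds plus 'total'."""
    result = {}
    for obj in doc.get("nftables", []):
        s = obj.get("set")
        if s is None:
            continue  # skip metainfo and anything that is not a set
        full_len = FULL_LEN.get(s.get("type"))
        counts = Counter()
        for e in s.get("elem", []):
            counts[classify_element(e, full_len)] += 1
        counts["total"] = sum(counts.values())
        result[f"{s['family']} {s['table']} {s['name']}"] = counts
    return result


def count_live_set(family, table, name):
    """Dump a real set with nft (needs the nft binary and CAP_NET_ADMIN)."""
    out = subprocess.run(["nft", "-j", "list", "set", family, table, name],
                         capture_output=True, text=True, check=True).stdout
    return count_sets(json.loads(out))


if __name__ == "__main__":
    for key, counts in count_sets(json.loads(SAMPLE_JSON)).items():
        print(key, dict(counts))
```

For monitoring, `count_live_set("inet", "filter", "blocklist")` gives the same Counter for a real set; on the constructed sample the result is 3 addresses, 2 prefixes, 1 interval, 6 elements in total.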