> > cristian: imo, it is important from the operational point of view to > > monitor the size of the sets. from an implementation point of view, > > since the sets can grow to very large sizes, reading large packets > > over netlink sockets just to count the elements in the sets does not > > seem very efficient. > > You mean, provide stats that allow to monitor the memory size? That > might make sense, yes. cristian: basically generic resource consumption monitoring. assume a setup like this: 1. ~1M ip addresses loaded in a set; 2. there is a filter rule which drops all forwarded ip packets with dst address matching the ip addresses in the set; 3. some traffic generator (e.g. hping3) floods the respective machine/interface with UDP traffic ~400 Kpkts/s, destination ip addresses being randomized but in the range of those in the respective set; the machine running the firewall uses btw. 15%-20% CPU (with occasional spikes up to 30%) so far I can tell, the number of ip addresses in a set can affect directly the CPU consumption as well... On Thu, Sep 30, 2021 at 8:04 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > On Thu, Sep 30, 2021 at 05:47:07PM +0200, Cristian Constantin wrote: > > > It's possible to extend the interface to expose this, but how useful > > > is this? > > > > cristian: imo, it is important from the operational point of view to > > monitor the size of the sets. from an implementation point of view, > > since the sets can grow to very large sizes, reading large packets > > over netlink sockets just to count the elements in the sets does not > > seem very efficient. > > You mean, provide stats that allow to monitor the memory size? That > might make sense, yes. > > > the nft user space tool has a switch which turns off showing the set > > content: '-t', however it will only show the name of the set and the > > flags. I also did not check if this feature is offered at the socket > > layer or if the elements are actually read from the kernel but not > > displayed. > > IIRC, they are read from the kernel, then not displayed, but it should > be easy to only fetch the set, I'll prepare a patch to speed -t > listing.
