Hello,

I have a problem with migration from iptables to nftables.

Our setup:
Intel(R) Xeon(R) E-2288G CPU @ 3.70GHz, 32GB RAM
NIC: XL710 for 40GbE QSFP+
CentOS 8, kernel 5.15.6-1.el8.elrepo.x86_64
nftables v1.0.1 (Fearless Fosdick #3)
5-8k IP clients, about 5-8 Gbit/s traffic

My problem:

1. Almost every new connection from the clients seems to drop a few packets on start (ICMP starts after the first 1-2 pings go missing, DNS queries slow down). After these first few packets, the connection (TCP session) is stable and it seems there are problems further on.

2. The DNS server on the router also has problems (slow response, which seems to be connected to the packet drops).

3. Almost every traceroute from the router ends like:

[root@new-kitana ~]# traceroute www.wp.pl
traceroute to www.wp.pl (212.77.98.9), 30 hops max, 60 byte packets
send: Operation not permitted

mtr and ping work, but sometimes we have the same issue as with traceroute. The more traffic, the more problems we observe.

After disabling nftables (nft flush ruleset) everything gets back to normal.

The attachment has the nft ruleset with the sets stripped (the whole nft ruleset is about 650kB; we have about 6k snat/dnat map elements, ip/mac sets, ip/mark sets etc.).

The same machine with a very similar iptables setup has no problems.

Please advise :)

Greetings,
Stanisław Czech
Attachment:
nft_ruleset
Description: Binary data