Re: List chain during attack high CPU usage

On Thu, Sep 01, 2022 at 12:34:15PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Aug 31, 2022 at 02:18:17AM +0200, Brskt wrote:
> > Hello,
> > 
> > I'm using some filter which uses sets with meters. When the server is
> > receiving a lot of packets per second (~800k+) and I use the command to
> > list the chain, it takes ~80% of CPU and takes a long time to return
> > output.
> > 
> > # cat /etc/issue
> > Welcome to Alpine Linux 3.16
> > 
> > # nft -v
> > nftables v1.0.5 (Lester Gooch #4)
> > 
> > # uname -r
> > 5.15.62-1-lts
> 
> Could you provide more information on your setup? ruleset?
> 
> Ruleset listing is also lockless.
> 
> It is hard to guess with this short notice.

For the record, the existing userspace cache logic in nftables is
retrieving the elements in your set, and I suspect you have a lot of
elements, that is why:

        nft list chain x y

is likely taking time there to show the listing.

It should be possible to improve this cache logic, it will only
require a userspace software update.
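A quick way to confirm the "lots of elements" suspicion from the reply above is to count the elements per set in a `nft -j list ruleset` dump. This is an added example, not code from the thread or from the nftables project; it assumes the libnftables JSON layout (a top-level `nftables` array with `set`/`map` objects carrying an `elem` list) and embeds a constructed sample ruleset rather than the reporter's real one.

```python
import json
import sys

# Constructed sample of `nft -j list ruleset` output (not captured from the
# reporter's box): one small static set and one dynamic set of the kind a
# meter-style rule fills under load, which is where element counts explode.
SAMPLE_RULESET = {
    "nftables": [
        {"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4",
                      "json_schema_version": 1}},
        {"table": {"family": "inet", "name": "x", "handle": 1}},
        {"set": {"family": "inet", "name": "allowlist", "table": "x",
                 "type": "ipv4_addr", "handle": 2,
                 "elem": ["192.0.2.10",
                          {"prefix": {"addr": "198.51.100.0", "len": 24}}]}},
        {"set": {"family": "inet", "name": "flood", "table": "x",
                 "type": "ipv4_addr", "handle": 3,
                 "flags": ["dynamic", "timeout"], "timeout": 60,
                 # 5000 constructed entries in the timed-element form nft uses
                 "elem": [{"elem": {"val": f"10.{(i >> 8) & 255}.{i & 255}.1",
                                    "expires": 30}} for i in range(5000)]}},
    ]
}


def count_set_elements(ruleset):
    """Return {(family, table, name): element_count} for every set and map
    in a `nft -j list ruleset` document; sets with no elements count as 0."""
    counts = {}
    for obj in ruleset.get("nftables", []):
        s = obj.get("set") or obj.get("map")
        if s is None:
            continue
        counts[(s["family"], s["table"], s["name"])] = len(s.get("elem", []))
    return counts


def oversized_sets(ruleset, threshold=1000):
    """Sets holding more than `threshold` elements, largest first."""
    big = [(k, n) for k, n in count_set_elements(ruleset).items() if n > threshold]
    return sorted(big, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Usage: nft -j list ruleset > dump.json; python3 this_script.py dump.json
    # With no argument the constructed sample above is analysed instead.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULESET
    for (family, table, name), n in oversized_sets(data):
        print(f"{family} {table} {name}: {n} elements")
```

If a set shows up here with a very large count, `nft -t list chain x y` (terse mode, which omits set contents) avoids pulling the elements into the userspace cache just to print the chain.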
