On Thu, Aug 03, 2023 at 11:49:59AM +0000, Brskt wrote:
> Hi,
>
> Are there any updates on this?
>
> https://marc.info/?l=netfilter&m=166256224929259&w=2
>
> I don't understand why using "nft list chain netdev firewall filter" takes
> time and CPU usage even if a set has a high number of elements, since we
> don't show the elements in the set.
>
> There is the filter command in the chain "nft add rule netdev firewall
> filter update @ratelimit_test { ip saddr . ip daddr . th dport } counter
> drop" which uses the set, but we don't see how many elements and/or which
> elements are in the set.
>
> Listing a chain should not try to load the elements in the set(s) that are
> used in a filter, like iptables with ipset does not.
> It also does the same even if "counter" is not used.

Patch to address this issue:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230822095324.23656-1-pablo@xxxxxxxxxxxxx/