Is there an existing issue for this?
What are you currently unable to do
I have some nftables sets in chains/tables that I manage on a host that also runs Incus.
Some of these sets contain more than 1 million entries, which presently makes nft list ruleset, nft list set, etc., take a long time (tens of minutes) at high CPU consumption.
Incus calls nft --json -nn list ruleset, which likewise triggers that problem:

    cmd := exec.Command("nft", "--json", "-nn", "list", "ruleset")
What do you think would need to be added
If the specific elements within sets are unneeded by Incus' nftParseRuleset(), then you could include the -t / --terse option for the nft command, which omits the set elements but emits everything else.
nft --terse --json -nn list ruleset is fast on my host, despite my sets containing millions of entries, and I think it would still contain all the data that Incus needs for nftParseRuleset().
Code reference for the call quoted above: incus/internal/server/firewall/drivers/drivers_nftables.go, line 89 in dffb1d0
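The parsing claim in the issue above, checked as an added Go example (not code from the issue or from Incus): a hypothetical parseRuleset pulls tables and chains out of nft JSON output and returns the same items whether or not the set's "elem" array is present. The item type, the table, chain and set names, and both JSON samples (constructed, in the libnftables JSON layout) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// item is one table or chain from the ruleset (hypothetical type, not Incus's own).
type item struct{ Kind, Family, Table, Name string }

// Constructed sample: one ruleset printed without and with --terse; only "elem" differs.
const head = `{"nftables":[{"metainfo":{"json_schema_version":1}},
 {"table":{"family":"inet","name":"incus","handle":1}},
 {"chain":{"family":"inet","table":"incus","name":"fwd.incusbr0","handle":2}},
 {"table":{"family":"inet","name":"admin","handle":3}},
 {"set":{"family":"inet","table":"admin","name":"blocklist","type":"ipv4_addr","handle":4`
const fullJSON = head + `,"elem":["192.0.2.1","192.0.2.2","198.51.100.7"]}}]}`
const terseJSON = head + `}}]}`

// parseRuleset returns the tables and chains found, plus how many set elements were decoded.
func parseRuleset(out []byte) (items []item, elems int, err error) {
	var doc struct{ Nftables []map[string]json.RawMessage }
	if err = json.Unmarshal(out, &doc); err != nil {
		return nil, 0, err
	}
	for _, entry := range doc.Nftables {
		for kind, raw := range entry { // each entry holds a single key
			// encoding/json matches the lower-case keys to these fields case-insensitively.
			var obj struct{ Family, Table, Name string; Elem []json.RawMessage }
			if err = json.Unmarshal(raw, &obj); err != nil {
				return nil, 0, err
			}
			if kind == "table" || kind == "chain" {
				items = append(items, item{kind, obj.Family, obj.Table, obj.Name})
			}
			elems += len(obj.Elem) // non-zero only where "elem" was emitted
		}
	}
	return items, elems, nil
}

func main() {
	// On a live host the input would be the output of the command from the issue:
	// exec.Command("nft", "--terse", "--json", "-nn", "list", "ruleset")
	for _, in := range []string{fullJSON, terseJSON} {
		fmt.Println(parseRuleset([]byte(in)))
	}
}
```

With a set of a million entries, the elems count is what the non-terse call forces nft to serialize and the caller to decode, even though none of it reaches the returned items.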