[Kernel Bug 86261] Ipset add/restore slowed to a crawl in kernel 3.17 (and 3.17.1)

[Kim N <spam1@norring.dk>]

Daniel Borkmann (dborkman@redhat.com) requested that I report this issue 
here:

------
The speed of adding and restoring IPs in ipset has changed drastically 
from kernel version 3.16.5 to 3.17.0.

3.16.5 adds and restores attached list of IP ranges (~430 records) in 
0-1 seconds.
3.17.0 adds in 30s and restores in 14s.

Some of the other files I use with country IP ranges contains more than 
50.000 records taking hours to add/restore in kernel 3.17.

I used a clean VirtualBox Debian installation for this test.
The kernels were build using default settings.
-----

Test-script/data and details can be found here:

https://bugzilla.kernel.org/show_bug.cgi?id=86261

Kind regards

Kim Nørring

-------- Forwarded Message --------
Subject: 	Re: Fwd: [Bug 86261] New: Ipset add/restore slowed to a crawl
Date: 	Tue, 21 Oct 2014 20:50:57 +0200
From: 	Daniel Borkmann <dborkman@redhat.com>
To: 	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
CC: 	spam1@norring.dk



[ Cc'ing reporter ]

On 10/21/2014 08:48 PM, Jozsef Kadlecsik wrote:
> Hi,
>
> On Mon, 20 Oct 2014, Daniel Borkmann wrote:
>
>> -------- Original Message --------
>> Subject: [Bug 86261] New: Ipset add/restore slowed to a crawl
>> Date: Tue, 14 Oct 2014 18:58:57 +0000
>> From:bugzilla-daemon@bugzilla.kernel.org
>> To:dborkman@redhat.com
>>
>>https://bugzilla.kernel.org/show_bug.cgi?id=86261
>>
>>              Bug ID: 86261
>>             Summary: Ipset add/restore slowed to a crawl
>>             Product: Networking
>>             Version: 2.5
>>      Kernel Version: Linux debian2 3.17.0
>>            Hardware: i386
>>                  OS: Linux
>>                Tree: Mainline
>>              Status: NEW
>>            Severity: high
>>            Priority: P1
>>           Component: Netfilter/Iptables
>>            Assignee:networking_netfilter-iptables@kernel-bugs.osdl.org
>>            Reporter:spam1@norring.dk
>>          Regression: No
>>
>> Created attachment 153751
>>    -->https://bugzilla.kernel.org/attachment.cgi?id=153751&action=edit
>> IP range for Afghanistan in CIDR format
>>
>> The speed of adding and restoring IPs in ipset has changed drastically from
>> kernel version 3.16.5 to 3.17.0.
>>
>> 3.16.5 adds and restores attached list of IP ranges (~430 records) in 0-1
>> seconds.
>> 3.17.0 adds in 30s and restores in 14s.
>>
>> Some of the other files I use with country IP ranges contains more than 50.000
>> records taking hours to add/restore in kernel 3.17.
>>
>> I used a clean VirtualBox Debian installation for this test.
>> The kernels were build using default settings.
>>
>>
>> Script:
>> **********************
>> #!/bin/bash
>> IPSET=/usr/sbin/ipset
>> IPSET_NAME=mytest
>>
>> function addThem {
>>      for IP in $(cat ./AF); do
>>          $IPSET add $IPSET_NAME $IP
>>      done
>> }
>>
>> ipset x
>>
>> $IPSET create $IPSET_NAME hash:net
>>
>> time addThem
>>
>> time $IPSET save > ./saved
>>
>> ipset x
>>
>> time $IPSET restore < ./saved
>>
>> *****************
>
> I went through the ipset relates patches between 3.16 and 3.17 and see
> nothing which could result such a performance drop. The patches either
> fix static checker or other warnings or contain new features (skbinfo
> extension and hash:mac set type) which looks totally independet from this.
> (Netlink itself changed radically between the two kernel releases.)
>
> So I'm going to setup an environment to check it myself.
>
> Best regards,
> Jozsef
> -
> E-mail  :kadlec@blackhole.kfki.hu,kadlecsik.jozsef@wigner.mta.hu
> PGP key :http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>            H-1525 Budapest 114, POB. 49, Hungary
>



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html