Slow "nft list counters"

Slow "nft list counters"

[Stephan Ferlin-Reiter]

Hi,

On a host I have many network interfaces with associated nftables
rules and named counters. I’d like to get the state of the counters
and thought about running “nft -j list counters”. That seems to take
many seconds, however. As an alternative I wrote a small program that
talks netlink and sends a dump request with NFT_MSG_GETOBJ for the
tables I care about. That takes just milliseconds.

Now I’m wondering whether I’m missing something in my program - I do
seem to get what I care about. I’m also curious as to why the
operation with the nft tool takes so long. Is it maybe looking at all
the rules, which are complex in my case?

Thanks
Stephan

Re: Slow "nft list counters"

[Pablo Neira Ayuso]

On Mon, Oct 06, 2025 at 12:39:56PM +0200, Stephan Ferlin-Reiter wrote:
> Hi,
> 
> On a host I have many network interfaces with associated nftables
> rules and named counters. I’d like to get the state of the counters
> and thought about running “nft -j list counters”. That seems to take
> many seconds, however. As an alternative I wrote a small program that
> talks netlink and sends a dump request with NFT_MSG_GETOBJ for the
> tables I care about. That takes just milliseconds.
> 
> Now I’m wondering whether I’m missing something in my program - I do
> seem to get what I care about. I’m also curious as to why the
> operation with the nft tool takes so long. Is it maybe looking at all
> the rules, which are complex in my case?

What userspace nftables version are you using?

I remember to have speed up this recently:

commit 969ce17b66f8084626610202f11d607911e049e6
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Aug 26 00:41:37 2024 +0200

    cache: add filtering support for objects
    
    Currently, full ruleset flag is set on to fetch objects.

otherwise, provide simple script to reproduce.

Thanks.

Re: Slow "nft list counters"

[Stephan Ferlin-Reiter]

¡Hola!

nft --version prints:
nftables v0.9.8 (E.D.S.)

Which doesn't include your fix. Fantastic timing that you improved the
situation just recently, Pablo.

Thank you! I'll try to build the latest version of nft and give it a go,
Stephan

Am Mo., 6. Okt. 2025 um 22:52 Uhr schrieb Pablo Neira Ayuso
<pablo@netfilter.org>:
>
> On Mon, Oct 06, 2025 at 12:39:56PM +0200, Stephan Ferlin-Reiter wrote:
> > Hi,
> >
> > On a host I have many network interfaces with associated nftables
> > rules and named counters. I’d like to get the state of the counters
> > and thought about running “nft -j list counters”. That seems to take
> > many seconds, however. As an alternative I wrote a small program that
> > talks netlink and sends a dump request with NFT_MSG_GETOBJ for the
> > tables I care about. That takes just milliseconds.
> >
> > Now I’m wondering whether I’m missing something in my program - I do
> > seem to get what I care about. I’m also curious as to why the
> > operation with the nft tool takes so long. Is it maybe looking at all
> > the rules, which are complex in my case?
>
> What userspace nftables version are you using?
>
> I remember to have speed up this recently:
>
> commit 969ce17b66f8084626610202f11d607911e049e6
> Author: Pablo Neira Ayuso <pablo@netfilter.org>
> Date:   Mon Aug 26 00:41:37 2024 +0200
>
>     cache: add filtering support for objects
>
>     Currently, full ruleset flag is set on to fetch objects.
>
> otherwise, provide simple script to reproduce.
>
> Thanks.