Hi,
I'd like to propose switching from individual nft commands to nft -f in
the nftables firewall backend — either as a new backend or as an
extension of the existing one.
The main motivation is performance. In benchmarking, nft -f is about 46%
faster:
The following commands are run on the .args files in the nwfilter
nftables v6 patch.
$ time for i in *.args; do n=$(echo $i | sed s/.args$//); sudo ./reset-tables.sh; sudo sh -e $i; done
real 0m8.335s
user 0m0.320s
sys 0m0.564s
$ time for i in *.output; do sudo ./reset-tables.sh skipvmap; sudo nft -f $i; done
real 0m4.518s
user 0m0.274s
sys 0m0.498s
On top of that, loading a full ruleset via nft -f is atomic for the
whole set of changes, which allows us to remove the rollback logic and
removes the need for tmp rules.
One issue I see is that the current approach allows certain commands to
fail silently: deleting something that doesn't exist won't abort the
operation. That's not the case with nft -f, where a failure stops the
whole load. One approach here is to only use nft -f for sections that
don't contain ignore-errors commands, and run those separately as
individual commands.
As described earlier: to handle the current non-atomic nature, we have a
few extra commands in place — a temporary jump rule, delete vmap entry,
add vmap entry. The tmp jump can be replaced by running nft -f instead.
I wonder what your opinions are about adding nft -f.
Regards,
Dion
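To illustrate the split proposed above (ignore-errors commands run individually, everything else loaded atomically with nft -f), here is an added example; it is not libvirt code. It assumes a hypothetical marker, a trailing "|| true", to flag ignore-errors lines in a .args-style script, and the sample script is constructed.

```shell
#!/bin/sh
# Added example, not part of libvirt. Splits a script of individual
# `nft ...` commands into (a) a batch file for `nft -f`, loaded atomically,
# and (b) the commands that must keep ignore-errors semantics and so are
# run one by one. Assumption: such commands carry a trailing `|| true`
# (hypothetical marker, not libvirt's format).

# Constructed sample input, loosely modelled on a .args script.
make_sample_args() {
    cat > "$1" <<'EOF'
nft add table ip libvirt_test
nft add chain ip libvirt_test input { type filter hook input priority 0 ; }
nft delete element ip libvirt_test vmap { "vnet0" } || true
nft add rule ip libvirt_test input iifname "vnet0" drop
EOF
}

# split_args ARGS_FILE BATCH_OUT INDIVIDUAL_OUT
# Lines marked `|| true` go to INDIVIDUAL_OUT unchanged; every other
# `nft ...` line goes to BATCH_OUT with the `nft ` prefix stripped,
# because `nft -f` reads bare commands, not shell invocations.
split_args() {
    args=$1; batch=$2; indiv=$3
    : > "$batch"; : > "$indiv"
    while IFS= read -r line; do
        case $line in
            '')          continue ;;
            *'|| true')  printf '%s\n' "$line" >> "$indiv" ;;
            nft\ *)      printf '%s\n' "${line#nft }" >> "$batch" ;;
            *)           printf '%s\n' "$line" >> "$indiv" ;;
        esac
    done < "$args"
}

# apply_split BATCH_FILE INDIVIDUAL_FILE
# Runs the ignore-errors commands first (each may fail harmlessly), then
# loads the remainder atomically: if nft -f rejects anything, none of the
# batched changes are applied. Caveat: the individual deletes are outside
# that transaction, so a failed batch still leaves them applied.
apply_split() {
    batch=$1; indiv=$2; nft=${NFT:-nft}
    while IFS= read -r cmd; do
        sh -c "$cmd"
    done < "$indiv"
    "$nft" -f "$batch"
}
```

Set NFT to another command (for example "cat") to preview the batch file without touching the live ruleset.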