On 4/3/24 07:37, DERUMIER, Alexandre via pve-devel wrote:
> I'll really take time to test it (I was super busy these last months
> with a datacenter migration), as I have been waiting for nftables for a while.
>
> Can't help too much with Rust, but I really appreciate it, as I had
> some servers with a lot of VMs && rules, which take more than 10s to generate
> the rules with the current Perl implementation.
Thanks! I'd be really interested in how this performs with a large ruleset, since I haven't really tried with an excessively large ruleset so far. I have only done very basic checks of the performance, but it looked quite promising. 50% of the time is actually spent in libnftables, so I'd be interested to see how this changes with large rulesets.

There is also still some room for performance improvements, since performance wasn't my main concern so far. For instance, I am currently reading the guest configuration files 1:1 via the filesystem, but I wanted to implement getting the configuration via pmxcfs, where one call would then suffice to retrieve the network configuration of all guests.

If you have a large configuration I could use for testing that you'd be willing to share, then I could run tests myself. Otherwise I will probably use a script to generate a huge config myself at some point.

> I really would like to not have fwbr bridge anymore, because I have
> seen a big performance bug with them:

I agree 100%, getting rid of those would eliminate several bugs and issues.

> I'll try your code, see the generated rules, and try to see if I can
> get reject working.

Thanks! Maybe you can come up with something. Otherwise we might have to implement a configuration option that switches between firewall bridge on/off, and people have to make choices about the tradeoffs themselves.

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel