Had to restart it on Eru, because 31GiB resident memory was making the server crawl.
Firewalling temporarily disabled, because it's currently causing more trouble than what it is worth. sigh
A single thread in a release build can do ~4-5 blocks / sec on my development box. That's... piss poor.
On top of that, it slows down over time.
Hrm. The problem with batching is that I'd need to build separate commands for each set. So what if I made this simpler, and I'd only have two sets: one for IPv4 and one for IPv6 addresses.
No per-ruleset counters that way, but much simpler implementation.
Inserted 120k entries in about a minute, so about 2000 / second, with a batch size of 1000. Not bad. Not perfect, but not bad.
Now to figure out how to make it timeout, so I don't have IPs stuck in the queue if I don't reach the batch limit.
Then clean up the code, and all that.
So... what if I had one thread to send tasks to, which collects them in a pair of HashSets. I can make these tokio tasks, so that I can have an interval ticking too.
When the hashsets reach their quota, or interval expires, this thread will construct an nft command, and send it over to another thread that talks with nftables.
The advantage of this architecture is that I can later turn the nftables thread into a threadpool.
Current downside: no per-ruleset chains or sets. Not sure how I will ferry the table name over, either.
This will break the firewall API on the Roto side (unless I keep it the same, but ignore some params).
For #iocaine 3.4, I think I'm just gonna ignore the table & set name, and use hard-coded ones. Not very nice, but that's a simple to implement and API-compatible way.
Will fix it in 4.0. That'll restore configurable table name, but the per-ruleset sets and chains will be gone (from the API too).
@petko It's mostly parsing. I don't directly talk to netlink, I talk to libnftables, which turns a string into... something, and then sends that to netlink.
There's quite a bit of work involved in that process that has nothing to do with nftables.
I could make it a lot faster if I talked directly to netlink, but the Rust support for that is limited. So: compromises had to be made.
The fault lies not in nft or libnftables, but in the way I use them.
a very strange trackball
Vysogota