[Bug 1918936] Re: ipset does NSS lookups even if ports are numeric

Sat Mar 13 00:23:01 UTC 2021

Current size of ipset used for testing:

| ubuntu at juju-87625f-hloeung-93:~/ipset$ wc -l ~/whitelist-ipv4
| 515698 /home/ubuntu/whitelist-ipv4

With the patch:

| ubuntu at juju-87625f-hloeung-93:~/ipset$ sudo ipset destroy test
| ubuntu at juju-87625f-hloeung-93:~/ipset$ sudo ipset create test hash:net,port,net hashsize 4096 maxelem 786432
| ubuntu at juju-87625f-hloeung-93:~/ipset$ time sudo ~/ipset/src/ipset restore < ~/whitelist-ipv4
|
| real    0m7.204s
| user    0m3.104s
| sys     0m3.877s

vs without.

| ubuntu at juju-87625f-hloeung-93:~/ipset$ sudo ipset destroy test
| ubuntu at juju-87625f-hloeung-93:~/ipset$ sudo ipset create test hash:net,port,net hashsize 4096 maxelem 786432
| ubuntu at juju-87625f-hloeung-93:~/ipset$ time sudo ~/ipset/src/ipset restore < ~/whitelist-ipv4 
|
| real    0m33.232s
| user    0m25.291s
| sys     0m7.682s

Output of what I used to revert to compare -
https://paste.ubuntu.com/p/x9wcsQdxMn/

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ipset in Ubuntu.
https://bugs.launchpad.net/bugs/1918936

Title:
  ipset does NSS lookups even if ports are numeric

Status in ipset package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  Do you think we could get
  https://git.netfilter.org/ipset/commit/?id=dbeb20a667e82e4efb8b26b24a0ec641dab5c857
  SRUed to 20.04 ?

  This divides our ipset loading time by ~2 (from ~60s to ~25s).

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ipset/+bug/1918936/+subscriptions