Adding firewall port ranges makes commit/boot MASSIVELY slow
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	xrobau
	Nov 24 2021, 1:12 AM

Description

As of this commit, every port is checked with an exec(ipset -T):

https://github.com/vyos/vyatta-cfg-firewall/commit/835304e5aaa252e8b0bcf4651629cd089e670147

If there is a large port range, this can take many many minutes. A simple example would be

conf
set firewall group port-group slowwwwww port '20000-65531'
commit

That would run ipset -T 45,531 times.

A better idea is to get the ipset result BEFORE the check, and then iterate over the result to see if anything is missing.

Details

Version: VyOS 1.3-beta-202111232035
Is it a breaking change?: Behavior change

Related Objects

Mentioned Here: T2189: Adding a large port-range will take ~ 20 minutes to commit

Event Timeline

xrobau created this task.Nov 24 2021, 1:12 AM

xrobau triaged this task as Low priority.

xrobau created this object in space S1 VyOS Public.

Duplicate? T2189

I'm going to do what I suggested.

IpSetMgr package https://github.com/xrobau/vyatta-cfg-firewall/commit/ac9fefc6750f1c15ae25660847e2b46fe777081c

pasik subscribed.Dec 21 2021, 8:45 AM

There were some improvements for 1.3 related ipset checks and implemented in T2189, but due to the old backend it is impossible to do anything else.
The 1.5/1.4 do not have this issue
Close the task

Adding firewall port ranges makes commit/boot MASSIVELY slowClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Adding firewall port ranges makes commit/boot MASSIVELY slow
Closed, ResolvedPublic
Actions