Extremely Slow Performance Rebuilding Long List of Rich Rules
https://github.com/firewalld/firewalld/issues/849
I restarted firewalld again with debug=10. I’m not sure where this comes from, to be honest.
Directly after starting firewalld, I get this in the logs.
2021-09-06 10:33:16 DEBUG2: Introspect()
2021-09-06 10:33:16 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='y.y.y.y' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 10:33:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.execute(True)
2021-09-06 10:33:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.prepare(True, ...)
2021-09-06 10:33:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.pre()
2021-09-06 10:33:16 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_FedoraServer_deny", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv4"}}, {"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": "y.y.y.y"}}, {"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"reject": {"type": "icmp", "expr": "port-unreachable"}}]}}}]}
2021-09-06 10:33:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.post()
2021-09-06 10:33:16 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='y.y.y.y' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
2021-09-06 10:33:17 DEBUG2: Introspect()
2021-09-06 10:33:17 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='x.x.x.x' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 10:33:17 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.execute(True)
2021-09-06 10:33:17 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.prepare(True, ...)
2021-09-06 10:33:17 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.pre()
2021-09-06 10:33:17 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_FedoraServer_deny", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv4"}}, {"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": "x.x.x.x"}}, {"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"reject": {"type": "icmp", "expr": "port-unreachable"}}]}}}]}
2021-09-06 10:33:17 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.post()
2021-09-06 10:33:17 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='x.x.x.x' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
After an hour and a half, I get:
2021-09-06 11:57:44 DEBUG2: Introspect()
2021-09-06 11:57:44 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='a.a.a.a' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 11:57:44 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.execute(True)
2021-09-06 11:57:44 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.prepare(True, ...)
2021-09-06 11:57:44 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.pre()
2021-09-06 11:57:44 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_FedoraServer_deny", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv4"}}, {"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": "a.a.a.a"}}, {"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"reject": {"type": "icmp", "expr": "port-unreachable"}}]}}}]}
2021-09-06 11:57:48 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.post()
2021-09-06 11:57:48 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='a.a.a.a' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
2021-09-06 11:57:48 DEBUG2: Introspect()
2021-09-06 11:57:48 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='b.b.b.b' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 11:57:48 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.execute(True)
2021-09-06 11:57:48 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.prepare(True, ...)
2021-09-06 11:57:48 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.pre()
2021-09-06 11:57:48 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_FedoraServer_deny", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv4"}}, {"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": "b.b.b.b"}}, {"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"reject": {"type": "icmp", "expr": "port-unreachable"}}]}}}]}
2021-09-06 11:57:52 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.post()
2021-09-06 11:57:52 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='b.b.b.b' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
What I’m seeing here is that initially the time between rule insertions is about a second. After an hour and a half and 3700+ rules inserted, the time between insertions has gone up to 4 seconds.
Could there be some sort of throttling going on?
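As an added example (not part of the issue thread and not firewalld project code), the script below turns the eyeballing above into numbers: it parses the `zone.addRichRule` / `zone.RichRuleAdded` pairs out of a `debug=10` log and reports how the per-rule transaction latency changes from the start of the run to the end. The sample log text is constructed from the line format shown in the comment (with the same placeholder addresses); the function names and the 1-second "degrading" threshold are my own choices.

```python
import re
import sys
from datetime import datetime

# Constructed sample in the firewalld debug=10 format shown in the issue.
# The addresses are the thread's placeholders, not real hosts.
SAMPLE_LOG = """\
2021-09-06 10:33:16 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='y.y.y.y' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 10:33:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallTransaction'>.execute(True)
2021-09-06 10:33:16 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='y.y.y.y' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
2021-09-06 10:33:17 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='x.x.x.x' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 10:33:17 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='x.x.x.x' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
2021-09-06 11:57:44 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='a.a.a.a' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 11:57:48 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='a.a.a.a' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
2021-09-06 11:57:48 DEBUG1: zone.addRichRule('FedoraServer', 'rule family='ipv4' source address='b.b.b.b' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'')
2021-09-06 11:57:52 DEBUG1: zone.RichRuleAdded('FedoraServer', 'rule family='ipv4' source address='b.b.b.b' port port='ssh' protocol='tcp' reject type='icmp-port-unreachable'', 0)
"""

# Matches only the two D-Bus events we care about; the rule text keeps its inner quotes,
# and the trailing ", 0" return code on RichRuleAdded is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DEBUG\d+: "
    r"zone\.(?P<event>addRichRule|RichRuleAdded)\('(?P<zone>[^']+)', "
    r"'(?P<rule>rule .*?)'(?:, \d+)?\)$"
)
ADDR_RE = re.compile(r"source address='([^']+)'")


def parse_events(log_text):
    """Return [(timestamp, event, zone, rule_text)] for rich-rule events, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["event"], m["zone"], m["rule"]))
    return events


def rule_latencies(events):
    """Pair each addRichRule with its RichRuleAdded and measure the seconds in between.

    Returns [(source_address, start_timestamp, seconds)] in insertion order.
    Keying on (zone, rule text) is sufficient because a rich rule is unique per zone.
    """
    pending = {}
    result = []
    for ts, event, zone, rule in events:
        key = (zone, rule)
        if event == "addRichRule":
            pending[key] = ts
        elif event == "RichRuleAdded" and key in pending:
            start = pending.pop(key)
            addr_match = ADDR_RE.search(rule)
            addr = addr_match.group(1) if addr_match else "?"
            result.append((addr, start, (ts - start).total_seconds()))
    return result


def summarize(latencies, window=2):
    """Compare the mean per-rule latency of the first and last `window` rules."""
    secs = [s for _, _, s in latencies]
    if len(secs) < 2 * window:
        raise ValueError("need at least %d paired rules" % (2 * window))
    first = sum(secs[:window]) / window
    last = sum(secs[-window:]) / window
    return {
        "rules": len(secs),
        "first_mean_s": first,
        "last_mean_s": last,
        # "degrading" if the tail is clearly slower than the head; 1 s is an arbitrary cut-off
        "degrading": last > first + 1.0,
    }


if __name__ == "__main__":
    # Pass a real firewalld log path as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    lats = rule_latencies(parse_events(text))
    for addr, start, secs in lats:
        print("%s  %-16s %.0fs" % (start.isoformat(sep=" "), addr, secs))
    print(summarize(lats))
```

Run it against the full log (`python3 richrule_latency.py /var/log/firewalld`, path assumed) rather than the excerpt to see the whole curve; the metric is the time each individual transaction takes, which is not distorted by gaps in a trimmed log the way "time between insertions" would be. The pattern it measures has a structural cause worth keeping in mind: every rich rule in this log is its own `FirewallTransaction` and its own call into nftables, so the cost of each insertion grows with the size of the ruleset already present. For a long list of addresses that all get the same verdict, a firewalld ipset populated with the addresses and referenced by a single rich rule (`source ipset=NAME`) keeps the number of per-rule transactions constant instead of linear in the list length.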