
Adding firewall port ranges makes commit/boot MASSIVELY slow
Closed, Resolved, Public


As of this commit, every port is checked with an exec(ipset -T):

If there is a large port range, this can take many many minutes. A simple example would be

set firewall group port-group slowwwwww port '20000-65531'

That would run ipset -T 45,531 times.

A better idea is to get the ipset result BEFORE the check, and then iterate over the result to see if anything is missing.


Difficulty level
Unknown (require assessment)
VyOS 1.3-beta-202111232035
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Improvement (missing useful functionality)
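
The approach suggested in the task description, as an added example (not code from VyOS or from this task): list the set once and compare against the configured range in memory. It assumes plain `ipset list` output for a single set with one port or port range per line under `Members:`; the function names and the sample listing are constructed for illustration.

```python
import subprocess

def parse_port_range(spec):
    """'20000-65531' or '443' -> inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return low, high

def parse_members(listing):
    """Collect the ports under 'Members:' in plain `ipset list` output."""
    members, in_members = set(), False
    for line in listing.splitlines():
        line = line.strip()
        if line == "Members:":
            in_members = True
        elif in_members:
            if not line:          # blank line ends the member section
                break
            low, high = parse_port_range(line.split()[0])  # ignore per-entry options
            members.update(range(low, high + 1))
    return members

def missing_ports(spec, listing):
    """Ports in the configured range that the kernel set does not contain."""
    low, high = parse_port_range(spec)
    present = parse_members(listing)
    return [p for p in range(low, high + 1) if p not in present]

def list_set(name):
    """One process spawn per group, instead of one `ipset -T` per port."""
    return subprocess.run(["ipset", "list", name], check=True,
                          capture_output=True, text=True).stdout

def sample_listing(skip=(30000, 65531)):
    """Constructed listing for the group in the task, with two ports left out."""
    header = ["Name: slowwwwww", "Type: bitmap:port", "Header: range 0-65535",
              "Members:"]
    ports = [str(p) for p in range(20000, 65532) if p not in skip]
    return "\n".join(header + ports) + "\n"

if __name__ == "__main__":
    # On a router: missing_ports("20000-65531", list_set("slowwwwww"))
    print(missing_ports("20000-65531", sample_listing()))
```

The set name is passed to `ipset` as a separate argument with no shell involved, so a group name from the configuration cannot be interpreted as shell syntax.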

Event Timeline

xrobau created this task.
xrobau created this object in space S1 VyOS Public.
Viacheslav claimed this task.
Viacheslav added a subscriber: Viacheslav.

There were some improvements for 1.3 related to ipset checks, implemented in T2189, but due to the old backend it is impossible to do anything else.
1.5/1.4 do not have this issue.
Close the task.