Adding firewall port ranges makes commit/boot MASSIVELY slow
Open, LowPublic
Actions

Assigned To

None

Authored By

	xrobau
	Nov 24 2021, 1:12 AM

Description

As of this commit, every port is checked with an exec(ipset -T):

If there is a large port range, this can take many many minutes. A simple example would be

conf
set firewall group port-group slowwwwww port '20000-65531'
commit

That would run ipset -T 45,531 times.

A better idea is to get the ipset result BEFORE the check, and then iterate over the result to see if anything is missing.

Mentioned Here: T2189: Adding a large port-range will take ~ 20 minutes to commit

xrobau triaged this task as Low priority.Nov 24 2021, 1:12 AM

xrobau created this task.

xrobau created this object in space S1 VyOS Public.

Duplicate? T2189

I'm going to do what I suggested.