View Issue Details

IDProjectCategoryView StatusLast Update
0017525CentOS-8firewalldpublic2021-03-19 00:38
Reportermongo3k Assigned To 
Status newResolutionopen 
Product Version8.1.1911 
Summary0017525: firewall-cmd --reload is too slow
DescriptionReloading the firewall after a large ipset is added is very, very slow
After noticing it on a new server, I set up 3 VM's on the same server to test

These are the times measured to reload the firewall after adding an ipset of approx. 100k entries:

CentOS 8: 4.18.0-193.6.3.el8_2.x86_64
real 42m36.582s
user 0m0.144s
sys 0m0.011s

CentOS 7: 3.10.0-1127.el7.x86_64
real 0m1.853s
user 0m0.111s
sys 0m0.017s

Fedora 32 Server: 5.6.19-300.fc32.x86_64
real 0m21.558s
user 0m0.123s
sys 0m0.013s

The network is unusable while this is loading, so it's critical that it be fixed to run faster
Steps To ReproduceAdd a large ipset using firewall-cmd's, approx. 100k entries
time firewall-cmd --reload

Try this on CentOS 8, CentOS 7
Tagscentos 8, firewalld, ipset


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-06-21 22:57 mongo3k New Issue
2020-06-21 22:57 mongo3k Tag Attached: centos 8
2020-06-21 22:57 mongo3k Tag Attached: firewalld
2020-06-21 22:57 mongo3k Tag Attached: ipset