Bug#1016451: shorewall takes more than 300 seconds to start if /etc/shorewall/blrules contains a lot of lines

Sun, 31 Jul 2022 12:54:21 -0700 

Package: shorewall
Version: 5.2.3.4-1
Severity: minor
Tags: upstream

Dear debian Maintainer,


   * What led up to the situation?
        I installed shorewall, everything worked fine.
        Since I filled /etc/shorewall/blrules with ~4000 lines, shorewall takes 
huge time to start
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?
        Packet Filter takes 0.3 sec to start with the same blacklist.
   * What's relevant logs?
        Here is /var/log/shorewall-init.log
[...]
Jul 31 21:04:43    Conntrack rule "CT:helper:pptp:PO - - tcp 1723" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jul 31 21:04:43    Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jul 31 21:04:43 Compiling MAC Filtration -- Phase 2...
Jul 31 21:04:43 Applying Policies...
Jul 31 21:04:43    Policy ACCEPT from fw to net using chain fw-net
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" 
Compiled
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Multicast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43    Policy DROP from net to fw using chain net-fw
Jul 31 21:04:43    Policy ACCEPT from net to net using chain net-net
Jul 31 21:04:43 Generating Rule Matrix...
Jul 31 21:04:43    Handling complex zones...
Jul 31 21:04:43    Entering main matrix-generation loop...
Jul 31 21:04:43    Finishing matrix...
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" 
Compiled
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Multicast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" 
Compiled
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Multicast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" 
Compiled
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action 
/usr/share/shorewall/action.Multicast...
Jul 31 21:04:43     Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" 
Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43    Chain NET_IF_iop deleted
Jul 31 21:04:43    Chain A_DROP deleted
Jul 31 21:04:43    Chain NET_IF_oop deleted
Jul 31 21:04:43    Chain NET_IF_fop deleted
Jul 31 21:04:43    Chain net-net deleted
Jul 31 21:04:43 Optimizing Ruleset...
Jul 31 21:04:43 
  Table raw pass 1, 2 referenced chains, level 4a...
Jul 31 21:04:43 
  Table raw pass 2, 2 referenced chains, level 4b...
Jul 31 21:04:43 
  Table raw pass 2, 2 referenced user chains, level 16...
Jul 31 21:04:43 
  Table raw pass , 0 referenced user chains, level 8...
Jul 31 21:04:43    Table raw Optimized -- Passes = 1
Jul 31 21:04:43 
Jul 31 21:04:43 
  Table nat pass 1, 4 referenced chains, level 4a...
Jul 31 21:04:43 
  Table nat pass 2, 4 referenced chains, level 4b...
Jul 31 21:04:43 
  Table nat pass 2, 4 referenced user chains, level 16...
Jul 31 21:04:43 
  Table nat pass , 0 referenced user chains, level 8...
Jul 31 21:04:43    Table nat Optimized -- Passes = 1
Jul 31 21:04:43 
Jul 31 21:04:43 
  Table mangle pass 1, 10 referenced chains, level 4a...
Jul 31 21:04:43    Chain tcin deleted
Jul 31 21:04:43    Chain tcout deleted
Jul 31 21:04:43    Chain tcpost deleted
Jul 31 21:04:43    Chain tcpre deleted
Jul 31 21:04:43    Empty chain tcfor deleted
Jul 31 21:04:43 
  Table mangle pass 2, 5 referenced chains, level 4a...
Jul 31 21:04:43 
  Table mangle pass 3, 5 referenced chains, level 4b...
Jul 31 21:04:43 
  Table mangle pass 3, 5 referenced user chains, level 16...
Jul 31 21:04:43 
  Table mangle pass , 0 referenced user chains, level 8...
Jul 31 21:04:43    Table mangle Optimized -- Passes = 1
Jul 31 21:04:43 
Jul 31 21:04:43 
  Table filter pass 1, 14 referenced chains, level 4a...
Jul 31 21:04:43     3 ACCEPT rules deleted from chain fw-net
Jul 31 21:04:43     3 DROP rules deleted from chain net-fw
Jul 31 21:04:43 
  Table filter pass 2, 14 referenced chains, level 4a...
Jul 31 21:04:43    1 references to chain fw-net replaced
Jul 31 21:04:43    Chain fw-net deleted
Jul 31 21:04:43 
  Table filter pass 3, 13 referenced chains, level 4a...
Jul 31 21:04:43 
  Table filter pass 4, 13 referenced chains, level 4b...
Jul 31 21:04:43 
  Table filter pass 5, 2 short chains, level 4c...
Jul 31 21:04:43 
  Table filter pass 5, 13 referenced user chains, level 16...
Jul 31 21:11:44 
  Table filter pass , 10 referenced user chains, level 8...
Jul 31 21:11:44    Table filter Optimized -- Passes = 1
Jul 31 21:11:44 
Jul 31 21:11:44 Creating iptables-restore input...
Jul 31 21:11:45 Shorewall configuration compiled to /var/lib/shorewall/.start
Jul 31 21:11:45 Starting Shorewall....
Jul 31 21:11:45 Initializing...
Jul 31 21:11:45 Setting up Route Filtering...
Jul 31 21:11:45 Setting up Martian Logging...
Jul 31 21:11:45 Setting up Accept Source Routing...
Jul 31 21:11:45 Disabling Kernel Automatic Helper Association
Jul 31 21:11:45 Preparing iptables-restore input...
Jul 31 21:11:45 Running /sbin/iptables-restore --wait 60...
Jul 31 21:11:45 done.



-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-16-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shorewall depends on:
ii  bc                     1.07.1-2+b2
ii  debconf [debconf-2.0]  1.5.77
ii  iproute2               5.10.0-4
ii  iptables               1.8.7-1
ii  lsb-base               11.1.0
ii  perl                   5.32.1-4+deb11u2
ii  shorewall-core         5.2.3.4-1

Versions of packages shorewall recommends:
ii  libnetfilter-cthelper0  1.0.0-3

Versions of packages shorewall suggests:
ii  make           4.3-4.1
ii  shorewall-doc  5.2.3-1.1

-- Configuration Files:
/etc/shorewall/params changed:

/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
PAGER=
FIREWALL=
LOG_LEVEL="debug"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="%s %s "
LOGTAGONLY=No
LOGLIMIT="s:1/sec:10"
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=
ARPTABLES=
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=Yes
DOCKER=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0


-- debconf information:
  shorewall/invalid_config:
  shorewall/dont_restart:
  shorewall/major_release:

Reply via email to