Hi,

Since I updated Ubuntu, I've been experiencing performance problems when using the 'shorewall drop' command. During the upgrade from Ubuntu 18.04 to 22.04, shorewall was updated from version 5.1.12.2 to 5.2.3.4.

Based on a script, I update my firewall rules every few minutes using a 'shorewall drop <ip1> <ip2> ... && shorewall allow <ip1> <ip2> ...' command. Since the upgrade, I see that it takes approximately 15 seconds per IP address to process. On my other servers, it takes much less time. Using the process manager, I found out that the following 4 commands are executed and take approx. 3-4 seconds each. How is it possible that they take so much time since this update?

    /sbin/iptables -D dynamic -s <ip> -j reject
    /sbin/iptables -D dynamic -s <ip> -j DROP
    /sbin/iptables -D dynamic -s <ip> -j logreject
    /sbin/iptables -D dynamic -s <ip> -j logdrop

FYI: my iptables list was before the update, and still is, approx. 130.000 IP addresses long; most rules are in the dynamic part, based on this 'shorewall drop' command. As far as I know I haven't changed anything relevant in the shorewall.conf, attached. My rules/policy/zones are small and not that interesting as far as I can think of.

---

I think this information isn't necessary, but because it's requested on the website, hereby:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 3e:d0:64:a4:68:a9 brd ff:ff:ff:ff:ff:ff
        altname enp0s18
        inet <ipv4addr>/26 brd 79.99.130.255 scope global ens18
           valid_lft forever preferred_lft forever
        inet6 <ipv6part>:5::20:5/64 scope global
           valid_lft forever preferred_lft forever
        inet6 <ipv6part>:5::20:3/64 scope global
           valid_lft forever preferred_lft forever
        inet6 <ipv6part>:5::20:1/64 scope global
           valid_lft forever preferred_lft forever
        inet6 <ipv6part>:a::20:1/48 scope global
           valid_lft forever preferred_lft forever
        inet6 <ipv6part>:5::20:2/64 scope global
           valid_lft forever preferred_lft forever
        inet6 <ipv6part>:5::20:4/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::3cd0:64ff:fea4:68a9/64 scope link
           valid_lft forever preferred_lft forever
    3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether c6:6c:32:93:d4:bb brd ff:ff:ff:ff:ff:ff
        altname enp0s19
        inet 192.168.60.30/26 brd 192.168.60.63 scope global ens19
           valid_lft forever preferred_lft forever
        inet6 fe80::c46c:32ff:fe93:d4bb/64 scope link
           valid_lft forever preferred_lft forever

    root@hosting20:/etc/shorewall# ip route show
    default via <ipv4gateway> dev ens18 proto static
    <ipv4subnet>/26 dev ens18 proto kernel scope link src <ipv4gateway>
    192.168.0.0/16 via 192.168.60.1 dev ens19 proto static
    192.168.60.0/26 dev ens19 proto kernel scope link src 192.168.60.30

Thanks in advance!!

Martijn

(Attachment: shorewall.conf)
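The post reports four 'iptables -D dynamic -s <ip> -j <target>' calls per address against a chain of roughly 130.000 rules. Deleting by rule specification makes iptables compare the specification against the chain's rules from the top until one matches, so the cost of each delete grows with the chain length, and a delete that matches nothing (three of the four targets will usually not exist for a given address) walks the whole chain. The script below is an added diagnostic for checking the size and composition of such a chain before blaming the Shorewall version; it is not part of the original post or of Shorewall. It parses the output format of 'iptables -S <chain>' (a constructed five-rule sample is embedded; feed real output on stdin) and estimates, under the linear-scan model just described, how many rule comparisons the four deletes for one address would perform.

```python
"""Summarise an iptables chain dump and estimate the scan work of the four
'iptables -D dynamic -s <ip> -j <target>' calls issued per address.

Added diagnostic, not part of the original post or of Shorewall. Usage on a
live host:  iptables -S dynamic | python3 chain_stats.py [ip]
"""
import re
import sys
from collections import Counter

# One rule line of 'iptables -S <chain>': "-A <chain> [-s <src>] ... -j <target>"
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?: -s (?P<src>\S+))?.*? -j (?P<target>\S+)")

# Constructed sample in the 'iptables -S' format (documentation addresses,
# RFC 5737); the poster's real chain is ~130.000 lines of this shape.
SAMPLE = """\
-N dynamic
-A dynamic -s 198.51.100.7/32 -j DROP
-A dynamic -s 203.0.113.9/32 -j reject
-A dynamic -s 203.0.113.9/32 -j logdrop
-A dynamic -s 192.0.2.44/32 -j logreject
-A dynamic -s 198.51.100.8/32 -j DROP
"""

# The four targets Shorewall's 'drop'/'allow' handling tries, in the order
# seen in the process list of the post.
TARGETS = ("reject", "DROP", "logreject", "logdrop")


def normalize(addr):
    """iptables prints host addresses as a.b.c.d/32; strip the mask for comparison."""
    return addr[:-3] if addr and addr.endswith("/32") else addr


def parse_chain(text):
    """Return (chain, source, target) tuples for every -A line in the dump."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group("chain"), m.group("src"), m.group("target")))
    return rules


def summarize(rules):
    """Chain length, rules per target and number of distinct source addresses."""
    return {
        "total": len(rules),
        "by_target": Counter(target for _, _, target in rules),
        "unique_sources": len({normalize(src) for _, src, _ in rules if src}),
    }


def deletion_scans(rules, ip, targets=TARGETS):
    """Estimated rule comparisons for the four deletes of one address.

    Assumed model: each 'iptables -D <chain> -s <ip> -j <target>' walks the
    chain from the top and stops at the first rule whose source and target
    both match; when no rule matches it has compared every rule in the chain.
    """
    ip = normalize(ip)
    total = 0
    for target in targets:
        scanned = 0
        for _, src, tgt in rules:
            scanned += 1
            if normalize(src) == ip and tgt == target:
                break
        total += scanned
    return total


def main(argv):
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    if not text.strip():
        text = SAMPLE  # fall back to the constructed sample
    rules = parse_chain(text)
    stats = summarize(rules)
    print(f"rules in chain: {stats['total']}, distinct sources: {stats['unique_sources']}")
    for target, count in stats["by_target"].most_common():
        print(f"  {target:<10} {count}")
    ip = argv[1] if len(argv) > 1 else "203.0.113.9"
    print(f"comparisons for the four deletes of {ip}: {deletion_scans(rules, ip)}")


if __name__ == "__main__":
    main(sys.argv)
```

On the embedded sample the estimate is small, but the same arithmetic applied to a 130.000-rule chain means each address costs on the order of half a million rule comparisons across the four deletes, before counting the per-invocation cost of fetching the whole table from the kernel; the numbers it prints for a real dump are a quick way to confirm whether the chain on the slow host is actually larger, or differently composed, than on the servers that behave normally.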
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users