Hi Martijn,
I've noticed similar things, although it's not a big deal on my system
because the number of addresses is much lower.
Under recent Ubuntu (and Debian, and I'm sure many other distros)
versions, iptables has become a compatibility wrapper around nftables.
My guess (only a guess, without any data to back it up) would be that
this is the cause.
I'd try using ipsets instead to see if this improves your performance;
something like:
DROP net:+reject $FW
REJECT $FW net:+reject
in your rules to implement the blocking, and:
ipset create -exist reject hash:ip counters hashsize 65536 maxelem 16777216 # tune these numbers to your liking
to create the set, and:
ipset add reject 1.2.3.4
to add something to the list.
I'd be interested to know how you fare with this...
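As an added illustration of the ipset approach above (example script, not from the reply or from Shorewall): instead of one iptables call per address, the whole list is fed to `ipset restore` and swapped in atomically. The set name `reject` and the size arguments are taken from the reply; `ipset restore`, `swap` and `destroy` are standard ipset commands.

```shell
#!/bin/sh
# Added example: build an `ipset restore` batch that replaces the contents
# of the "reject" set in one go. Input is one IPv4 address per line on stdin
# (constructed sample input is used in the usage below).

SET_NAME="${SET_NAME:-reject}"   # same set as referenced by "net:+reject"

# Emit the batch: create the live set and a scratch set (both hash:ip so they
# can be swapped), fill the scratch set, then swap it into place atomically so
# there is never a window in which the blocklist is empty.
build_ipset_batch() {
    printf 'create %s hash:ip counters hashsize 65536 maxelem 16777216\n' "$SET_NAME"
    printf 'create %s_tmp hash:ip counters hashsize 65536 maxelem 16777216\n' "$SET_NAME"
    printf 'flush %s_tmp\n' "$SET_NAME"
    while IFS= read -r ip; do
        case "$ip" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        # Only accept dotted-quad addresses so a bad line cannot break the batch.
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            printf 'warning: skipping malformed address %s\n' "$ip" >&2
            continue
        fi
        printf 'add %s_tmp %s\n' "$SET_NAME" "$ip"
    done
    printf 'swap %s_tmp %s\n' "$SET_NAME" "$SET_NAME"
    printf 'destroy %s_tmp\n' "$SET_NAME"
}

# Apply the batch when ipset is installed; otherwise print it for inspection.
# "-exist" makes the create lines harmless when the live set already exists.
apply_batch() {
    if command -v ipset >/dev/null 2>&1; then
        build_ipset_batch | ipset restore -exist
    else
        build_ipset_batch
    fi
}

# Usage with a constructed sample list:
# printf '1.2.3.4\n5.6.7.8\n' | apply_batch
```

The Shorewall rules from the reply keep matching `net:+reject`, so only the set contents change; iptables is never invoked per address.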
On 4/7/24 05:10, Martijn Verhoef via Shorewall-users wrote:
Hi,
Since I updated Ubuntu, I’ve been experiencing performance problems
when using the ‘shorewall drop’ command.
During the upgrade Ubuntu 18.04 to 22.04, shorewall updated from
version 5.1.12.2 to 5.2.3.4
Based on a script, I update my firewall rules every few minutes using
a ‘shorewall drop <ip1> <ip2> … && shorewall allow <ip1> <ip2> …’ command.
Since the upgrade, I see that it takes approximately 15 seconds per
ip-address to process. On my other servers, it takes much less time.
Using the process manager, I found out the following 4 commands are
executed and take approx. 3-4 seconds each. How is it possible that
they take so much time since this update?
/sbin/iptables -D dynamic -s <ip> -j reject
/sbin/iptables -D dynamic -s <ip> -j DROP
/sbin/iptables -D dynamic -s <ip> -j logreject
/sbin/iptables -D dynamic -s <ip> -j logdrop
...
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users