I have a script that creates a network-group containing over 3000 networks. On my one firewall with quad-core Atom procs it takes over 10 minutes to create the network group when committing the config. Even more concerning is that the firewall sits in the boot-up process for 10 minutes before giving you a login shell.

I found this link online showing that using ipset restore to load the same data takes less than 3 seconds on my Atom firewall, making it 200-300 times faster: https://n0dy.com/blog/2013/05/19/faster-ipset-loading/ I started looking at the ipset code to see what it would take to modify it for bulk loading. The big caveat that I saw is that the commands for adding to firewall groups check for mistakes at every turn, and I suspect that any attempt to use restore to load entries could not easily have the same careful checking. In the meantime I think I'm going to put a stub for my network group in the VyOS config and then have a post script that loads in the majority of the 3000 records with ipset restore.

You might wonder why on earth I have 3000 networks I want to load into a network-group. These are bogon networks that are not allocated in the IPv4 space. I want to have rules that prohibit traffic to or from these unallocated addresses. Why? Why not? Just because you're paranoid does not mean they aren't trying to get you. I actually have a draft email discussing the idea of adding bogon blocking as an included option in VyOS, a feature that pfSense has, but it needs more work to clearly get my ideas across.
_______________________________________________ Vyos-developers mailing list Vyos-developers@lists.tuxis.nl https://lists.tuxis.nl/listinfo/vyos-developers
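One way to build the post script described in the message above, as an added example that is not from the original post or from VyOS: a POSIX shell script that validates every CIDR before it goes into the batch (so the bulk load keeps some of the checking the author is worried about losing), writes an `ipset restore` file, and swaps the fully loaded set under the live name in one step so firewall rules never see a half-loaded table. The set name BOGONS4, the input path, the hash:net parameters, and the assumption that the network-group's ipset is a hash:net family inet set of the same name are all this example's assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from VyOS).
# Bulk-load a large list of bogon prefixes into an ipset with "ipset restore".
#
# Assumptions (not from the page): the live set is called BOGONS4, it is a
# hash:net family inet set, and the prefix list lives in a plain text file
# with one IPv4 CIDR per line ("#" starts a comment).
set -eu

SET_NAME="${SET_NAME:-BOGONS4}"
CREATE_OPTS="hash:net family inet hashsize 4096 maxelem 65536"

# is_ipv4_cidr A.B.C.D/N  -> returns 0 only for a syntactically valid IPv4 CIDR.
# This is the per-entry check that a raw "ipset restore" batch would otherwise
# only get from ipset itself, which aborts the whole batch on the first error.
is_ipv4_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${cidr%/*}
    prefix=${cidr#*/}
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    for octet in $ip; do
        if [ "$octet" -gt 255 ]; then
            IFS=$oldifs
            return 1
        fi
    done
    IFS=$oldifs
    return 0
}

# build_restore SETNAME FILE -> prints an "ipset restore" batch on stdout.
# Comments, blank lines and duplicates are dropped; every surviving line is
# validated. Exit status is non-zero if any entry was rejected, so a bad list
# never reaches ipset half-checked.
build_restore() {
    set_name=$1
    src=$2
    bad=0
    clean=$(mktemp)
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$src" | grep -v '^$' | sort -u > "$clean"
    printf 'create %s %s -exist\n' "$set_name" "$CREATE_OPTS"
    while IFS= read -r line; do
        if is_ipv4_cidr "$line"; then
            printf 'add %s %s -exist\n' "$set_name" "$line"
        else
            printf 'bogons: rejecting bad entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$clean"
    rm -f "$clean"
    [ "$bad" -eq 0 ]
}

# load_set FILE -> loads the prefixes into a scratch set, then swaps it under
# the live name. "ipset swap" is atomic with respect to packet matching, so
# rules referencing $SET_NAME see either the old table or the complete new one.
load_set() {
    src=$1
    scratch="${SET_NAME}_new"
    batch=$(mktemp)
    build_restore "$scratch" "$src" > "$batch"
    # The live set must exist with a compatible type for the swap to succeed.
    ipset create "$SET_NAME" $CREATE_OPTS -exist
    ipset restore < "$batch"
    ipset swap "$scratch" "$SET_NAME"
    ipset destroy "$scratch"
    rm -f "$batch"
    ipset -t list "$SET_NAME"
}

# Entry point for a post-config hook, e.g. "bogons.sh load /config/scripts/bogons.txt"
# (path is an assumption). Nothing runs when the script is only sourced.
if [ "${1:-}" = "load" ]; then
    load_set "$2"
fi
```

Because a VyOS commit or reboot may recreate the group's ipset, the `load` step has to be re-run after every commit that touches the group, which is what the post's "post script" is for; and since `ipset swap` only works between sets of compatible type, the `CREATE_OPTS` here must match how the stub group's set was actually created.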