From: Christopher E. <ce...@lc...> - 2020-08-28 11:26:58
I think it's a good idea to try to see if we can make the calls to firewalld faster, but in the meantime, I've taken a stab at letting the backend function group requests here [1] (branch: batch-process). If you're on Fedora, you can install that version from Copr [2] as well.

The backend now collects all requests that come within 1 second and sends them as one to the fw_block()/fw_release() functions. Those then can do something smart with that. So far, only the firewalld backend tries to be smart; all the others just disaggregate the combined request and then do what they did before. It seems to work, but I have only tested the firewalld and null backends & I haven't done any benchmarking yet.

On 27.08.20 21:15, Felix Schwarz wrote:
> I guess I should try to create a test scenario where I add random IP
> addresses via firewall-cmd and check if I also see high CPU load. Ideally I'd
> see a much lower CPU load - though I'm a bit swamped currently so it'll take a
> few days.

You can use the fakeip.sh [3] script from my fork (or from the doc dir of the forked sshguard package) to send random block/release requests to the sshguard backends. There shouldn't be significant overhead in interacting with firewall-cmd in that manner. Just pipe the output into /usr/libexec/sshguard/sshg-fw-firewalld.

Christopher

[1] https://bitbucket.org/lcts/sshguard/branches/compare/lcts/sshguard:batch-process%0Dsshguard/sshguard:master#diff
[2] https://copr.fedorainfracloud.org/coprs/lcts/fedora-rpm-forks/build/1637820/
[3] https://bitbucket.org/lcts/sshguard/src/batch-process/fakeip.sh
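Editor's note: the batching scheme Christopher describes (collect everything that arrives within one second, hand it to the backend as a single request, let the firewalld backend turn it into as few firewall-cmd invocations as possible) is shown below as an added, stand-alone example. It is not code from the sshguard project or from the batch-process branch. It assumes the sshg-fw line protocol `block|release <addr> <4|6> <prefixlen>` (the `flush` command is deliberately left out), firewalld ipsets named `sshguard4` and `sshguard6`, and firewall-cmd's `--add-entries-from-file` / `--remove-entries-from-file` options; the collapsing policy in `aggregate()` (last command for an entry wins) is also an assumption, not what the fork's firewalld backend does.

```python
"""Batch sshg-fw block/release requests into one firewall-cmd call per window.

Added illustration, not sshguard's code. Assumptions: the sshg-fw line protocol
'block|release <addr> <4|6> <prefixlen>', firewalld ipsets named sshguard4 and
sshguard6, firewall-cmd's --add-entries-from-file/--remove-entries-from-file
options, and the "last command wins" collapsing policy in aggregate().
"""
import select
import subprocess
import sys
import tempfile
import time

WINDOW_SECONDS = 1.0
IPSET_PREFIX = "sshguard"  # assumed ipset naming: sshguard4 / sshguard6


def parse_request(line):
    """Parse one protocol line into ('block'|'release', addr, family, prefix)."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("block", "release"):
        raise ValueError("unsupported request: %r" % line)
    cmd, addr, family, prefix = parts
    if family not in ("4", "6") or not prefix.isdigit():
        raise ValueError("bad address family or prefix: %r" % line)
    return (cmd, addr, int(family), int(prefix))


def batch_by_window(timed_lines, window=WINDOW_SECONDS):
    """Group (timestamp, line) pairs: a batch holds every request that arrived
    within `window` seconds of the batch's first request."""
    batches, current, start = [], [], None
    for stamp, line in timed_lines:
        if start is not None and stamp - start > window:
            batches.append(current)
            current, start = [], None
        if start is None:
            start = stamp
        current.append(parse_request(line))
    if current:
        batches.append(current)
    return batches


def aggregate(batch):
    """Collapse a batch into add/remove lists per address family. Policy
    (assumed): the last block/release seen for an entry wins, so a block
    followed by a release of the same entry in one window becomes one remove."""
    state = {}  # (family, "addr/prefix") -> last command, insertion ordered
    for cmd, addr, family, prefix in batch:
        key = (family, "%s/%d" % (addr, prefix))
        state.pop(key, None)  # re-insert so ordering reflects the last command
        state[key] = cmd
    plan = {"block": {4: [], 6: []}, "release": {4: [], 6: []}}
    for (family, entry), cmd in state.items():
        plan[cmd][family].append(entry)
    return plan


def firewall_cmds(plan, entries_file):
    """Build at most one firewall-cmd argv per non-empty action/family.
    entries_file(entries) must return the path of a file with one entry per line."""
    flag = {"block": "--add-entries-from-file=",
            "release": "--remove-entries-from-file="}
    cmds = []
    for action in ("block", "release"):
        for family in (4, 6):
            entries = plan[action][family]
            if entries:
                cmds.append(["firewall-cmd", "--ipset=%s%d" % (IPSET_PREFIX, family),
                             flag[action] + entries_file(entries)])
    return cmds


def write_entries(entries):
    """Write ipset entries to a temp file for --{add,remove}-entries-from-file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("\n".join(entries) + "\n")
    return f.name


def main(dry_run):
    """Read requests from stdin; dispatch the pending batch once the window closes."""
    pending, start = [], None
    while True:
        timeout = None if start is None else max(0.0, WINDOW_SECONDS - (time.monotonic() - start))
        ready, _, _ = select.select([sys.stdin], [], [], timeout)
        if ready:
            line = sys.stdin.readline()
            if line:  # a request arrived inside (or opening) the window
                if start is None:
                    start = time.monotonic()
                pending.append(parse_request(line))
                continue
        if pending:  # window elapsed or EOF: emit the batched calls
            for argv in firewall_cmds(aggregate(pending), write_entries):
                if dry_run:
                    print(" ".join(argv))
                else:
                    subprocess.run(argv, check=True)
            pending, start = [], None
        if ready:  # readline() returned '' -> EOF
            break


if __name__ == "__main__":
    main(dry_run="--dry-run" in sys.argv[1:])
```

Usage, with the script saved as `fw_batch.py`: `sh fakeip.sh | python3 fw_batch.py --dry-run` prints the firewall-cmd invocations instead of running them, which is enough to count how many calls a burst of requests collapses into. The `select()` timeout is what closes a window when input goes quiet, so a lone request is still dispatched after one second rather than waiting for the next one.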