From: Christopher E. <ce...@lc...> - 2020-09-01 08:36:28
On 2020-08-31 20:36, Kevin Zheng wrote:
> Just to be clear, does "one-second batch" collect inputs from stdin
> over one second, then issue one large command to the backend?

Yes. The fw_block/release() functions collect the inputs they receive and
issue one big command to the backend if 1s has elapsed since the last time
they did that. Technically, in this test there were 2 commands, because all
tested backends have to deal with IPv4 and IPv6 separately.

> If your list is 6000 addresses, and attacks come in at 10 attacks/sec,
> and the backends are not CPU-limited (which they might be), shouldn't
> this total 600 seconds?

Yes, but that is not due to the backend, but to a badly designed
experiment: The while loop issuing the commands doesn't actually complete
in 600s, it takes longer. I think the issue is that the sleep command is
not that precise, as the total accumulated "surplus" depends on the sleep
value. Regardless, the execution times are extremely reproducible (both for
the issuing loop on its own & for loop plus backend), so I don't think it
matters here (other than 10/s being actually "nominally 10/s").

> For now, I think it would also be useful to clearly document that
> firewalld is slow. I wonder what upstream will say about what you're
> using firewalld for, heh.

Execution speed is probably not really a focus for them, but I'm sort of
hoping that there are some straightforward bottlenecks that simply nobody
has bothered to identify yet. And to be fair, only being able to add ~5 IPs
per second to a set is REALLY slow.

> Regards,
> Kevin