Hi,

On Wed, 17 Jun 2020, Reindl Harald wrote:

> the restore of a "bitmap:port" ipset with a lot of entries is *terrible*
> slow, when you add a port-range like 42000–42999 it ends in 999 "add
> PORTS_RESTRICTED" lines in the save-file and restore takes virtually
> ages
>
> the cpu-time below is the whole systemd-unit which restores iptables,
> ipset and configures the network with 3 nics, a bridge and wireguard
>
> why is this *that much* inefficient given that the original command with
> port ranges returns instantly?
>
> on a datacenter firewall that makes the difference of 5 seconds or 15
> seconds downtime at reboot
> ---------------------------
>
> Name: PORTS_RESTRICTED
> Type: bitmap:port
> Header: range 1-55000
>
> ---------------------------
>
> /usr/sbin/ipset -file /etc/sysconfig/ipset restore
>
> CPU: 9.594s - Number of entries: 5192
> CPU: 6.246s - Number of entries: 3192
> CPU: 1.511s - Number of entries: 53
>
> ---------------------------

I cannot reproduce the issue. What is your ipset version (both userspace
tool and kernel modules)?

> 42000–42999 looks in /etc/sysconfig/ipset like below and frankly either
> that can be speeded up or should be saved as ranges wherever it's
> possible like hash:net prefers cidr

The bitmap port type does not support ranges, just individual port
elements. In my test restoring a set with 10000 elements took less than 1s.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
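The exchange above turns on the shape of the save file: a bitmap:port set is declared with a `range lo-hi` header and then stored one `add` line per member port, so a single range on the command line becomes a thousand lines on disk. The script below is an added example, not code from the thread or from the ipset project. It parses a dump in that format, rejects ports outside the declared range, and collapses the per-port lines back into contiguous ranges so a large firewall set can be reviewed at a glance. The `create NAME bitmap:port range lo-hi` / `add NAME port` line layout is assumed from the `ipset save` format shown in the thread; the sample dump is constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass, field

# Lines `ipset save` writes for a bitmap:port set: the "create" header carries
# the declared port range, and every member is its own "add" line (format
# assumed from the thread's Header/add output, not taken from ipset sources).
CREATE_RE = re.compile(r"^create\s+(\S+)\s+bitmap:port\s+range\s+(\d+)-(\d+)\b")
ADD_RE = re.compile(r"^add\s+(\S+)\s+(\d+)(?:-(\d+))?\s*$")


@dataclass
class BitmapPortSet:
    name: str
    range_lo: int
    range_hi: int
    ports: set = field(default_factory=set)


def expand_add(name, lo, hi):
    """The per-port "add" lines a range ends up as in the save file."""
    if lo > hi:
        raise ValueError(f"bad range {lo}-{hi}")
    return [f"add {name} {port}" for port in range(lo, hi + 1)]


def parse_save(text):
    """Parse create/add lines into sets, rejecting ports outside the header range.

    `ipset save` emits one port per add line; a hand-edited restore file may
    also carry "add NAME lo-hi", which the CLI accepts, so both forms are read.
    """
    sets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CREATE_RE.match(line)
        if m:
            name, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            sets[name] = BitmapPortSet(name, lo, hi)
            continue
        m = ADD_RE.match(line)
        if m:
            name = m.group(1)
            if name not in sets:
                raise ValueError(f"line {lineno}: add to undeclared set {name}")
            s = sets[name]
            lo = int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            if lo < s.range_lo or hi > s.range_hi or lo > hi:
                raise ValueError(
                    f"line {lineno}: {lo}-{hi} outside range {s.range_lo}-{s.range_hi}"
                )
            s.ports.update(range(lo, hi + 1))
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return sets


def collapse_ranges(ports):
    """Turn a set of ports into sorted, maximal contiguous (lo, hi) runs."""
    runs = []
    for port in sorted(ports):
        if runs and port == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], port)
        else:
            runs.append((port, port))
    return runs


def summarize(sets):
    """Reviewer-friendly view: {set name: ["53", "8080-8081", "42000-42999"]}."""
    return {
        name: [f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in collapse_ranges(s.ports)]
        for name, s in sets.items()
    }


# Constructed sample dump shaped like `ipset save` output (not captured data):
# three loose ports plus the 42000-42999 range stored as 1000 separate lines.
SAMPLE_DUMP = (
    "create PORTS_RESTRICTED bitmap:port range 1-55000\n"
    "add PORTS_RESTRICTED 53\n"
    "add PORTS_RESTRICTED 8080\n"
    "add PORTS_RESTRICTED 8081\n"
    + "\n".join(expand_add("PORTS_RESTRICTED", 42000, 42999))
    + "\n"
)

if __name__ == "__main__":
    sets = parse_save(SAMPLE_DUMP)
    print(f"{len(sets['PORTS_RESTRICTED'].ports)} member ports")
    print(summarize(sets))
```

Run it against the output of `ipset save` redirected to a file to get a compact list of what a set actually blocks; the out-of-range check catches a restore file that was edited by hand after the bitmap header was narrowed, which `ipset restore` would otherwise reject at boot.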