How many firewall rules are supported by VyOS?

I configured 20,000 firewall rules on my VyOS (48 cores and 100 GB RAM, KVM), but committing the configuration needs at least 3 hours, and after I reboot my VyOS machine it cannot come up and stagnates at “Mounting VyOS Config”. So I want to know how many firewall rules VyOS supports while still working properly.
All the firewall rules I configured are basic rules: they permit a host source and destination IP and the TCP/UDP protocol.

Which version of VyOS are you using?
Do you use address ranges?

My VyOS version is 1.4. I am just testing the performance of VyOS (like how many rules it supports), so I don't use address ranges.

For 1.4 (after the January releases we rewrote the firewall completely) we use nftables as the backend. As far as I know, there are no known limits.
Could you check the load time of all rules directly? It should be an atomic rule replacement and take less time than a commit.
Dump the rules to some temp file, flush the rules and load them again. Do you see any issues with this step?

sudo nft -s list ruleset > /tmp/rules.nft
sudo nft flush ruleset
sudo time nft -f /tmp/rules.nft

Also, it would be good to see the template used for rule generation. Maybe we will find something there that can be optimized on the VyOS configuration commit side.
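The kind of rule generator asked for above, written here as an added example (it is not from the thread or from VyOS). It writes N basic "permit src host + dst host + tcp/udp port" rules of the type the original poster describes into a single nftables file, prefixed with `flush ruleset` so that `nft -f` replaces the whole ruleset atomically in one transaction, and then times the load. The table name `perf_test`, the chain name `forward` and the 10.0.0.0/8 and 172.16.0.0/12 addresses are made up for the test. Because the file flushes the entire ruleset, run the load step only on a throwaway test VM, never on a box whose firewall you rely on.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread or of VyOS.
# Generates an nftables ruleset with N basic accept rules and times its
# atomic load with `nft -f`, which is what the VyOS commit ends up doing.
set -eu

# gen_ruleset N FILE
# Writes N rules into one inet table/chain. The `flush ruleset` at the top
# makes the whole file one atomic replace: either all N rules land or none.
# Table/chain names and addresses are made up for this test.
gen_ruleset() {
    n=$1
    out=$2
    {
        printf 'flush ruleset\n'
        printf 'table inet perf_test {\n'
        printf '  chain forward {\n'
        printf '    type filter hook forward priority filter; policy drop;\n'
        i=0
        while [ "$i" -lt "$n" ]; do
            # Derive distinct source/destination hosts from the counter so no
            # two rules are identical and nothing collapses into a set/range.
            src="10.$(( (i / 65536) % 256 )).$(( (i / 256) % 256 )).$(( i % 256 ))"
            dst="172.16.$(( (i / 256) % 256 )).$(( i % 256 ))"
            if [ $(( i % 2 )) -eq 0 ]; then proto=tcp; else proto=udp; fi
            port=$(( 1024 + i % 60000 ))
            printf '    ip saddr %s ip daddr %s %s dport %s accept\n' \
                "$src" "$dst" "$proto" "$port"
            i=$(( i + 1 ))
        done
        printf '  }\n'
        printf '}\n'
    } > "$out"
}

# count_rules FILE
# Number of rule lines in a generated file (every rule ends in "accept";
# the chain's "policy drop;" line does not).
count_rules() {
    grep -c ' accept$' "$1"
}

# time_load FILE
# Loads the file with nft and prints wall-clock time. Skipped when nft is
# not installed or we are not root, so the generator itself runs anywhere.
time_load() {
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "nft not available or not running as root; skipping load" >&2
        return 0
    fi
    start=$(date +%s.%N)
    nft -f "$1"
    end=$(date +%s.%N)
    elapsed=$(awk "BEGIN { printf \"%.3f\", $end - $start }")
    echo "loaded $(count_rules "$1") rules in ${elapsed} s"
}

# Usage: ./gen_rules.sh run 20000   (defaults to 20000 rules)
if [ "${1:-}" = "run" ]; then
    gen_ruleset "${2:-20000}" /tmp/perf_rules.nft
    time_load /tmp/perf_rules.nft
fi
```

If `nft -f` on the generated file loads in well under a second but the VyOS commit of the equivalent configuration takes hours, the bottleneck is on the commit side (config parsing and rule generation), not in the kernel or nftables; if the plain `nft -f` is also slow, the problem is below VyOS.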

I ran these commands as you mentioned, but VyOS stagnated in the state below for a long time, almost 10 hours, then it resumed.

It can be a kernel or nft bug; that's why I asked which exact version you are using.
Could you send the show version output,
some examples of rules or the rule generation script, or just attach the rules.nft file?

My VyOS version is 1.4-rolling-202206161834.

I created a bug report T4610

Can you share the rules.nft?

In my internal test, 20K entries were applied in 0.20 s on a VM.

root@r14:/home/vyos# cat tmp.nft | wc -l
root@r14:/home/vyos# sudo time nft -f tmp.nft
real	0m 0.20s
user	0m 0.13s
sys	0m 0.06s

200K entries in 2 s:

root@r14:/home/vyos# cat tmp.nft | wc -l
root@r14:/home/vyos# sudo nft flush ruleset
root@r14:/home/vyos# sudo time nft -f tmp.nft
real	0m 1.91s
user	0m 1.20s
sys	0m 0.70s

I wonder, is there a lot of geoip matching involved or something like that?