I configured 20,000 firewall rules on my VyOS (48 cores and 100GB RAM, KVM), but committing the configuration needs at least 3 hours, and after I reboot my VyOS machine, it cannot come up and stagnates at "Mounting VyOS Config". So I want to know how many firewall rules are supported by VyOS and work properly?
All the firewall rules I configured are basic rules: they permit host source and destination IP and TCP/UDP protocol.
Which version of VyOS are you using?
Do you use address-ranges?
My VyOS version is 1.4. I am just testing the performance of VyOS (like how many rules it supports), so I don't use address ranges.
For 1.4 (after the January releases we rewrote the firewall completely), we use nftables as the backend.
As far as I know, there are no known limits.
Could you check the time it takes to load all rules directly? It should be an atomic rule replacement and take less time than commit.
Load the rules to some temp file, flush the ruleset and load them again. Do you see any issues with this step?
sudo nft -s list ruleset > /tmp/rules.nft
sudo nft flush ruleset
sudo time nft -f /tmp/rules.nft
Also, it would be good to see the template used for rule generation. Maybe we will find something there that can be optimized on the VyOS configuration commit side.
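As an added example (not posted by anyone in this thread), here is a constructed generator for the kind of rule template the maintainer is asking about: N basic accept rules matching a host source address, a host destination address and a TCP/UDP destination port, written as one nft ruleset file. The table and chain names and the 10.x / 192.168.x sample addresses are assumptions chosen for the example. Redirecting its output to a file gives a reproducible input for the flush-and-reload timing described above, so the time taken by nft itself can be separated from the time taken by the VyOS commit.

```shell
#!/bin/sh
# Generate an nftables ruleset with N basic host-to-host accept rules
# (ip saddr, ip daddr, tcp/udp dport), the rule shape described in the
# thread. Constructed example: table/chain names and addresses are made up.
gen_ruleset() {
  n="$1"
  printf 'flush ruleset\n'
  printf 'table ip filter {\n'
  printf '\tchain forward {\n'
  printf '\t\ttype filter hook forward priority 0; policy drop;\n'
  i=0
  while [ "$i" -lt "$n" ]; do
    # constructed sample addresses, walked deterministically from the index
    src="10.$(( (i / 65536) % 256 )).$(( (i / 256) % 256 )).$(( i % 256 ))"
    dst="192.168.$(( (i / 256) % 256 )).$(( i % 256 ))"
    if [ $(( i % 2 )) -eq 0 ]; then proto=tcp; else proto=udp; fi
    port=$(( 1024 + i % 60000 ))
    printf '\t\tip saddr %s ip daddr %s %s dport %s counter accept\n' \
      "$src" "$dst" "$proto" "$port"
    i=$(( i + 1 ))
  done
  printf '\t}\n'
  printf '}\n'
}

# Count only the rule lines (table/chain wrapper lines are excluded),
# so the generated file can be checked before it is loaded.
count_rules() {
  gen_ruleset "$1" | grep -c ' dport '
}
```

Usage on the VyOS box follows the steps above: `gen_ruleset 20000 > /tmp/rules.nft`, then `sudo nft -c -f /tmp/rules.nft` to syntax-check without applying, then `sudo nft flush ruleset` and `sudo time nft -f /tmp/rules.nft`. If that load is fast while the VyOS commit is slow, the cost is on the configuration-generation side rather than in nftables.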
I ran these commands as you mentioned, but the VyOS stagnated at the state below for a long time, almost 10 hours, then it resumed.
It can be a kernel or nft bug; that's why I asked which exact version you are using.
Could you send the show version output, some examples of rules or the rules generation script, or just attach the rules.nft file?
My VyOS version is 1.4-rolling-202206161834.
I created a bug report T4610.
Can you share the rules.nft?
In my internal test, 20K entries applied in 0.20s (VM).
root@r14:/home/vyos# cat tmp.nft | wc -l
20029
root@r14:/home/vyos#
root@r14:/home/vyos# sudo time nft -f tmp.nft
real 0m 0.20s
user 0m 0.13s
sys 0m 0.06s
root@r14:/home/vyos#
200K entries in 2 seconds:
root@r14:/home/vyos# cat tmp.nft | wc -l
200029
root@r14:/home/vyos#
root@r14:/home/vyos# sudo nft flush ruleset
root@r14:/home/vyos#
root@r14:/home/vyos# sudo time nft -f tmp.nft
real 0m 1.91s
user 0m 1.20s
sys 0m 0.70s
root@r14:/home/vyos#
I wonder, is there a lot of geoip matching involved or something like that?