ipset does NSS lookups even if ports are numeric
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ipset (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Invalid | Undecided | Unassigned | |
| Focal | Fix Released | High | James Page | |
| Groovy | Won't Fix | Undecided | Unassigned | |
| Hirsute | Fix Released | High | James Page | |
| Impish | Fix Released | High | James Page | |
| Jammy | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
A change included in ipset 6.37 introduced a performance regression: every set entry incurs an NSS service-name lookup for its port, irrespective of whether a service name or a numeric port is given in the set configuration. For large sets these lookups roughly double the time taken to apply changes to ipset tables.
[Test Plan]
# Create a suitable large set of data to restore to the ipset
for x in `seq 1 7`; do for y in `seq 1 254`; do for z in `seq 1 254`; do echo "add test 10.1.1.
# Destroy, create, restore
sudo ipset destroy test
sudo ipset create test hash:net,port,net hashsize 4096 maxelem 786432
time sudo ipset restore < ./whitelist-ipv4
Large reduction in time taken to restore the ipset (32s -> 5s on an 8-core machine).
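The generator line in the test plan above is cut off on this page, so here is a complete, self-contained version of the same procedure as an added example (not part of the bug report or the ipset project): it builds a large hash:net,port,net restore file whose ports are all numeric, so that any service-name lookup is pure overhead, wraps the destroy/create/restore timing from the test plan, and adds one check the plan does not have: counting how often ipset opens /etc/services while restoring. Because the lookup goes through NSS, it follows whatever backend nsswitch.conf configures for the services database, which is why a numeric-only ruleset paying for it is worth verifying. The set name, the 10.x.y.z/tcp:443/192.168.0.0/16 entry shape and the loop bounds are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: build a large hash:net,port,net
# restore file with numeric ports, time the restore, and count NSS activity.
# Set name, entry shape (10.x.y.z,tcp:443,192.168.0.0/16) and loop bounds
# are constructed for this example.

# gen_restore SET OUTFILE NX NY NZ
# Emits NX*NY*NZ lines of the form: add SET 10.x.y.z,tcp:443,192.168.0.0/16
# (a single address is a /32 net; "tcp:443" is a numeric proto:port spec).
gen_restore() {
    set_name=$1 out=$2 nx=$3 ny=$4 nz=$5
    x=1
    while [ "$x" -le "$nx" ]; do
        y=1
        while [ "$y" -le "$ny" ]; do
            z=1
            while [ "$z" -le "$nz" ]; do
                printf 'add %s 10.%d.%d.%d,tcp:443,192.168.0.0/16\n' \
                    "$set_name" "$x" "$y" "$z"
                z=$((z + 1))
            done
            y=$((y + 1))
        done
        x=$((x + 1))
    done > "$out"
}

# count_lines FILE -> number of entries written (wc -l with padding stripped)
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# time_restore SET FILE: the destroy/create/restore cycle from the test plan.
# Needs root and the ip_set kernel modules; destroy fails harmlessly the first
# time. `time` is a bash keyword or /usr/bin/time under dash.
time_restore() {
    ipset destroy "$1" 2>/dev/null || true
    ipset create "$1" hash:net,port,net hashsize 4096 maxelem 786432
    time ipset restore < "$2"
}

# services_opens FILE: number of times ipset opens /etc/services while
# restoring FILE. glibc's files NSS backend reopens /etc/services for each
# service lookup, so with the regression this tracks the entry count; with the
# fix it should be 0 for a numeric-port file. Needs root and strace.
services_opens() {
    strace -f -e trace=openat ipset restore < "$1" 2>&1 >/dev/null \
        | grep -c '/etc/services'
}
```

Typical use on a test box, as root: `gen_restore test ./whitelist-ipv4 7 254 254`, then `time_restore test ./whitelist-ipv4` before and after upgrading the package, and `services_opens ./whitelist-ipv4` to confirm the lookups are gone rather than merely faster.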
[Where problems could occur]
The original patch to resolve this issue introduced another bug, which has subsequently been fixed as well (the fix is included in the updated packages).
If the fix introduces issues, it is likely that iptables rules making use of ipset groups will start to fail in some way, probably by rejecting traffic.
[Other Info]
[Original Bug Report]
Hi,
Do you think we could get https:/
This divides our ipset loading time by ~2 (from ~60s to ~25s).
Thanks
Related branches
- Christian Ehrhardt (community): Approve
- OpenStack Ubuntu packagers: Pending requested
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu developers: Pending requested
Diff: 69 lines (+47/-0), 3 files modified:
  debian/changelog (+7/-0)
  debian/patches/lp-1918936-Parse-port-before-trying-by-service-name.patch (+39/-0)
  debian/patches/series (+1/-0)
Changed in ipset (Ubuntu Bionic):
  status: New → Invalid
Changed in ipset (Ubuntu Focal):
  status: New → Confirmed
description: updated
description: updated
Changed in ipset (Ubuntu Impish):
  importance: Undecided → High
Changed in ipset (Ubuntu Hirsute):
  importance: Undecided → High
Changed in ipset (Ubuntu Focal):
  importance: Undecided → High
  assignee: nobody → James Page (james-page)
Changed in ipset (Ubuntu Hirsute):
  assignee: nobody → James Page (james-page)
Changed in ipset (Ubuntu Impish):
  assignee: nobody → James Page (james-page)
description: updated
description: updated
Status changed to 'Confirmed' because the bug affects multiple users.