Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-10983

puppetlabs-firewall : Slow performance caused by unnecessary parsing



    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
    • Template:
    • QA Risk Assessment:
      Needs Assessment


      Module Version: 3.0.0
      Puppet Version: 6.20.1
      OS Name/Version: CentOS 7.9

      We have around 1000 rules in a specific iptables chain - these rules must not be purged by puppet therefore we specify the specific chains to purge using the firewallchain resource i.e.

      firewallchain {
        purge => true,


      However because the generate[1] method of the firewallchain type calls instances[2] which in turn calls iptables-save this ends up forcing the provider to parse and convert all of those 1000 rules (plus any other puppet managed rules) that sit in the unmanaged chain only for them then to be removed[3] from the returned array as they are not in the chain that we are looking to purge.

      The generate method runs for every chain on every apply (so in this example it parses and converts 1000 rules 12 times on each apply) so this is consistently causing slow performance and applies, depending on how many rules we have in iptables we've seen the firewall module take over 10 minutes to apply.

      [1] https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/type/firewallchain.rb#L246

      [2] https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/provider/firewall/iptables.rb#L418

      [3] https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/type/firewallchain.rb#L249

      Desired Behavior:

      The firewallchain resource should only attempt to retrieve rules from the specific chain it is working on, I think we'd need a new provider method which accepts a chain and a table param which could use iptables -t <table> -S <chain> to only return the rules for the chain that is being worked on, there are also some other places in the codebase where it may be preferable to switch to this method i.e. https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/provider/firewall/iptables.rb#L909-L913 

      Actual Behavior:

      puppet apply takes an unnecessarily long time due to the firewall module spending time parsing and converting rules which are never considered




            Unassigned Unassigned
            gcampbell George Campbell
            2 Vote for this issue
            4 Start watching this issue



                Zendesk Support