fwknop
Fwknop does not seem to handle a large number of rules.
If I send 100 requests from the client (say), the server can handle it fairly well. I gave an expiry time of just 10 secs and all of them expired in approximately that time.
But once the number of requests exceeds 1000, the server takes an excruciatingly long time to clear the expired rules (if at all). I do not know if it has to do with the efficiency of the code, my CPU power (I have a 3.5 GHz quad core) or whether fwknop was even meant to handle such loads in the first place.
39 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:39 /* _exp_1556793016 */
40 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:40 /* _exp_1556793016 */
run_extcmd() (with execvpe()): running CMD: /sbin/iptables -t filter -L FWKNOP_INPUT --line-numbers -n
run_extcmd(): returning 16, pid_status: 13
check_firewall_rules() CMD: '/sbin/iptables -t filter -L FWKNOP_INPUT --line-numbers -n' (res: 16, ipt_output_buf: Chain FWKNOP_INPUT (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:1 /* _exp_1556793016 */
2 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:2 /* _exp_1556793016 */
3 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:3 /* _exp_1556793016 */
4 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:4 /* _exp_1556793016 */
5 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:5 /* _exp_1556793016 */
6 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:6 /* _exp_1556793016 */
7 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:7 /* _exp_1556793016 */
8 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:8 /* _exp_1556793016 */
9 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:9 /* _exp_1556793016 */
10 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:10 /* _exp_1556793016 */
11 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:11 /* _exp_1556793016 */
12 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:12 /* _exp_1556793016 */
13 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:13 /* _exp_1556793016 */
14 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:14 /* _exp_1556793016 */
15 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:15 /* _exp_1556793016 */
16 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:16 /* _exp_1556793016 */
17 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:17 /* _exp_1556793016 */
18 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:18 /* _exp_1556793016 */
19 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:19 /* _exp_1556793016 */
20 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:20 /* _exp_1556793016 */
21 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:21 /* _exp_1556793016 */
22 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:22 /* _exp_1556793016 */
23 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:23 /* _exp_1556793016 */
24 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:24 /* _exp_1556793016 */
25 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:25 /* _exp_1556793016 */
26 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:26 /* _exp_1556793016 */
27 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:27 /* _exp_1556793016 */
28 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:28 /* _exp_1556793016 */
29 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:29 /* _exp_1556793016 */
30 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:30 /* _exp_1556793016 */
31 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:31 /* _exp_1556793016 */
32 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:32 /* _exp_1556793016 */
33 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:33 /* _exp_1556793016 */
34 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:34 /* _exp_1556793016 */
35 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:35 /* _exp_1556793016 */
36 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:36 /* _exp_1556793016 */
37 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:37 /* _exp_1556793016 */
38 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:38 /* _exp_1556793016 */
39 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:39 /* _exp_1556793016 */
40 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:40 /* _exp_1556793016 */)
check_firewall_rules() Error 16 from cmd:'/sbin/iptables -t filter -L FWKNOP_INPUT --line-numbers -n': Chain FWKNOP_INPUT (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:1 /* _exp_1556793016 */
2 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:2 /* _exp_1556793016 */
3 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:3 /* _exp_1556793016 */
4 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:4 /* _exp_1556793016 */
5 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:5 /* _exp_1556793016 */
6 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:6 /* _exp_1556793016 */
Just to give you an idea, I sent 10,000 requests with an expiration time of just 1 sec. It has been over 25 minutes and none of them have expired.
Are there any workarounds to help fwknop-server handle a large number of requests better?
Thanks again!
Also, I am using fwknop server 2.6.10
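As an added example (not part of the report above and not fwknop's own code), here is a small parser for the `iptables -L FWKNOP_INPUT --line-numbers -n` listing shown in the debug output. It picks out the rules whose `_exp_` comment timestamp has passed and emits the matching `iptables -D` commands with the highest line number first, so that each deletion leaves the remaining line numbers valid. The sample listing, ports and expiry epochs are constructed; the chain name defaults to the one in the report.

```python
import re
from typing import List, Tuple

# Constructed sample in the same shape as the listing fwknop's
# check_firewall_rules() reads back (ports and expiry epochs are made up).
SAMPLE_LISTING = """Chain FWKNOP_INPUT (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:22 /* _exp_1556793016 */
2 ACCEPT tcp -- 192.168.1.77 0.0.0.0/0 tcp dpt:443 /* _exp_1556793100 */
3 ACCEPT tcp -- 192.168.1.80 0.0.0.0/0 tcp dpt:8080 /* _exp_1556793016 */
"""

# One fwknop-managed rule line: line number, target, proto, source,
# destination port and the "_exp_<epoch>" comment fwknop appends.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+ACCEPT\s+\S+\s+--\s+(?P<src>\S+)\s+\S+\s+"
    r".*?dpt:(?P<port>\d+).*?/\*\s*_exp_(?P<exp>\d+)\s*\*/"
)

Rule = Tuple[int, str, int, int]  # (line number, source, dport, expiry epoch)


def parse_rules(listing: str) -> List[Rule]:
    """Extract every rule carrying an _exp_ comment; header lines and
    rules without such a comment are skipped."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m["num"]), m["src"], int(m["port"]), int(m["exp"])))
    return rules


def expired_rules(listing: str, now: int) -> List[Rule]:
    """Rules whose expiry epoch is not in the future (assumed cut-off:
    expiry <= now counts as expired)."""
    return [r for r in parse_rules(listing) if r[3] <= now]


def delete_commands(listing: str, now: int, chain: str = "FWKNOP_INPUT") -> List[str]:
    """iptables -D commands for the expired rules, highest line number
    first, so earlier deletions do not renumber rules still to be deleted."""
    expired = sorted(expired_rules(listing, now), key=lambda r: r[0], reverse=True)
    return [f"/sbin/iptables -t filter -D {chain} {num}" for num, *_ in expired]


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_LISTING, now=1556793016):
        print(cmd)
```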