Even in el9 the man firewall-cmd does point to man 8 ipset even though the “ipset” it has created is an nftables set. What does FirewallD of el8 actually do? Do you see your “ipset” in nft list ruleset, or do the rules point to ipset ipset?
That you have to ask from Red Hat. I do agree that such performance regression is not what one expects.
Maybe the ipset thing is slower? I dunno, I do it a different way. For example, I get a list of IP’s from Cloudflare or my CDN, and then I parse over them and add them to firewalld using the add-source option. I suppose you could try that method and see if it’s any faster. My IP lists are shorter than yours so I don’t have any speed issues.
This presumably creates/modifies file /etc/firewalld/ipsets/known_malicious_ips.xml
The ban_me_i_am_bad.txt “should contain an entry per line”, and inserting text to xml is relative trivial.
Now firewalld reads the XML file and writes to kernel (via nft library?). Sounds trivial, but time disagrees.
One could dump the active ruleset to file with nft list ruleset, disable firewalld.service, and make nftables.service load the ruleset from file. If that is faster, then the issue is clearly in the firewall-nft transaction.
This is one of the reasons I don’t use firewalld. The biggest problem with firewalld is that a complete reload is required when changing/adding/removing rules form what I have experienced. If you can modify firewalld rules without reloading them from scratch I would consider using it. With iptables you can update, add and delete rules on the fly leaving all the other rules untouched intact and protecting the server.
The first line makes it active now, the second makes sure we save it to be used when reloaded/restarted. If we just used the first line and reloaded/restart firewalld, the port would no longer be there and we’d have to add it again. Doing it like the above doesn’t require reload to be used. There maybe a better method, but none that I know of right now.
Yes. The firewall-cmd can change both the current active rules in the kernel (without --permanent) and update config (with --permanent) that is used on boot to load rules into kernel.
There is even possibility to give a timeout parameter for the former. You can add a rule that is automatically removed in, say 5 minutes. Within that time you see whether the rule works as expected, but are not permanently locked out from your system if the rule is “bad”.
The iptables (and nft) do change the current active rules in the kernel. They don’t change the stored config. (The iptables in Rocky is only a nft-translator that speaks nf_tables to the kernel.)
Furthermore, if you modify rules with iptables or nft while FirewallD “manages” the rules, it is “same manner” as your girlfriend rummaging your wallet while you are not watching – your assumptions about the contents of your wallet might become invalid.
When I manage with iptables my girlfriend has no idea what has been changed nor does she have access to modify anything or take anything out of my wallet. The “Config” of the firewall is dynamic and changing all the time. With very few static items.
When I was messing with firewalld and added rules (thinking they would be active on the fly) then checked active rules they do not display as active until firewalld is restarted.