On Sat, Jun 22, 2024 at 04:38:23PM +0200, Marco Moock wrote:
On Sat, 22 Jun 2024 06:04:24 -0600, R C cjvijf@gmail.com wrote:
(on a side note, what would be more 'expensive' for the firewall to implement, a port opened with "firewall-cmd --add-port=22/tcp" or have a rich rule that does the same thing for a set of source IPs?)
I assume (I haven't tested) the rich rule with the source IPs will need more resources. It needs additional checks for the IP addresses.
Neither. It's almost certainly not noticeable for a benchmark like iperf3.
Once the connection is established (after the TCP handshake) both of the examples (--add-port and rich rule) follow the _exact_ same packet path. I mentioned earlier in the thread that firewalld short circuits established connections.
The 10% overhead you're seeing is likely due to a combination of connection tracking and the nftables hook. The latter can be completely avoided by using NftablesFlowtable in firewalld.conf.
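The two rule forms being compared, plus the firewalld.conf setting mentioned for avoiding the nftables hook, as an added example that is not part of the thread. The source prefixes, the interface name and the sample firewalld.conf are constructed placeholders; the generated commands need root and a running firewalld to apply.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the --add-port rule, the
# equivalent per-source rich rules, and the firewalld.conf line that offloads
# established connections to an nftables flowtable (firewalld >= 1.1).

# Plain port rule: the --add-port form discussed above.
port_rule_cmd() {
    printf 'firewall-cmd --permanent --add-port=%s/tcp\n' "$1"
}

# Rich rule text for one IPv4 source prefix ($1) and TCP port ($2).
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# One --add-rich-rule command per source in the space-separated list $1, port $2.
# Once the connection is established, traffic matched by either form takes the
# same conntrack short-circuit path, so the extra checks only cost on new flows.
rich_rule_cmds() {
    for src in $1; do
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$(rich_rule "$src" "$2")"
    done
}

# firewalld.conf setting that moves established flows to a flowtable for the
# listed interfaces; the default value is "off". Needs firewall-cmd --reload.
flowtable_conf_line() {
    printf 'NftablesFlowtable=%s\n' "$1"
}

# Returns 0 if the firewalld.conf text on stdin has a flowtable enabled
# (a non-empty value other than "off"), 1 otherwise.
flowtable_enabled() {
    val=$(sed -n 's/^NftablesFlowtable=[[:space:]]*//p' | tail -n 1)
    [ -n "$val" ] && [ "$val" != "off" ]
}

# Constructed sample firewalld.conf fragment with the flowtable still disabled.
SAMPLE_CONF='DefaultZone=public
NftablesFlowtable=off'

port_rule_cmd 22
rich_rule_cmds "192.0.2.0/24 198.51.100.7" 22
flowtable_conf_line "eth0"
printf '%s\n' "$SAMPLE_CONF" | flowtable_enabled && echo "flowtable on" || echo "flowtable off"
```

After reloading with the interface set, `nft list flowtables` shows the flowtable firewalld created, and `nft list ruleset` shows the early `ct state established,related` rule that both forms share.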