Firewall rules -list/page loading time



  • Hello,

    We've been experimenting with pfSense with roughly 2000 rules, and the Firewall/Rules listing takes roughly 45 seconds to load, and it gets worse as I add more rules.

    I believe this to be somewhat similar to what was discussed here:

    https://forum.pfsense.org/index.php?topic=106054.0;

    E.g., generating rule statistics and sorting seem to be time-consuming.

    I played around with the thing and came up with the following "patches" (I truly lack in the PHP-skills department, nor did I study the structure of pfSense too much, just wanted to make something that works) that seemed to drop load times from 30 seconds to ~3-5 secs:

    
    --- original/firewall_rules.php 2016-10-11 13:29:09.434075290 +0300
    +++ patched/firewall_rules.php  2016-10-11 13:28:59.445830193 +0300
    @@ -206,6 +206,8 @@
            }
     }
    
    +
    +
     if ($_POST) {
            $pconfig = $_POST;
    
    @@ -389,8 +391,9 @@
     }
    
     /* Load the counter data of each pf rule. */
    -$rulescnt = pfSense_get_pf_rules();
    -
    +if(!isset($config['interfaces'][$if]['showstats'])) {
    +       $rulescnt = pfSense_get_pf_rules();
    +       }
     // Update this if you add or remove columns!
     $columns_in_table = 13;
    
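    Review bot: $rulescnt is never assigned when showstats is set, because the only assignment now sits inside the added `if`, so any later read of it on this page hits an undefined variable. Initialize it to an empty array before the `if` and make sure the code that renders the statistics handles the empty case. The closing brace on the last added line is also indented one level too deep.
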
    @@ -975,16 +978,18 @@
    
            // Make rules sortable. Hiding the table before applying sortable, then showing it again is
            // a work-around for very slow sorting on FireFox
    -       $('table tbody.user-entries').hide();
    +       if(!isset($config['interfaces'][$if]['showstats'])) {
    +               $('table tbody.user-entries').hide();
    
    -       $('table tbody.user-entries').sortable({
    -               cursor: 'grabbing',
    -               update: function(event, ui) {
    -                       $('#order-store').removeAttr('disabled');
    -                       reindex_rules(ui.item.parent('tbody'));
    -                       dirty = true;
    -               }
    -       });
    +               $('table tbody.user-entries').sortable({
    +                       cursor: 'grabbing',
    +                       update: function(event, ui) {
    +                               $('#order-store').removeAttr('disabled');
    +                               reindex_rules(ui.item.parent('tbody'));
    +                               dirty = true;
    +                       }
    +               });
    +       }
    
            $('table tbody.user-entries').show();
    
    
    
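    Review bot: The added `if(!isset($config['interfaces'][$if]['showstats'])) {` and its closing `}` sit among jQuery statements with no `<?php ... ?>` tags around them in this hunk, so as written they reach the browser as JavaScript, where `isset` is not defined and the call throws before the `.show()` line below runs. Emit the condition from PHP instead, for example `<?php if (!isset($config['interfaces'][$if]['showstats'])): ?>` before the block and `<?php endif; ?>` after it. Guarding `sortable()` also removes drag-and-drop reordering whenever the option is set, which the checkbox label in interfaces.php does not mention.
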
    --- original/interfaces.php     2016-10-11 13:29:23.142411672 +0300
    +++ patched/interfaces.php      2016-10-11 13:28:48.109552018 +0300
    @@ -353,6 +353,7 @@
    
     $pconfig['blockpriv'] = isset($wancfg['blockpriv']);
     $pconfig['blockbogons'] = isset($wancfg['blockbogons']);
    +$pconfig['showstats'] = isset($wancfg['showstats']);
     $pconfig['spoofmac'] = $wancfg['spoofmac'];
     $pconfig['mtu'] = $wancfg['mtu'];
     $pconfig['mss'] = $wancfg['mss'];
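
    Review bot: The key name reads backwards: `showstats` being set is what makes firewall_rules.php skip `pfSense_get_pf_rules()`, and the checkbox label in this patch says 'DO *NOT* show rule statistics in listing'. Rename it to match its effect (for example `hidestats`) in this assignment and everywhere else in the patch, so the stored setting is not misread later.
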
    @@ -1390,6 +1391,14 @@
                    } else {
                            unset($wancfg['blockbogons']);
                    }
    +       
    +               if ($_POST['showstats'] == "yes") {
    +                        $wancfg['showstats'] = true;
    +                } else {
    +                        unset($wancfg['showstats']);
    +                }
    +
    +       
                    $wancfg['spoofmac'] = $_POST['spoofmac'];
                    if (empty($_POST['mtu'])) {
                            unset($wancfg['mtu']);
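
    Review bot: `$_POST['showstats']` is read directly in the added `if`, but an unticked checkbox is not submitted at all, so guard it with `isset($_POST['showstats']) && $_POST['showstats'] == "yes"` or with `empty()` as the `mtu` check just below does. The added block is also inconsistently indented (the `if` and its `} else {` do not line up), and the two whitespace-only `+` lines around it should be dropped.
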
    @@ -3118,7 +3127,6 @@
     }
    
     $section = new Form_Section('Reserved Networks');
    -
     $section->addInput(new Form_Checkbox(
            'blockpriv',
            'Block private networks and loopback addresses',
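
    Review bot: The only change here is deleting the blank line after `$section = new Form_Section('Reserved Networks');`, which is unrelated to the feature. Drop it from the patch, together with the blank-line-only hunks at -206 in firewall_rules.php and -3140 in this file, so the diff carries just the showstats logic.
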
    @@ -3130,6 +3138,15 @@
                            'generally be turned on, unless this network interface resides in such a private address space, too.');
    
     $section->addInput(new Form_Checkbox(
    +        'showstats',
    +        'DO *NOT* show rule statistics in listing',
    +        '',
    +        $pconfig['showstats'],
    +        'yes'
    +))->setHelp('Dont show rule statistics in rule listing - improves loading time with longer rule list');
    +
    +
    +$section->addInput(new Form_Checkbox(
            'blockbogons',
            'Block bogon networks',
            '',
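
    Review bot: This checkbox is added to the 'Reserved Networks' section, between `blockpriv` and `blockbogons`, but it is a display option for the rule listing and not a reserved-network filter; give it its own section or move it next to the rule listing it affects. Phrase the label positively instead of 'DO *NOT* ...', fix 'Dont' in the help text, and match the indentation of the neighbouring `Form_Checkbox` calls.
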
    @@ -3140,7 +3157,6 @@
                            'Note: The update frequency can be changed under System->Advanced Firewall/NAT settings.');
    
     $form->add($section);
    -
     $form->addGlobal(new Form_Input(
            'if',
            null,
    
    

    So the idea is to have a checkbox somewhere that allows you to skip the statistics and sorting.

    My question is, would it be possible to get something like this in the actual release?

    Thanks!


  • Developer Netgate

    Please submit your suggestion as a pull request here: https://github.com/pfsense/pfsense/ and the development team will review it for inclusion. At first glance it does look like a worthwhile improvement in cases with a very large number of rules.

