Project

General

Profile

Actions

Bug #12174

open

Firewall rule tabs load slowly when many rules on the tab utilize gateways

Added by lufte grof about 2 months ago. Updated 26 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.09
Release Notes:
Default
Affected Version:
2.5.x
Affected Architecture:
SG-1100

Description

firewall_rules.php is slow to load for interfaces that have numerous rules utilizing the gateway field for policy-based routing. The implementation of Feature Request #885 appears to be what caused this problem.

This has been affecting an SG-1100 since the upgrade to pfSense+ v21.02. I do not have any other platforms making extensive use of policy-based routing. However, user dlogan posted "Firewall -> Rules -> LAN very slow to load since 21.02 update" to the Netgate forums in May 2021. They are on an SG-5100. I will be following-up to see whether they are using policy-based routing in that configuration.

(https://forum.netgate.com/topic/164005/firewall-rules-lan-very-slow-to-load-since-21-02-update?_=1627572482359)

The original PR 4367 (https://github.com/pfsense/pfsense/pull/4367) checked for the disablealiaspopupdetail config option, but that condition was removed prior to merge because "there wouldn't be any similar issues with gateway popups."

With the attached patch, and configuring <disablealiaspopupdetail>, I have worked around the problem until a more efficient gateway_info_popup function can be developed.


Files

guiconfig.inc_29JUL2021b.patch (473 Bytes) guiconfig.inc_29JUL2021b.patch lufte grof, 07/29/2021 11:07 AM
guiconfig.inc_02AUG2021.patch (3.43 KB) guiconfig.inc_02AUG2021.patch lufte grof, 08/02/2021 02:20 PM
firewall_rules.php_02AUG2021.patch (2.31 KB) firewall_rules.php_02AUG2021.patch lufte grof, 08/02/2021 02:39 PM
Actions #1

Updated by Jim Pingle about 2 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09

A quick look at the code tells me this is likely the same root cause as what is making the IPsec status and apply process slow, which I'm in the middle of fixing already. I'll take a look at this when I finish up what I'm doing with IPsec.

Actions #2

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by lufte grof about 2 months ago

Jim Pingle wrote in #note-2:

Applied in changeset 87011dce1fe88ad48c098d6b6804add53cf64084.

Hi, Jim. Appreciate the quick turnaround. Unfortunately, that patch still didn't get the page load times down to a usable level.

For testing I used an interface consisting of a set of 75 rules, 49 of which have gateways defined.

  • v21.05 time to load was ~37 seconds.
  • changeset 87011dce1fe88ad48c098d6b6804add53cf64084 time to load was ~21 seconds.
  • I cobbled together a patch that gets the same page to load in ~3 seconds.

I'm only just learning how you've got the code organized, so there is bound to be something about this that doesn't conform to your standards. Though, is there anything inherently wrong with this approach (attached)?

Actions #4

Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to In Progress

The main problems with that are:

  • You're moving too much of that logic onto the page and out of the include file. Could maybe be split into two functions in guiconfig.inc, but it should stay in there one way or another
  • You've lost a bit of validation to ensure things like the gateways in the config are actually defined/are an array. Not every configuration has a gateway config and the "after" code here is making some faulty assumptions

Either way, this should be submitted as a PR on github which allows for much better collaboration: https://docs.netgate.com/pfsense/en/latest/development/pull-request.html

Actions #5

Updated by lufte grof about 2 months ago

Ok, I'll work on a PR.

I took what you said and applied it. My latest doesn't touch guiconfig.inc. Instead, firewall_rules.php keeps an array of gateway popup content for each encountered gateway, and only calls the gateway_info_popup() function the first time it encounters each unique gateway. And, it's even faster.

But I'll work on that PR and submit it there.

Thanks.

Actions #7

Updated by Jim Pingle about 2 months ago

  • Status changed from In Progress to Pull Request Review
Actions #8

Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #9

Updated by Jim Pingle 26 days ago

  • Subject changed from firewall_rules.php is slow to load to Firewall rule tabs load slowly when many rules on the tab utilize gateways

Updating subject for release notes.

Actions

Also available in: Atom PDF