Bug #12174
closed
Firewall rule tabs load slowly when many rules on the tab utilize gateways
Added by lufte grof over 3 years ago.
Updated almost 3 years ago.
Plus Target Version:
22.01
Affected Architecture:
SG-1100
Description
firewall_rules.php is slow to load for interfaces that have numerous rules utilizing the gateway field for policy-based routing. The implementation of Feature Request #885 appears to be what caused this problem.
This has been affecting an SG-1100 since the upgrade to pfSense+ v21.02. I do not have any other platforms making extensive use of policy-based routing. However, user dlogan posted "Firewall -> Rules -> LAN very slow to load since 21.02 update" to the Netgate forums in May 2021. They are on an SG-5100. I will be following-up to see whether they are using policy-based routing in that configuration.
(https://forum.netgate.com/topic/164005/firewall-rules-lan-very-slow-to-load-since-21-02-update?_=1627572482359)
The original PR 4367 (https://github.com/pfsense/pfsense/pull/4367) checked for the disablealiaspopupdetail config option, but that condition was removed prior to merge because "there wouldn't be any similar issues with gateway popups."
With the attached patch, and configuring <disablealiaspopupdetail>, I have worked around the problem until a more efficient gateway_info_popup function can be developed.
Files
- Assignee set to Jim Pingle
- Target version set to 2.6.0
- Plus Target Version set to 21.09
A quick look at the code tells me this is likely the same root cause as what is making the IPsec status and apply process slow, which I'm in the middle of fixing already. I'll take a look at this when I finish up what I'm doing with IPsec.
- Status changed from New to Feedback
- % Done changed from 0 to 100
Jim Pingle wrote in #note-2:
Applied in changeset 87011dce1fe88ad48c098d6b6804add53cf64084.
Hi, Jim. Appreciate the quick turnaround. Unfortunately, that patch still didn't get the page load times down to a usable level.
For testing I used an interface consisting of a set of 75 rules, 49 of which have gateways defined.
- v21.05 time to load was ~37 seconds.
- changeset 87011dce1fe88ad48c098d6b6804add53cf64084 time to load was ~21 seconds.
- I cobbled together a patch that gets the same page to load in ~3 seconds.
I'm only just learning how you've got the code organized, so there is bound to be something about this that doesn't conform to your standards. Though, is there anything inherently wrong with this approach (attached)?
- Status changed from Feedback to In Progress
The main problems with that are:
- You're moving too much of that logic onto the page and out of the include file. Could maybe be split into two functions in guiconfig.inc, but it should stay in there one way or another
- You've lost a bit of validation to ensure things like the gateways in the config are actually defined/are an array. Not every configuration has a gateway config and the "after" code here is making some faulty assumptions
Either way, this should be submitted as a PR on github which allows for much better collaboration: https://docs.netgate.com/pfsense/en/latest/development/pull-request.html
Ok, I'll work on a PR.
I took what you said and applied it. My latest doesn't touch guiconfig.inc. Instead, firewall_rules.php keeps an array of gateway popup content for each encountered gateway, and only calls the gateway_info_popup() function the first time it encounters each unique gateway. And, it's even faster.
But I'll work on that PR and submit it there.
Thanks.
- Status changed from In Progress to Pull Request Review
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
- Subject changed from firewall_rules.php is slow to load to Firewall rule tabs load slowly when many rules on the tab utilize gateways
Updating subject for release notes.
- Plus Target Version changed from 21.09 to 22.01
- Status changed from Feedback to Resolved
This seems to be working fine here.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by