Bug 55533 - Initscript from univention-firewall can cause extreme delay
Status: NEW
Product: UCS
Classification: Unclassified
Component: Firewall (univention-firewall)
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
Depends on:
Blocks:
Reported: 2023-01-06 13:44 CET by Christina Scheinig
Modified: 2023-01-30 11:30 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023010421000239
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Christina Scheinig univentionstaff 2023-01-06 13:44:48 CET
During tests with UCS in an environment isolated from the Internet, it was noticed that the univention-firewall init script takes several minutes to run each time it is called. This is particularly noticeable during a package update, where the firewall is restarted again and again, for example.
The reason is that at the beginning of each action in the initscript (start, stop, restart, flush, etc.) the current ruleset is queried via "iptables --wait -t filter -L". Unfortunately, iptables unnecessarily tries to convert each IP address into a DNS name, since the parameter "-n" was not specified. This leads to a massive delay on a system with multiple external IPs in the firewall, since no external DNS is available for resolution. But even in environments with working DNS, there are moderate delays due to the name resolutions.

The solution here would be to change each call to "iptables --wait -t filter -L" in the initscript to "iptables --wait -t filter -L -n".

Even the iptables man page points to this:

       -L, --list [chain]
              List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by

               iptables -t nat -n -L

              Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use

               iptables -L -v

              or iptables-save(8).
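The report above boils down to one rule: never run iptables -L/--list from an init script without -n/--numeric, because every address in the ruleset otherwise costs a reverse DNS lookup (and a full resolver timeout when DNS is unreachable). The following script is an added example, not part of the bug report or of the univention-firewall package. It lints a shell script for iptables/ip6tables listing calls that lack -n and can emit a corrected copy with -n appended after the list flag. It assumes the calls are plain, whitespace-separated command lines like those in an init script (no quoting tricks or variables holding the option list); the sample script it checks is constructed for this example.

```shell
#!/bin/sh
# Added example: lint/fix iptables "-L" calls that lack "-n" (not from the bug report
# or the univention-firewall package). Assumes plain whitespace-separated command lines.

# awk program shared by the lint and fix modes (selected with -v mode=lint|fix).
_iptables_list_awk='
function is_short_flags(w) { return w ~ /^-[A-Za-z]+$/ }   # e.g. -L, -n, -nvL
{
    line = $0
    # only look at lines that invoke iptables or ip6tables
    if (line !~ /(^|[^[:alnum:]_-])ip6?tables([[:space:]]|$)/) {
        if (mode == "fix") print line
        next
    }
    has_list = 0; has_numeric = 0
    n = split(line, w)                                      # split on blanks
    for (i = 1; i <= n; i++) {
        if (w[i] == "--list"    || (is_short_flags(w[i]) && index(w[i], "L"))) has_list = 1
        if (w[i] == "--numeric" || (is_short_flags(w[i]) && index(w[i], "n"))) has_numeric = 1
    }
    if (has_list && !has_numeric) {
        found = 1
        if (mode == "fix") {
            # rebuild the line, inserting -n right after the list flag
            out = ""
            for (i = 1; i <= n; i++) {
                out = out (i > 1 ? " " : "") w[i]
                if (w[i] == "--list" || (is_short_flags(w[i]) && index(w[i], "L"))) out = out " -n"
            }
            print out
        } else {
            print NR ":" line                               # report offending line
        }
    } else if (mode == "fix") {
        print line
    }
}
END { if (mode != "fix") exit found ? 1 : 0 }              # lint: non-zero if any hit
'

# lint_iptables_list_calls FILE: print "LINENO:LINE" for each listing call without -n;
# exit status 0 if the script is clean, 1 otherwise.
lint_iptables_list_calls() {
    awk -v mode=lint "$_iptables_list_awk" "$1"
}

# fix_iptables_list_calls FILE: print the script with "-n" added to offending calls.
fix_iptables_list_calls() {
    awk -v mode=fix "$_iptables_list_awk" "$1"
}

# write_sample_script FILE: constructed sample modelled on init-script style calls;
# not the real univention-firewall initscript.
write_sample_script() {
    cat >"$1" <<'EOF'
#!/bin/sh
# constructed sample for this example, not the real univention-firewall initscript
iptables --wait -t filter -L
iptables --wait -t filter -L -n
ip6tables --wait -t nat --list
iptables --wait -nvL
iptables --wait -t filter -A INPUT -s 192.0.2.10 -j ACCEPT
EOF
}

# Usage: lint a script, then write a corrected copy next to it.
#   write_sample_script /tmp/fw.sh
#   lint_iptables_list_calls /tmp/fw.sh      # lists lines 3 and 5, exits 1
#   fix_iptables_list_calls  /tmp/fw.sh > /tmp/fw.fixed.sh
#   lint_iptables_list_calls /tmp/fw.fixed.sh   # no output, exits 0
```

Running the lint against the sample flags the two calls the report describes (a bare -L and a bare --list) while accepting -L -n and the combined form -nvL; the fix mode leaves every other line untouched, so the corrected copy can be diffed against the original before it is installed. On a real host, timing the two variants directly (time iptables --wait -t filter -L versus the same command with -n) shows the delay the report measures in minutes in an isolated network.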