How to Accelerate Firewalld or should it be abandoned for nftables instead?
We have a problem where we set up a server running a service that is capable of hundreds of simultaneous connections on port 3535 (arbitrarily assigned for this application). We have firewalld running on this near-end host allowing connections from the far-end host, and that is all working fine. The problem we ran into is that the far-end host is only able to establish a few connections at a time, and it is taking upwards of 30 seconds to get those connections. The most we have seen on the near-end (receiving) host is about 35 connections on average. We turned firewalld off and it immediately went to 850 connections; the far end reported no problems and no delays when connecting, and it ran flawlessly for 15 minutes (until we turned firewalld back on).
We have a very simple rule set and are not doing any kind of throttling. Is there default throttling in firewalld that I need to disable or should I go to nftables and if so will it actually perform better or am I chasing a ghost? My ISP is not using VMWARE and so no external solution is available.
Thanks in advance. David
Solution 1:
firewalld maintainer here.
Firewalld does not currently support acceleration (software fast path or hardware offload). However, I think that both could be added by using the nftables flowtable infrastructure. Only a few NICs support flowtable offload though.
That being said, what you're describing sounds wrong. That's abysmal performance. Firewalld doesn't actually do the firewalling. It builds iptables/nftables rule sets and applies them. The iptables/nftables rule execution happens in the kernel/netfilter.
You may consider disabling some optional firewalld features. IPv6_rpfilter is known to have performance issues in scaled environments because it requires a FIB lookup. Also consider other things that may cause frequent rule updates or add a large amount of rules, e.g. fail2ban.