Firewalld + ipset = big problems

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Firewalld + ipset = big problems

Post by KernelOops » 2020/10/20 18:42:47

1) The huge delay that you are seeing is a known nftables bug and has been corrected in RHEL 8.3, so you'll need to wait for 3 or 6 months before you get the fix as part of CentOS 8.3 :(


2) the memory problems are another known problem. I block most of Asia and all of Africa and CentOS 7 firewalld consumes 300MB of memory, while CentOS 8 firewalld consumes 500MB of memory. That is a considerable 200MB difference to load the SAME set of addresses. I don't know if the memory issues have been fixed or not.
--
R.I.P. CentOS :cry:
--

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld + ipset = big problems

Post by TrevorH » 2020/10/20 20:17:46

Personally I hate firewalld. It's one of the worst examples of Red Hat dreaming up something and having it designed by committee so that it attempts to be all things to all people. And it fails. Its syntax is arcane and unlike anything else and doesn't support the obvious things like "firewall-cmd status" or anything useful. It's a massive memory hog, eats cpu, runs all the time and is basically unmanageable. It's a hideous thing and the sooner it dies in a fire, the better for everyone.

For my use case, I want a set of firewall rules that are basically static and never vary. For that I have zero need of something that runs all the time as a daemon. If I ever use CentOS 8 - which is quite doubtful - then I will use nftables directly or maybe use the iptables wrapper that's present since it does 90% of the iptables functionality and doesn't suffer any of the firewalld drawbacks.

You did ask...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld + ipset = big problems

Post by jlehtone » 2020/10/20 21:17:21

CentOS 8's kernel has nftables under its hood. Firewalld is just a fancy UI.
If you don't like it, then there is nftables.service.
(In fact, Red Hat recommends nftables.service for "serious servers".)
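The nftables.service route mentioned above (and the "use nftables directly" path from the earlier reply), as an added shell example that is not code from the thread or from the firewalld/nftables projects: a large block list becomes one interval set in a single ruleset file that nft loads atomically, instead of thousands of ipset entries pushed through firewall-cmd. The table, set and chain names are the example's own, the sample CIDRs are constructed, and the config path is the RHEL/CentOS 8 default for nftables.service.

```shell
# Added example, not from the thread or the firewalld/nftables projects: emit one
# nftables ruleset with a single interval set and load it atomically with `nft -f`,
# rather than pushing ipset entries through firewall-cmd one at a time.
set -eu

# Constructed sample block list; in practice read a file with one CIDR per line.
SAMPLE_CIDRS='# documentation ranges used as stand-ins
198.51.100.0/24
203.0.113.0/24

192.0.2.0/24'

# CIDR list on stdin -> complete ruleset on stdout. Table, set and chain names
# (blocklist, badnets, input) are this example's own choices.
gen_ruleset() {
    # Drop blank and comment lines, then join the rest with commas.
    elements=$(grep -Ev '^[[:space:]]*(#|$)' | paste -s -d ',' -)
    cat <<EOF
flush ruleset
table inet blocklist {
    set badnets {
        type ipv4_addr
        # interval + auto-merge: prefixes are stored as ranges and overlapping or
        # adjacent ones are merged, so the set stays small and lookups stay cheap.
        flags interval
        auto-merge
        elements = { ${elements} }
    }
    chain input {
        type filter hook input priority -10; policy accept;
        ip saddr @badnets counter drop
    }
}
EOF
}

# Number of IPv4 prefixes in a list: a sanity check before loading.
count_prefixes() {
    grep -Ec '^[0-9]+(\.[0-9]+){3}/[0-9]+[[:space:]]*$' || :
}

# Syntax-check the file, then load it in one transaction: nft applies the whole
# ruleset or leaves the running one untouched. Run as root; nftables.service
# reads /etc/sysconfig/nftables.conf at boot on RHEL/CentOS 8.
apply_ruleset() {
    nft -c -f "$1" && nft -f "$1"
}
```

`gen_ruleset < blocklist.txt > /etc/sysconfig/nftables.conf` followed by `apply_ruleset /etc/sysconfig/nftables.conf` replaces the firewall-cmd ipset workflow; firewalld has to be stopped and disabled first, since both daemons would otherwise manage the same ruleset.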

BShT
Posts: 585
Joined: 2019/10/09 12:31:40

Re: Firewalld + ipset = big problems

Post by BShT » 2020/10/21 12:26:58

I never use firewalld either, I just want my lovely and long pure script where I can see the packages in and out.

It's sexy.

acicali
Posts: 6
Joined: 2020/10/20 02:02:23

Re: Firewalld + ipset = big problems

Post by acicali » 2020/10/21 18:30:28

If this is not an issue with firewalld, but an issue with nftables, then it's unresolvable with CentOS 8 until version 8.3... is that accurate? It seems at this time my only path forward if I need to use ipsets to block traffic is to use CentOS 7. Just want to make sure I understand correctly.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Firewalld + ipset = big problems

Post by KernelOops » 2020/10/21 19:44:20

You can still use CentOS 8.2 with the defective nftables and wait 2-3 hours for it to load all the ipset rules (something that will need to happen on every reboot and every time you run firewall-cmd --reload).

Or stick with CentOS 7 and wait for 3-6 months until CentOS 8.3 is out. RHEL 8.3 is still in beta, so I expect CentOS 8.3 to come out within 2021.

Of course, if you are a Red Hat client, you can use your support contract to get them to backport the fixed nftables for 8.2 ;)

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld + ipset = big problems

Post by TrevorH » 2020/10/21 19:48:45

You could also look to see if the fix has landed in Stream yet and accidentally pull the package(s) concerned over...
