Speed up ipset entries changes

jfroche · jfroche · commit 25dff54ee172 · 2018-04-26T12:58:37.000+02:00
We now use `--add-entries-from-file` and `--remove-entries-from-file` to change firewalld ipset. Adding or removing entries one by one was really slow. This pull request is based on https://github.com/42wim/puppet-firewalld/blob/04683b46cbe6e6a925c585283941cc363752aceb/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
diff --git a/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb b/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
@@ -17,27 +17,37 @@ def create
     args << ["--type=#{@resource[:type]}"]
     args << ["--option=#{@resource[:options].map { |a,b| "#{a}=#{b}" }.join(',')}"] if @resource[:options]
     execute_firewall_cmd(args.flatten, nil)
-    @resource[:entries].each { |e| add_entry(e) }
+    add_entries_from_file(@resource[:entries])
   end
 
   def entries
     execute_firewall_cmd(["--ipset=#{@resource[:name]}", "--get-entries"], nil).split("\n").sort
   end
 
-  def add_entry(entry)
-    execute_firewall_cmd(["--ipset=#{@resource[:name]}", "--add-entry=#{entry}"], nil)
+  def add_entries_from_file(entries)
+    f = Tempfile.new('ipset')
+    entries.each { |e| f.write(e+"\n") }
+    f.close
+    execute_firewall_cmd(["--ipset=#{@resource[:name]}", "--add-entries-from-file=#{f.path}"], nil)
   end
 
-  def remove_entry(entry)
-    execute_firewall_cmd(["--ipset=#{@resource[:name]}", "--remove-entry=#{entry}"], nil)
+  def remove_entries_from_file(entry)
+    f = Tempfile.new('ipset')
+    entries.each { |e| f.write(e+"\n") }
+    f.close
+    execute_firewall_cmd(["--ipset=#{@resource[:name]}", "--remove-entries-from-file=#{f.path}"], nil)
   end
 
   def entries=(should_entries)
     cur_entries = entries
     delete_entries = cur_entries-should_entries
     add_entries = should_entries-cur_entries
-    delete_entries.each { |e| remove_entry(e) }
-    add_entries.each { |e| add_entry(e) }
+    if delete_entries
+      remove_entries_from_file(delete_entries)
+    end
+    if add_entries
+      add_entries_from_file(add_entries)
+    end
   end
 
   def destroy
diff --git a/spec/unit/puppet/type/firewalld_ipset_spec.rb b/spec/unit/puppet/type/firewalld_ipset_spec.rb
@@ -4,6 +4,14 @@
 
   before do
     Puppet::Provider::Firewalld.any_instance.stubs(:state).returns(:true)
+    tempfile = stub('tempfile', :class => Tempfile,
+                  :write => true,
+                  :flush => true,
+                  :close! => true,
+                  :close => true,
+                  :path => '/tmp/ipset-rspec'
+                 )
+      Tempfile.stubs(:new).returns(tempfile)
   end
 
   describe "type" do
@@ -55,8 +63,7 @@
 
     it "should create" do
       provider.expects(:execute_firewall_cmd).with(['--new-ipset=whitelist', '--type=hash:ip'], nil)
-      provider.expects(:execute_firewall_cmd).with(['--ipset=whitelist', '--add-entry=192.168.2.2'], nil)
-      provider.expects(:execute_firewall_cmd).with(['--ipset=whitelist', '--add-entry=10.72.1.100'], nil)
+      provider.expects(:execute_firewall_cmd).with(["--ipset=whitelist", "--add-entries-from-file=/tmp/ipset-rspec"], nil)
       provider.create
     end
 
@@ -66,17 +73,16 @@
     end
 
     it "should set entries" do
-      provider.expects(:entries).returns([])
-      provider.expects(:execute_firewall_cmd).with(['--ipset=whitelist', '--add-entry=192.168.2.2'], nil)
-      provider.expects(:execute_firewall_cmd).with(['--ipset=whitelist', '--add-entry=10.72.1.100'], nil)
+      provider.expects(:entries).returns([]).at_least_once()
+      provider.expects(:execute_firewall_cmd).with(["--ipset=whitelist", "--add-entries-from-file=/tmp/ipset-rspec"], nil)
+      provider.expects(:execute_firewall_cmd).with(["--ipset=whitelist", "--remove-entries-from-file=/tmp/ipset-rspec"], nil)
       provider.entries=(['192.168.2.2', '10.72.1.100'])
     end
 
     it "should remove unconfigured entries" do
-      provider.expects(:entries).returns(['10.9.9.9', '10.8.8.8', '10.72.1.100'])
-      provider.expects(:execute_firewall_cmd).with(['--ipset=whitelist', '--add-entry=192.168.2.2'], nil)
-      provider.expects(:execute_firewall_cmd).with(['--ipset=whitelist', '--remove-entry=10.9.9.9'], nil)
-      provider.expects(:execute_firewall_cmd).with(['--ipset=whitelist', '--remove-entry=10.8.8.8'], nil)
+      provider.expects(:entries).returns(['10.9.9.9', '10.8.8.8', '10.72.1.100']).at_least_once()
+      provider.expects(:execute_firewall_cmd).with(["--ipset=whitelist", "--add-entries-from-file=/tmp/ipset-rspec"], nil)
+      provider.expects(:execute_firewall_cmd).with(["--ipset=whitelist", "--remove-entries-from-file=/tmp/ipset-rspec"], nil)
       provider.entries=(['192.168.2.2', '10.72.1.100'])
     end
 
