[Pkg-utopia-maintainers] Bug#1006544: firewall-cmd times out with large blocklists

Felix Niederwanger felix at feldspaten.org
Sun Feb 27 10:56:09 GMT 2022


Package: firewalld
Version: 0.9.3-2

## Observation

I'm noticing that `firewall-cmd --reload` crashes when it has to deal
with a large drop.xml file, as shown here:

root@debian:/etc/firewalld/zones# time firewall-cmd --reload
ERROR:dbus.proxies:Introspect error on :1.28084:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Error: Message recipient disconnected from message bus without replying

real    15m2.633s
user    0m0.273s
sys     0m0.045s


root@debian:/etc/firewalld/zones# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: failed (Result: signal) since Sun 2022-02-27 10:46:57 CET; 27min ago
       Docs: man:firewalld(1)
    Process: 33724 ExecStart=/usr/sbin/firewalld --nofork --nopid (code=killed, signal=KILL)
   Main PID: 33724 (code=killed, signal=KILL)
        CPU: 15min 20.336s

Feb 27 10:31:34 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 27 10:31:35 debian systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 27 10:46:57 debian systemd[1]: firewalld.service: Main process exited, code=killed, status=9/KILL
Feb 27 10:46:57 debian systemd[1]: firewalld.service: Failed with result 'signal'.
Feb 27 10:46:57 debian systemd[1]: firewalld.service: Consumed 15min 20.336s CPU time.


## Reproducer

Find attached to this email my drop.xml list. I tested this bug in a
fresh VM running Debian 10 with all installed updates.

* Put attached drop.xml into /etc/firewalld/zones/drop.xml
* Run `firewall-cmd --reload`

## Expected behaviour

The same works on an openSUSE Leap 15.3 VM, where the process took up to
20 minutes to complete.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: drop.xml
Type: application/xml
Size: 958438 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20220227/e3d41dd5/attachment-0001.xml>