We have received some reports of excess CPU usage / locking CPU to 100% / abnormally long backup job execution times, which can be traced to a large volume of `iptables` rules existing in CSF (10k+ rules). The cause of the issue is iptables (without ipset rules), processes large volumes of rules linearly/sequentially, and can also manifest as high CPU usage when every connection to the destination needs to be checked against all rules.
If you experience excess CPU use or abnormally long backup times relative to the size of the accounts you're backing up, we would recommend performing the steps below to identify if you were affected by this.
First, check how many iptables rules exist on the server.
[root@server ~]# iptables -S | wc -l# Warning: iptables-legacy tables present, use iptables-legacy to see them45679
In the example, we see there are over 45,000 rules that need to be processed sequentially for every connection and could bog down network transfer, even on a High-end server.
You may be able to enable IPSET, which is a companion to iptables, to allow these rules to be processed more efficiently in groups by using built-in kernel features.
To enable, please perform the following steps. IPSet may already be installed by default.
1. On AlmaLinux / CentOS / Rocky Linux / CloudLinux,
yum install ipset
1. On Debian / Ubuntu,
apt install ipset
2. Open /etc/csf/csf.conf in a text editor
3. Change LF_IPSET from 0 (disabled) to 1 (enabled)
LF_IPSET = "1"
4. Finally, restart CSF to apply the changes.
csf -r
Now, you should see that the backups are noticeably less bogged down during network transfer when this is enabled.
If you continue to encounter issues, as a test, please try temporarily disabling CSF and running the backup job again to see if you notice any improvement. If the issue is resolved when it's temporarily disabled, please try optimizing the number of iptables rules or reducing inefficient rules.
If there isn't a high volume of iptables rules and you still encounter issues, please open a support ticket so we can assist you further.
