Long `HOME_NET` list leads to very slow startup times?

Standard version 7.0.0-rc1 installation, mostly default config with EmergingThreats open ruleset installed via suricata-update.

When using the default HOME_NET set (maybe 2 or 3 entries), Suricata seems to take 3 seconds or so to start up and start processing the requested input.

However, if I add the 40 or so subnets which I would like to be considered ‘internal’, the startup time balloons to like 45 seconds, sometimes longer.

I’m assuming it has to do with parsing/compiling all of the rules (delay happens after SigAddressPrepareStage1 entry in suricata.log), but my main concern is if there is going to be a similar amount of overhead in the processing of the rules against the network traffic as well? Or is it only a cost at startup?

Is this kind of behavior expected? I noticed the same with v6.0.8 I believe as well.

It should speed up the detection, especially if your rules use the home_net variable extensively, since a big portion of the traffic will not be matched against.

Good to know. So it’s more of an ‘upfront cost’ then with respect to startup time.

Is the slow startup with a long list of HOME_NET subnets a normal thing?

Can you post your HOME_NET values here? Of course, redact sensitive information but give enough info so we can get the gist of it:
`HOME_NET: [subnet1.x.y.z/16,...]` or whatever you’re using?