Can you give information about the firewall rule set that is already in place and the changes that will be added? A firewall dump with iptables-save would show the current rules set. The restore files seem to be placed in /tmp.

From the example in comment 6 there are these iptables-restore calls:

iptables-restore --noflush --counters /tmp/kube-temp-iptables-restore-247982443

One of these files, together with the rules set before the iptables-restore call, would help to understand what is going on here. Please select one of the files where the restore takes a lot of time. As there does not seem to be a change in the IPv6 rules, it might not be needed to add them also.
*** Bug 1372824 has been marked as a duplicate of this bug. ***
http://patchwork.ozlabs.org/patch/697722/ ... might provide some speedup. Note that I can't backport to rhel since this isn't upstream yet.