iptables-1.8.8-2.el9

- tests: shell: Check overhead in iptables-save and -restore Related: rhbz#2065330
2022-06-02 14:49:22 +02:00 · 2022-06-02 14:49:22 +02:00 · 73cb621bac
commit 73cb621bac
parent 08d57e3b00
2 changed files with 66 additions and 1 deletions
--- a/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
+++ b/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
@ -0,0 +1,61 @@
+From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Jun 2022 13:44:45 +0200
+Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
+
+Some repeated calls have been reduced recently, assert this in a test
+evaluating strace output.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
+---
+ .../shell/testcases/ipt-save/0007-overhead_0  | 37 +++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+
+diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+new file mode 100755
+index 0000000000000..b86d71f209471
+--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Test recent performance improvements in iptables-save due to reduced
+# overhead.
+
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
+
+RULESET=$(
+	echo "*filter"
+	for ((i = 0; i < 100; i++)); do
+		echo ":mychain$i -"
+		echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
+	done
+	echo "COMMIT"
+)
+
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
+
+do_grep() { # (name, threshold, pattern)
+	local cnt=$(grep -c "$3")
+	[[ $cnt -le $2 ]] && return 0
+	echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
+	exit 1
+}
+
+# iptables prefers hard-coded protocol names instead of looking them up first
+
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
+
+# iptables-nft-save pointlessly checked whether chain jumps are targets
+
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
+
+exit 0
+-- 
+2.34.1
+
--- a/iptables.spec
+++ b/iptables.spec
@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@ -32,6 +32,7 @@ Source10: ebtables-config
 Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
+patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch

 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@ -447,6 +448,9 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz

 %changelog
+* Thu Jun 02 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-2
+- tests: shell: Check overhead in iptables-save and -restore
+
 * Fri May 13 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-1
 - new version