diff --git a/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch b/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
new file mode 100644
index 0000000..1994bff
--- /dev/null
+++ b/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
@@ -0,0 +1,61 @@
+From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Jun 2022 13:44:45 +0200
+Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
+
+Some repeated calls have been reduced recently, assert this in a test
+evaluating strace output.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
+---
+ .../shell/testcases/ipt-save/0007-overhead_0  | 37 +++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+
+diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+new file mode 100755
+index 0000000000000..b86d71f209471
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+@@ -0,0 +1,37 @@
++#!/bin/bash
++
++# Test recent performance improvements in iptables-save due to reduced
++# overhead.
++
++strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
++
++RULESET=$(
++	echo "*filter"
++	for ((i = 0; i < 100; i++)); do
++		echo ":mychain$i -"
++		echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
++	done
++	echo "COMMIT"
++)
++
++RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
++SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
++
++do_grep() { # (name, threshold, pattern)
++	local cnt=$(grep -c "$3")
++	[[ $cnt -le $2 ]] && return 0
++	echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
++	exit 1
++}
++
++# iptables prefers hard-coded protocol names instead of looking them up first
++
++do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
++do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
++
++# iptables-nft-save pointlessly checked whether chain jumps are targets
++
++do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
++do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
++
++exit 0
+-- 
+2.34.1
+
diff --git a/iptables.spec b/iptables.spec
index f12b868..c26e2fb 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -32,6 +32,7 @@ Source10: ebtables-config
 Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
+patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -447,6 +448,9 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 
 %changelog
+* Thu Jun 02 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-2
+- tests: shell: Check overhead in iptables-save and -restore
+
 * Fri May 13 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-1
 - new version