iptables-1.8.7-15.el9

- doc: Improve deprecation notices a bit
- nft: cache: Sort chains on demand only
- nft: Increase BATCH_PAGE_SIZE to support huge rulesets

Related: rhbz#1945151
Resolves: rhbz#1978362

0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch

@@ -1,58 +1,105 @@
-From 735e255367c6dde404bddd4e7f8290a779d278cd Mon Sep 17 00:00:00 2001
+From cbe4ed2b8d13b1d86e71b4d4fa434d1762f80463 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Thu, 17 Jun 2021 18:44:28 +0200
 Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
 
 This is RHEL9 trying to friendly kick people towards nftables.
 ---
- iptables/arptables-nft-restore.8 | 4 ++++
- iptables/arptables-nft-save.8    | 4 ++++
- iptables/arptables-nft.8         | 4 ++++
- iptables/ebtables-nft.8          | 4 ++++
- iptables/iptables-apply.8.in     | 4 ++++
- iptables/iptables-restore.8.in   | 6 ++++++
- iptables/iptables-save.8.in      | 4 ++++
- iptables/iptables.8.in           | 5 +++++
- iptables/xtables-legacy.8        | 6 ++++++
- iptables/xtables-monitor.8.in    | 4 ++++
- iptables/xtables-nft.8           | 6 ++++++
- 11 files changed, 51 insertions(+)
+ iptables/arptables-nft-restore.8 | 13 ++++++++++++-
+ iptables/arptables-nft-save.8    | 14 +++++++++++++-
+ iptables/arptables-nft.8         | 19 ++++++++++++++++++-
+ iptables/ebtables-nft.8          | 15 ++++++++++++++-
+ iptables/iptables-apply.8.in     | 14 +++++++++++++-
+ iptables/iptables-restore.8.in   | 17 ++++++++++++++++-
+ iptables/iptables-save.8.in      | 15 ++++++++++++++-
+ iptables/iptables.8.in           | 17 +++++++++++++++++
+ iptables/xtables-monitor.8.in    | 11 +++++++++++
+ 9 files changed, 128 insertions(+), 7 deletions(-)
 
 diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
-index 09d9082cf9fd3..986c448f4d589 100644
+index 09d9082cf9fd3..b1bf02998f9cc 100644
 --- a/iptables/arptables-nft-restore.8
 +++ b/iptables/arptables-nft-restore.8
-@@ -32,6 +32,10 @@ Use I/O redirection provided by your shell to read from a file
- .TP
+@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
+ .SH SYNOPSIS
+ \fBarptables\-restore
+ .SH DESCRIPTION
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
+ .PP
  .B arptables-restore
- flushes (deletes) all previous contents of the respective ARP Table.
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible.
+ is used to restore ARP Tables from data specified on STDIN or
+@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
  .SH AUTHOR
  Jesper Dangaard Brouer <brouer@redhat.com>
  .SH SEE ALSO
+-\fBarptables\-save\fP(8), \fBarptables\fP(8)
++\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
+ .PP
 diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
-index 905e59854cc28..438955098aafc 100644
+index 905e59854cc28..49bb0f6260f2f 100644
 --- a/iptables/arptables-nft-save.8
 +++ b/iptables/arptables-nft-save.8
-@@ -40,6 +40,10 @@ Include the current values of all packet and byte counters in the output.
- .TP
- \fB\-V\fR, \fB\-\-version\fR
- Print version information and exit.
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible.
+@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
+ \fBarptables\-save\fP [\fB\-V\fP]
+ .SH DESCRIPTION
+ .PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+ .B arptables-save
+ is used to dump the contents of an ARP Table in easily parseable format
+ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+@@ -43,5 +55,5 @@ Print version information and exit.
  .SH AUTHOR
  Jesper Dangaard Brouer <brouer@redhat.com>
  .SH SEE ALSO
+-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
++\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
+ .PP
 diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
-index ea31e0842acd4..81b79740c82f3 100644
+index ea31e0842acd4..ec5b993a41e8b 100644
 --- a/iptables/arptables-nft.8
 +++ b/iptables/arptables-nft.8
-@@ -340,6 +340,10 @@ bridges, the same may be achieved using
+@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
+ .BR "arptables " [ "-t table" ] " -P chain target " [ options ]
+ 
+ .SH DESCRIPTION
++.PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+ .B arptables
+ is a user space tool, it is used to set up and maintain the
+ tables of ARP rules in the Linux kernel. These rules inspect
+@@ -340,9 +353,13 @@ bridges, the same may be achieved using
  chain in
  .BR ebtables .
  
@@ -63,133 +110,199 @@ index ea31e0842acd4..81b79740c82f3 100644
  .SH MAILINGLISTS
  .BR "" "See " http://netfilter.org/mailinglists.html
  .SH SEE ALSO
+-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
++.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
+ .PP
+ .BR "" "See " https://wiki.nftables.org
 diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
-index 1fa5ad9388cc0..1444ddafdccb6 100644
+index 1fa5ad9388cc0..5bdc0bb8a939e 100644
 --- a/iptables/ebtables-nft.8
 +++ b/iptables/ebtables-nft.8
-@@ -1104,6 +1104,10 @@ arp message and the hardware address length in the arp header is 6 bytes.
- .I EBTABLES_ATOMIC_FILE
- .SH MAILINGLISTS
- .BR "" "See " http://netfilter.org/mailinglists.html
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible.
- .SH BUGS
- The version of ebtables this man page ships with does not support the
- .B broute
+@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
+ .br
+ 
+ .SH DESCRIPTION
++.PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+ .B ebtables
+ is an application program used to set up and maintain the
+ tables of rules (inside the Linux kernel) that inspect
+@@ -1111,6 +1124,6 @@ table. Also there is no support for
+ .B string
+ match. And finally, this list is probably not complete.
+ .SH SEE ALSO
+-.BR xtables-nft "(8), " iptables "(8), " ip (8)
++.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
+ .PP
+ .BR "" "See " https://wiki.nftables.org
 diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
-index f0ed4e5f8d450..5df8cc99d6733 100644
+index f0ed4e5f8d450..7f99a21ed2b61 100644
 --- a/iptables/iptables-apply.8.in
 +++ b/iptables/iptables-apply.8.in
-@@ -45,6 +45,10 @@ Display usage information.
- .TP
- \fB\-V\fP, \fB\-\-version\fP
+@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
+ \fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
+ .SH "DESCRIPTION"
+ .PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+ iptables\-apply will try to apply a new rulesfile (as output by
+ iptables-save, read by iptables-restore) or run a command to configure
+ iptables and then prompt the user whether the changes are okay. If the
+@@ -47,7 +59,7 @@ Display usage information.
  Display version information.
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible.
  .SH "SEE ALSO"
  .PP
- \fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
++\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
+ .SH LEGALESE
+ .PP
+ Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
 diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
-index b4b62f92740d1..de7d2e8efc069 100644
+index b4b62f92740d1..1bbf7a0d98d0a 100644
 --- a/iptables/iptables-restore.8.in
 +++ b/iptables/iptables-restore.8.in
-@@ -79,6 +79,12 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path.
- .TP
- \fB\-T\fP, \fB\-\-table\fP \fIname\fP
- Restore only the named table even if the input stream contains other ones.
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible, see
-+\fBiptables\-restore\-translate\fP/\fBip6tables\-restore\-translate\fP for help
-+doing so.
- .SH BUGS
- None known as of iptables-1.2.1 release
- .SH AUTHORS
+@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
+ [\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
+ [\fBfile\fP]
+ .SH DESCRIPTION
++These tools are
++.B deprecated
++in Red Hat Enterprise Linux. They are maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details. There is also
++.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
++to help with the migration.
+ .PP
+ .B iptables-restore
+ and
+@@ -87,7 +100,9 @@ from Rusty Russell.
+ .br
+ Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
+ .SH SEE ALSO
+-\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
++\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
++\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
++\fBip6tables\-restore\-translate\fP(8)
+ .PP
+ The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+ which details NAT, and the netfilter-hacking-HOWTO which details the
 diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
-index 7683fd3780f72..610be412a09c8 100644
+index 7683fd3780f72..6fe50b2d446e5 100644
 --- a/iptables/iptables-save.8.in
 +++ b/iptables/iptables-save.8.in
-@@ -53,6 +53,10 @@ module loading, an attempt will be made to load the appropriate module for
- that table if it is not already there.
+@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
+ [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+ .SH DESCRIPTION
+ .PP
++These tools are
++.B deprecated
++in Red Hat Enterprise Linux. They are maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+ .B iptables-save
+ and
+ .B ip6tables-save
+@@ -62,7 +74,8 @@ Rusty Russell <rusty@rustcorp.com.au>
  .br
- If not specified, output includes all available tables.
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible.
- .SH BUGS
- None known as of iptables-1.2.1 release
- .SH AUTHORS
+ Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
+ .SH SEE ALSO
+-\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
++\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8),
++\fBnft\fP(8)
+ .PP
+ The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+ which details NAT, and the netfilter-hacking-HOWTO which details the
 diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
-index 999cf339845f9..3aa008edcc4c6 100644
+index 999cf339845f9..895cc7b111eb9 100644
 --- a/iptables/iptables.8.in
 +++ b/iptables/iptables.8.in
-@@ -414,6 +414,11 @@ Various error messages are printed to standard error.  The exit code
- is 0 for correct functioning.  Errors which appear to be caused by
- invalid or abused command line parameters cause an exit code of 2, and
- other errors cause an exit code of 1.
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible, see
-+\fBiptables\-translate\fP/\fBip6tables\-translate\fP for help doing so.
- .SH BUGS
- Bugs?  What's this? ;-)
- Well, you might want to have a look at http://bugzilla.netfilter.org/
-diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8
-index 6db7d2cb4357a..48099508a12ca 100644
---- a/iptables/xtables-legacy.8
-+++ b/iptables/xtables-legacy.8
-@@ -71,6 +71,12 @@ versions to work, it cannot display changes made using the
- .B iptables-legacy
- tools.
- 
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible, see
-+\fBxtables-translate\fP(8) for help doing so.
-+
- .SH SEE ALSO
- \fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP
- 
+@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
+ .PP
+ target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
+ .SH DESCRIPTION
++These tools are
++.B deprecated
++in Red Hat Enterprise Linux. They are maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details. There is also
++.BR iptables\-translate (8)/ ip6tables\-translate (8)
++to help with the migration.
++.PP
+ \fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
+ tables of IPv4 and IPv6 packet
+ filter rules in the Linux kernel.  Several different tables
+@@ -447,6 +461,9 @@ There are several other changes in iptables.
+ \fBiptables\-save\fP(8),
+ \fBiptables\-restore\fP(8),
+ \fBiptables\-extensions\fP(8),
++\fBnft\fP(8),
++\fBiptables\-translate\fP(8),
++\fBip6tables\-translate\fP(8)
+ .PP
+ The packet-filtering-HOWTO details iptables usage for
+ packet filtering, the NAT-HOWTO details NAT,
 diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
-index b647a79eb64ed..37485c5c89cff 100644
+index b647a79eb64ed..bbccf009e8269 100644
 --- a/iptables/xtables-monitor.8.in
 +++ b/iptables/xtables-monitor.8.in
-@@ -86,6 +86,10 @@ become active, i.e., the rule set changes are now active.  This also lists the p
+@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
+ .PP
+ \
+ .SH DESCRIPTION
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
+ .PP
  .B xtables-monitor
- only works with rules added using iptables-nftables, rules added using
- iptables-legacy cannot be monitored.
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible.
- .SH BUGS
- Should be reported or by sending email to netfilter-devel@vger.kernel.org or
- by filing a report on https://bugzilla.netfilter.org/.
-diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8
-index 702bf95408a1a..875f3abeb9b89 100644
---- a/iptables/xtables-nft.8
-+++ b/iptables/xtables-nft.8
-@@ -195,6 +195,12 @@ The CLUSTERIP target is not supported.
- To get up-to-date information about this, please head to
- \fBhttp://wiki.nftables.org/\fP.
- 
-+.SH NOTES
-+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
-+will not receive new features. New setups should use \fBnft\fP(8). Existing
-+setups should migrate to \fBnft\fP(8) when possible, see
-+\fBxtables-translate\fP(8) for help doing so.
-+
- .SH SEE ALSO
- \fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP
- 
+ is used to monitor changes to the ruleset or to show rule evaluation events
 -- 
 2.31.1
 

0018-nft-cache-Sort-chains-on-demand-only.patch

@@ -0,0 +1,211 @@
+From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 25 Mar 2021 16:24:39 +0100
+Subject: [PATCH] nft: cache: Sort chains on demand only
+
+Mandatory sorted insert of chains into cache significantly slows down
+restoring of large rulesets. Since the sorted list of user-defined
+chains is needed for listing and verbose output only, introduce
+nft_cache_sort_chains() and call it where needed.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915)
+---
+ iptables/nft-cache.c    | 71 +++++++++++++++++++++++++++++++++--------
+ iptables/nft-cache.h    |  1 +
+ iptables/nft.c          | 12 +++++++
+ iptables/nft.h          |  1 +
+ iptables/xtables-save.c |  1 +
+ 5 files changed, 73 insertions(+), 13 deletions(-)
+
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 7fd78654b280a..2c88301cc7445 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
+ 
+ 		h->cache->table[t->type].base_chains[hooknum] = nc;
+ 	} else {
+-		struct nft_chain_list *clist = h->cache->table[t->type].chains;
+-		struct list_head *pos = &clist->list;
+-		struct nft_chain *cur;
+-		const char *n;
+-
+-		list_for_each_entry(cur, &clist->list, head) {
+-			n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME);
+-			if (strcmp(cname, n) <= 0) {
+-				pos = &cur->head;
+-				break;
+-			}
+-		}
+-		list_add_tail(&nc->head, pos);
++		list_add_tail(&nc->head,
++			      &h->cache->table[t->type].chains->list);
+ 	}
+ 	hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname));
+ 	return 0;
+ }
+ 
++static void __nft_chain_list_sort(struct list_head *list,
++				  int (*cmp)(struct nft_chain *a,
++					     struct nft_chain *b))
++{
++	struct nft_chain *pivot, *cur, *sav;
++	LIST_HEAD(sublist);
++
++	if (list_empty(list))
++		return;
++
++	/* grab first item as pivot (dividing) value */
++	pivot = list_entry(list->next, struct nft_chain, head);
++	list_del(&pivot->head);
++
++	/* move any smaller value into sublist */
++	list_for_each_entry_safe(cur, sav, list, head) {
++		if (cmp(pivot, cur) > 0) {
++			list_del(&cur->head);
++			list_add_tail(&cur->head, &sublist);
++		}
++	}
++	/* conquer divided */
++	__nft_chain_list_sort(&sublist, cmp);
++	__nft_chain_list_sort(list, cmp);
++
++	/* merge divided and pivot again */
++	list_add_tail(&pivot->head, &sublist);
++	list_splice(&sublist, list);
++}
++
++static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b)
++{
++	const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME);
++	const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME);
++
++	return strcmp(aname, bname);
++}
++
++int nft_cache_sort_chains(struct nft_handle *h, const char *table)
++{
++	const struct builtin_table *t = nft_table_builtin_find(h, table);
++
++	if (!t)
++		return -1;
++
++	if (h->cache->table[t->type].sorted)
++		return 0;
++
++	__nft_chain_list_sort(&h->cache->table[t->type].chains->list,
++			      nft_chain_cmp_byname);
++	h->cache->table[t->type].sorted = true;
++	return 0;
++}
++
+ struct nftnl_chain_list_cb_data {
+ 	struct nft_handle *h;
+ 	const struct builtin_table *t;
+@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
+ 
+ 		flush_base_chain_cache(c->table[table->type].base_chains);
+ 		nft_chain_foreach(h, tablename, __flush_chain_cache, NULL);
++		c->table[table->type].sorted = false;
+ 
+ 		if (c->table[table->type].sets)
+ 			nftnl_set_list_foreach(c->table[table->type].sets,
+@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
+ 		if (c->table[i].chains) {
+ 			nft_chain_list_free(c->table[i].chains);
+ 			c->table[i].chains = NULL;
++			c->table[i].sorted = false;
+ 		}
+ 
+ 		if (c->table[i].sets) {
+diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
+index 20d96beede876..58a015265056c 100644
+--- a/iptables/nft-cache.h
++++ b/iptables/nft-cache.h
+@@ -16,6 +16,7 @@ int flush_rule_cache(struct nft_handle *h, const char *table,
+ void nft_cache_build(struct nft_handle *h);
+ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
+ 			struct nftnl_chain *c);
++int nft_cache_sort_chains(struct nft_handle *h, const char *table);
+ 
+ struct nft_chain *
+ nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
+diff --git a/iptables/nft.c b/iptables/nft.c
+index bde4ca72d3fcc..8b14daeaed610 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
+ 		return 1;
+ 	}
+ 
++	nft_cache_sort_chains(h, table);
++
+ 	ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d);
+ 
+ 	/* the core expects 1 for success and 0 for error */
+@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
+ 		goto out;
+ 	}
+ 
++	if (verbose)
++		nft_cache_sort_chains(h, table);
++
+ 	ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d);
+ out:
+ 	/* the core expects 1 for success and 0 for error */
+@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
+ 		return 1;
+ 	}
+ 
++	nft_cache_sort_chains(h, table);
++
+ 	if (ops->print_table_header)
+ 		ops->print_table_header(table);
+ 
+@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
+ 		return nft_rule_list_cb(c, &d);
+ 	}
+ 
++	nft_cache_sort_chains(h, table);
++
+ 	/* Dump policies and custom chains first */
+ 	nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters);
+ 
+@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
+ 		goto err;
+ 	}
+ 
++	if (verbose)
++		nft_cache_sort_chains(h, table);
++
+ 	ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d);
+ err:
+ 	/* the core expects 1 for success and 0 for error */
+diff --git a/iptables/nft.h b/iptables/nft.h
+index 0910f82a2773c..4ac7e0099d567 100644
+--- a/iptables/nft.h
++++ b/iptables/nft.h
+@@ -44,6 +44,7 @@ struct nft_cache {
+ 		struct nft_chain_list	*chains;
+ 		struct nftnl_set_list	*sets;
+ 		bool			exists;
++		bool			sorted;
+ 	} table[NFT_TABLE_MAX];
+ };
+ 
+diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
+index d7901c650ea70..cfce0472f3ee8 100644
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
+ 	printf("*%s\n", tablename);
+ 	/* Dump out chain names first,
+ 	 * thereby preventing dependency conflicts */
++	nft_cache_sort_chains(h, tablename);
+ 	nft_chain_foreach(h, tablename, nft_chain_save, h);
+ 	nft_rule_save(h, tablename, d->format);
+ 	if (d->commit)
+-- 
+2.31.1
+

0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch

@@ -0,0 +1,56 @@
+From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 6 Apr 2021 10:51:20 +0200
+Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets
+
+In order to support the same ruleset sizes as legacy iptables, the
+kernel's limit of 1024 iovecs has to be overcome. Therefore increase
+each iovec's size from 128KB to 2MB.
+
+While being at it, add a log message for failing sendmsg() call. This is
+not supposed to happen, even if the transaction fails. Yet if it does,
+users are left with only a "line XXX failed" message (with line number
+being the COMMIT line).
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240)
+---
+ iptables/nft.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 8b14daeaed610..f1deb82f87576 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
+ 
+ #define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize())
+ 
+-/* selected batch page is 256 Kbytes long to load ruleset of
+- * half a million rules without hitting -EMSGSIZE due to large
+- * iovec.
++/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M
++ * rules matching on source and destination address as well as input and output
++ * interfaces. This is what legacy iptables supports.
+  */
+-#define BATCH_PAGE_SIZE getpagesize() * 32
++#define BATCH_PAGE_SIZE 2 * 1024 * 1024
+ 
+ static struct nftnl_batch *mnl_batch_init(void)
+ {
+@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds)
+ 	int err = 0;
+ 
+ 	ret = mnl_nft_socket_sendmsg(h, numcmds);
+-	if (ret == -1)
++	if (ret == -1) {
++		fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));
+ 		return -1;
++	}
+ 
+ 	FD_ZERO(&readfds);
+ 	FD_SET(fd, &readfds);
+-- 
+2.31.1
+

iptables.spec

@@ -14,7 +14,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 14%{?dist}
+Release: 15%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -44,6 +44,8 @@ Patch14: 0014-iptables-nft-fix-Z-option.patch
 Patch15: 0015-nft-Fix-bitwise-expression-avoidance-detection.patch
 Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch
 Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
+Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch
+Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -446,6 +448,11 @@ fi
 
 
 %changelog
+* Fri Jul 02 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-15
+- doc: Improve deprecation notices a bit
+- nft: cache: Sort chains on demand only
+- nft: Increase BATCH_PAGE_SIZE to support huge rulesets
+
 * Fri Jun 25 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-14
 - doc: Add deprecation notices to all relevant man pages