From d5f15282382b3974e49eaf89e1989272df1527d5 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 2 Jul 2021 18:26:15 +0200 Subject: [PATCH] iptables-1.8.7-15.el9 - doc: Improve deprecation notices a bit - nft: cache: Sort chains on demand only - nft: Increase BATCH_PAGE_SIZE to support huge rulesets Related: rhbz#1945151 Resolves: rhbz#1978362 --- ...ion-notices-to-all-relevant-man-page.patch | 385 +++++++++++------- ...nft-cache-Sort-chains-on-demand-only.patch | 211 ++++++++++ ...CH_PAGE_SIZE-to-support-huge-ruleset.patch | 56 +++ iptables.spec | 9 +- 4 files changed, 524 insertions(+), 137 deletions(-) create mode 100644 0018-nft-cache-Sort-chains-on-demand-only.patch create mode 100644 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch diff --git a/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch b/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch index 73135ad..87c0ca8 100644 --- a/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch +++ b/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch @@ -1,58 +1,105 @@ -From 735e255367c6dde404bddd4e7f8290a779d278cd Mon Sep 17 00:00:00 2001 +From cbe4ed2b8d13b1d86e71b4d4fa434d1762f80463 Mon Sep 17 00:00:00 2001 
From: Phil Sutter Date: Thu, 17 Jun 2021 18:44:28 +0200 Subject: [PATCH] doc: Add deprecation notices to all relevant man pages This is RHEL9 trying to friendly kick people towards nftables. --- - iptables/arptables-nft-restore.8 | 4 ++++ - iptables/arptables-nft-save.8 | 4 ++++ - iptables/arptables-nft.8 | 4 ++++ - iptables/ebtables-nft.8 | 4 ++++ - iptables/iptables-apply.8.in | 4 ++++ - iptables/iptables-restore.8.in | 6 ++++++ - iptables/iptables-save.8.in | 4 ++++ - iptables/iptables.8.in | 5 +++++ - iptables/xtables-legacy.8 | 6 ++++++ - iptables/xtables-monitor.8.in | 4 ++++ - iptables/xtables-nft.8 | 6 ++++++ - 11 files changed, 51 insertions(+) + iptables/arptables-nft-restore.8 | 13 ++++++++++++- + iptables/arptables-nft-save.8 | 14 +++++++++++++- + iptables/arptables-nft.8 | 19 ++++++++++++++++++- + iptables/ebtables-nft.8 | 15 ++++++++++++++- + iptables/iptables-apply.8.in | 14 +++++++++++++- + iptables/iptables-restore.8.in | 17 ++++++++++++++++- + iptables/iptables-save.8.in | 15 ++++++++++++++- + iptables/iptables.8.in | 17 +++++++++++++++++ + iptables/xtables-monitor.8.in | 11 +++++++++++ + 9 files changed, 128 insertions(+), 7 deletions(-) diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 -index 09d9082cf9fd3..986c448f4d589 100644 +index 09d9082cf9fd3..b1bf02998f9cc 100644 --- a/iptables/arptables-nft-restore.8 
+++ b/iptables/arptables-nft-restore.8 -@@ -32,6 +32,10 @@ Use I/O redirection provided by your shell to read from a file - .TP +@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based) + .SH SYNOPSIS + \fBarptables\-restore + .SH DESCRIPTION ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. + .PP .B arptables-restore - flushes (deletes) all previous contents of the respective ARP Table. -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible. + is used to restore ARP Tables from data specified on STDIN or +@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table. .SH AUTHOR Jesper Dangaard Brouer .SH SEE ALSO +-\fBarptables\-save\fP(8), \fBarptables\fP(8) ++\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8) + .PP diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8 -index 905e59854cc28..438955098aafc 100644 +index 905e59854cc28..49bb0f6260f2f 100644 --- a/iptables/arptables-nft-save.8 
+++ b/iptables/arptables-nft-save.8 -@@ -40,6 +40,10 @@ Include the current values of all packet and byte counters in the output. - .TP - \fB\-V\fR, \fB\-\-version\fR - Print version information and exit. -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible. +@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based) + \fBarptables\-save\fP [\fB\-V\fP] + .SH DESCRIPTION + .PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B arptables-save + is used to dump the contents of an ARP Table in easily parseable format + to STDOUT. Use I/O-redirection provided by your shell to write to a file. +@@ -43,5 +55,5 @@ Print version information and exit. .SH AUTHOR Jesper Dangaard Brouer .SH SEE ALSO +-\fBarptables\-restore\fP(8), \fBarptables\fP(8) ++\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8) + .PP diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 -index ea31e0842acd4..81b79740c82f3 100644 +index ea31e0842acd4..ec5b993a41e8b 100644 --- a/iptables/arptables-nft.8 
+++ b/iptables/arptables-nft.8 -@@ -340,6 +340,10 @@ bridges, the same may be achieved using +@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based) + .BR "arptables " [ "-t table" ] " -P chain target " [ options ] + + .SH DESCRIPTION ++.PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B arptables + is a user space tool, it is used to set up and maintain the + tables of ARP rules in the Linux kernel. These rules inspect +@@ -340,9 +353,13 @@ bridges, the same may be achieved using chain in .BR ebtables . @@ -63,133 +110,199 @@ index ea31e0842acd4..81b79740c82f3 100644 .SH MAILINGLISTS .BR "" "See " http://netfilter.org/mailinglists.html .SH SEE ALSO +-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8) ++.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8) + .PP + .BR "" "See " https://wiki.nftables.org diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -index 1fa5ad9388cc0..1444ddafdccb6 100644 +index 1fa5ad9388cc0..5bdc0bb8a939e 100644 --- a/iptables/ebtables-nft.8 
+++ b/iptables/ebtables-nft.8 -@@ -1104,6 +1104,10 @@ arp message and the hardware address length in the arp header is 6 bytes. - .I EBTABLES_ATOMIC_FILE - .SH MAILINGLISTS - .BR "" "See " http://netfilter.org/mailinglists.html -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible. - .SH BUGS - The version of ebtables this man page ships with does not support the - .B broute +@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) + .br + + .SH DESCRIPTION ++.PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B ebtables + is an application program used to set up and maintain the + tables of rules (inside the Linux kernel) that inspect +@@ -1111,6 +1124,6 @@ table. Also there is no support for + .B string + match. And finally, this list is probably not complete. + .SH SEE ALSO +-.BR xtables-nft "(8), " iptables "(8), " ip (8) ++.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) + .PP + .BR "" "See " https://wiki.nftables.org diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in -index f0ed4e5f8d450..5df8cc99d6733 100644 +index f0ed4e5f8d450..7f99a21ed2b61 100644 --- a/iptables/iptables-apply.8.in 
+++ b/iptables/iptables-apply.8.in -@@ -45,6 +45,10 @@ Display usage information. - .TP - \fB\-V\fP, \fB\-\-version\fP +@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely + \fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP + .SH "DESCRIPTION" + .PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + iptables\-apply will try to apply a new rulesfile (as output by + iptables-save, read by iptables-restore) or run a command to configure + iptables and then prompt the user whether the changes are okay. If the +@@ -47,7 +59,7 @@ Display usage information. Display version information. -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible. .SH "SEE ALSO" .PP - \fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8). +-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8). ++\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8). + .SH LEGALESE + .PP + Original iptables-apply - Copyright 2006 Martin F. Krafft . diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in -index b4b62f92740d1..de7d2e8efc069 100644 +index b4b62f92740d1..1bbf7a0d98d0a 100644 --- a/iptables/iptables-restore.8.in 
+++ b/iptables/iptables-restore.8.in -@@ -79,6 +79,12 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path. - .TP - \fB\-T\fP, \fB\-\-table\fP \fIname\fP - Restore only the named table even if the input stream contains other ones. -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible, see -+\fBiptables\-restore\-translate\fP/\fBip6tables\-restore\-translate\fP for help -+doing so. - .SH BUGS - None known as of iptables-1.2.1 release - .SH AUTHORS +@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables + [\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] + [\fBfile\fP] + .SH DESCRIPTION ++These tools are ++.B deprecated ++in Red Hat Enterprise Linux. They are maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. There is also ++.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8) ++to help with the migration. + .PP + .B iptables-restore + and +@@ -87,7 +100,9 @@ from Rusty Russell. + .br + Andras Kis-Szabo contributed ip6tables-restore. + .SH SEE ALSO +-\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8) ++\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8), ++\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8), ++\fBip6tables\-restore\-translate\fP(8) + .PP + The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, + which details NAT, and the netfilter-hacking-HOWTO which details the diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in -index 7683fd3780f72..610be412a09c8 100644 +index 7683fd3780f72..6fe50b2d446e5 100644 --- a/iptables/iptables-save.8.in 
+++ b/iptables/iptables-save.8.in -@@ -53,6 +53,10 @@ module loading, an attempt will be made to load the appropriate module for - that table if it is not already there. +@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules + [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP] + .SH DESCRIPTION + .PP ++These tools are ++.B deprecated ++in Red Hat Enterprise Linux. They are maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B iptables-save + and + .B ip6tables-save +@@ -62,7 +74,8 @@ Rusty Russell .br - If not specified, output includes all available tables. -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible. - .SH BUGS - None known as of iptables-1.2.1 release - .SH AUTHORS + Andras Kis-Szabo contributed ip6tables-save. + .SH SEE ALSO +-\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8) ++\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8), ++\fBnft\fP(8) + .PP + The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, + which details NAT, and the netfilter-hacking-HOWTO which details the diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in -index 999cf339845f9..3aa008edcc4c6 100644 +index 999cf339845f9..895cc7b111eb9 100644 --- a/iptables/iptables.8.in 
+++ b/iptables/iptables.8.in -@@ -414,6 +414,11 @@ Various error messages are printed to standard error. The exit code - is 0 for correct functioning. Errors which appear to be caused by - invalid or abused command line parameters cause an exit code of 2, and - other errors cause an exit code of 1. -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible, see -+\fBiptables\-translate\fP/\fBip6tables\-translate\fP for help doing so. - .SH BUGS - Bugs? What's this? ;-) - Well, you might want to have a look at http://bugzilla.netfilter.org/ -diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8 -index 6db7d2cb4357a..48099508a12ca 100644 ---- a/iptables/xtables-legacy.8 -+++ b/iptables/xtables-legacy.8 -@@ -71,6 +71,12 @@ versions to work, it cannot display changes made using the - .B iptables-legacy - tools. - -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible, see -+\fBxtables-translate\fP(8) for help doing so. -+ - .SH SEE ALSO - \fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP - +@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP] + .PP + target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP] + .SH DESCRIPTION ++These tools are ++.B deprecated ++in Red Hat Enterprise Linux. They are maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. There is also ++.BR iptables\-translate (8)/ ip6tables\-translate (8) ++to help with the migration. 
++.PP + \fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the + tables of IPv4 and IPv6 packet + filter rules in the Linux kernel. Several different tables +@@ -447,6 +461,9 @@ There are several other changes in iptables. + \fBiptables\-save\fP(8), + \fBiptables\-restore\fP(8), + \fBiptables\-extensions\fP(8), ++\fBnft\fP(8), ++\fBiptables\-translate\fP(8), ++\fBip6tables\-translate\fP(8) + .PP + The packet-filtering-HOWTO details iptables usage for + packet filtering, the NAT-HOWTO details NAT, diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in -index b647a79eb64ed..37485c5c89cff 100644 +index b647a79eb64ed..bbccf009e8269 100644 --- a/iptables/xtables-monitor.8.in 
+++ b/iptables/xtables-monitor.8.in -@@ -86,6 +86,10 @@ become active, i.e., the rule set changes are now active. This also lists the p +@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events + .PP + \ + .SH DESCRIPTION ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. + .PP .B xtables-monitor - only works with rules added using iptables-nftables, rules added using - iptables-legacy cannot be monitored. -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible. - .SH BUGS - Should be reported or by sending email to netfilter-devel@vger.kernel.org or - by filing a report on https://bugzilla.netfilter.org/. -diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8 -index 702bf95408a1a..875f3abeb9b89 100644 ---- a/iptables/xtables-nft.8 -+++ b/iptables/xtables-nft.8 -@@ -195,6 +195,12 @@ The CLUSTERIP target is not supported. - To get up-to-date information about this, please head to - \fBhttp://wiki.nftables.org/\fP. - -+.SH NOTES -+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and -+will not receive new features. New setups should use \fBnft\fP(8). Existing -+setups should migrate to \fBnft\fP(8) when possible, see -+\fBxtables-translate\fP(8) for help doing so. -+ - .SH SEE ALSO - \fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP - + is used to monitor changes to the ruleset or to show rule evaluation events -- 2.31.1 diff --git a/0018-nft-cache-Sort-chains-on-demand-only.patch b/0018-nft-cache-Sort-chains-on-demand-only.patch new file mode 100644 index 0000000..22f0f2b --- /dev/null 
+++ b/0018-nft-cache-Sort-chains-on-demand-only.patch 
@@ -0,0 +1,211 @@ +From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 25 Mar 2021 16:24:39 +0100 +Subject: [PATCH] nft: cache: Sort chains on demand only + +Mandatory sorted insert of chains into cache significantly slows down +restoring of large rulesets. Since the sorted list of user-defined +chains is needed for listing and verbose output only, introduce +nft_cache_sort_chains() and call it where needed. + +Signed-off-by: Phil Sutter +(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915) +--- + iptables/nft-cache.c | 71 +++++++++++++++++++++++++++++++++-------- + iptables/nft-cache.h | 1 + + iptables/nft.c | 12 +++++++ + iptables/nft.h | 1 + + iptables/xtables-save.c | 1 + + 5 files changed, 73 insertions(+), 13 deletions(-) + +diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c +index 7fd78654b280a..2c88301cc7445 100644 +--- a/iptables/nft-cache.c ++++ b/iptables/nft-cache.c +@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t, + + h->cache->table[t->type].base_chains[hooknum] = nc; + } else { +- struct nft_chain_list *clist = h->cache->table[t->type].chains; +- struct list_head *pos = &clist->list; +- struct nft_chain *cur; +- const char *n; +- +- list_for_each_entry(cur, &clist->list, head) { +- n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME); +- if (strcmp(cname, n) <= 0) { +- pos = &cur->head; +- break; +- } +- } +- list_add_tail(&nc->head, pos); ++ list_add_tail(&nc->head, ++ &h->cache->table[t->type].chains->list); + } + hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname)); + return 0; + } + ++static void __nft_chain_list_sort(struct list_head *list, ++ int (*cmp)(struct nft_chain *a, ++ struct nft_chain *b)) ++{ ++ struct nft_chain *pivot, *cur, *sav; ++ LIST_HEAD(sublist); ++ ++ if (list_empty(list)) ++ return; ++ ++ /* grab first item as pivot (dividing) value */ ++ pivot = list_entry(list->next, struct nft_chain, head); ++ 
list_del(&pivot->head); ++ ++ /* move any smaller value into sublist */ ++ list_for_each_entry_safe(cur, sav, list, head) { ++ if (cmp(pivot, cur) > 0) { ++ list_del(&cur->head); ++ list_add_tail(&cur->head, &sublist); ++ } ++ } ++ /* conquer divided */ ++ __nft_chain_list_sort(&sublist, cmp); ++ __nft_chain_list_sort(list, cmp); ++ ++ /* merge divided and pivot again */ ++ list_add_tail(&pivot->head, &sublist); ++ list_splice(&sublist, list); ++} ++ ++static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b) ++{ ++ const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME); ++ const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME); ++ ++ return strcmp(aname, bname); ++} ++ ++int nft_cache_sort_chains(struct nft_handle *h, const char *table) ++{ ++ const struct builtin_table *t = nft_table_builtin_find(h, table); ++ ++ if (!t) ++ return -1; ++ ++ if (h->cache->table[t->type].sorted) ++ return 0; ++ ++ __nft_chain_list_sort(&h->cache->table[t->type].chains->list, ++ nft_chain_cmp_byname); ++ h->cache->table[t->type].sorted = true; ++ return 0; ++} ++ + struct nftnl_chain_list_cb_data { + struct nft_handle *h; + const struct builtin_table *t; +@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c, + + flush_base_chain_cache(c->table[table->type].base_chains); + nft_chain_foreach(h, tablename, __flush_chain_cache, NULL); ++ c->table[table->type].sorted = false; + + if (c->table[table->type].sets) + nftnl_set_list_foreach(c->table[table->type].sets, +@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c, + if (c->table[i].chains) { + nft_chain_list_free(c->table[i].chains); + c->table[i].chains = NULL; ++ c->table[i].sorted = false; + } + + if (c->table[i].sets) { +diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h +index 20d96beede876..58a015265056c 100644 +--- a/iptables/nft-cache.h ++++ b/iptables/nft-cache.h +@@ -16,6 +16,7 @@ int flush_rule_cache(struct 
nft_handle *h, const char *table, + void nft_cache_build(struct nft_handle *h); + int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t, + struct nftnl_chain *c); ++int nft_cache_sort_chains(struct nft_handle *h, const char *table); + + struct nft_chain * + nft_chain_find(struct nft_handle *h, const char *table, const char *chain); +diff --git a/iptables/nft.c b/iptables/nft.c +index bde4ca72d3fcc..8b14daeaed610 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, + return 1; + } + ++ nft_cache_sort_chains(h, table); ++ + ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d); + + /* the core expects 1 for success and 0 for error */ +@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain, + goto out; + } + ++ if (verbose) ++ nft_cache_sort_chains(h, table); ++ + ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d); + out: + /* the core expects 1 for success and 0 for error */ +@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, + return 1; + } + ++ nft_cache_sort_chains(h, table); ++ + if (ops->print_table_header) + ops->print_table_header(table); + +@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, + return nft_rule_list_cb(c, &d); + } + ++ nft_cache_sort_chains(h, table); ++ + /* Dump policies and custom chains first */ + nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters); + +@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, + goto err; + } + ++ if (verbose) ++ nft_cache_sort_chains(h, table); ++ + ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d); + err: + /* the core expects 1 for success and 0 for error */ +diff --git a/iptables/nft.h b/iptables/nft.h +index 0910f82a2773c..4ac7e0099d567 100644 +--- a/iptables/nft.h ++++ b/iptables/nft.h +@@ -44,6 
+44,7 @@ struct nft_cache { + struct nft_chain_list *chains; + struct nftnl_set_list *sets; + bool exists; ++ bool sorted; + } table[NFT_TABLE_MAX]; + }; + +diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c +index d7901c650ea70..cfce0472f3ee8 100644 +--- a/iptables/xtables-save.c ++++ b/iptables/xtables-save.c +@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data) + printf("*%s\n", tablename); + /* Dump out chain names first, + * thereby preventing dependency conflicts */ ++ nft_cache_sort_chains(h, tablename); + nft_chain_foreach(h, tablename, nft_chain_save, h); + nft_rule_save(h, tablename, d->format); + if (d->commit) +-- +2.31.1 + diff --git a/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch b/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch new file mode 100644 index 0000000..cca6d8c --- /dev/null +++ b/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch 
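Review bot: The new `sorted` flag goes stale when a chain is added after the list has been sorted: the rewritten `else` branch of nft_cache_add_chain now does a plain `list_add_tail()` into the table's chain list but leaves `h->cache->table[t->type].sorted` untouched, so a later nft_cache_sort_chains() call returns early on a list that is no longer in name order (as far as these hunks show, only flush_cache resets the flag). Add `h->cache->table[t->type].sorted = false;` right after the `list_add_tail()` call in that branch. Separately, `__nft_chain_list_sort` always takes the first element as pivot and recurses on both partitions, so a chain list that arrives already ordered by name — plausible if the kernel returns chains in creation order and they were created from a sorted save file — degenerates to O(n²) comparisons with recursion depth equal to the number of chains, which is the opposite of what the large rulesets this series targets need; recursing only into the smaller partition and looping over the larger one, or a list merge sort, would bound the stack. The enclosing nft_cache_add_chain function starts outside the hunk.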
@@ -0,0 +1,56 @@ +From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 6 Apr 2021 10:51:20 +0200 +Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets + +In order to support the same ruleset sizes as legacy iptables, the +kernel's limit of 1024 iovecs has to be overcome. Therefore increase +each iovec's size from 128KB to 2MB. + +While being at it, add a log message for failing sendmsg() call. This is +not supposed to happen, even if the transaction fails. Yet if it does, +users are left with only a "line XXX failed" message (with line number +being the COMMIT line). + +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240) +--- + iptables/nft.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index 8b14daeaed610..f1deb82f87576 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh, + + #define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize()) + +-/* selected batch page is 256 Kbytes long to load ruleset of +- * half a million rules without hitting -EMSGSIZE due to large +- * iovec. ++/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M ++ * rules matching on source and destination address as well as input and output ++ * interfaces. This is what legacy iptables supports. + */ +-#define BATCH_PAGE_SIZE getpagesize() * 32 ++#define BATCH_PAGE_SIZE 2 * 1024 * 1024 + + static struct nftnl_batch *mnl_batch_init(void) + { +@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds) + int err = 0; + + ret = mnl_nft_socket_sendmsg(h, numcmds); +- if (ret == -1) ++ if (ret == -1) { ++ fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno)); + return -1; ++ } + + FD_ZERO(&readfds); + FD_SET(fd, &readfds); +-- +2.31.1 + 
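Review bot: `#define BATCH_PAGE_SIZE 2 * 1024 * 1024` replaces a function-call expression with an unparenthesized product, so any use of the macro as a divisor or modulus operand (`x / BATCH_PAGE_SIZE` expands to `x / 2 * 1024 * 1024`) silently computes the wrong value; write it as `#define BATCH_PAGE_SIZE (2 * 1024 * 1024)`. The added `fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));` in mnl_batch_talk reports the right cause only if mnl_nft_socket_sendmsg() returns immediately after the failing sendmsg() without any intervening call that can overwrite errno; that function is outside the hunk, so this is worth confirming, and the existing `err` local could hold a copy taken at the point of failure if it does not. Both enclosing functions of this hunk continue outside it.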
diff --git a/iptables.spec b/iptables.spec index db1f296..065925d 100644 --- a/iptables.spec +++ b/iptables.spec @@ -14,7 +14,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 14%{?dist} +Release: 15%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -44,6 +44,8 @@ Patch14: 0014-iptables-nft-fix-Z-option.patch Patch15: 0015-nft-Fix-bitwise-expression-avoidance-detection.patch Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch +Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch +Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch # pf.os: ISC license # iptables-apply: Artistic 2.0 @@ -446,6 +448,11 @@ fi %changelog +* Fri Jul 02 2021 Phil Sutter - 1.8.7-15 +- doc: Improve deprecation notices a bit +- nft: cache: Sort chains on demand only +- nft: Increase BATCH_PAGE_SIZE to support huge rulesets + * Fri Jun 25 2021 Phil Sutter - 1.8.7-14 - doc: Add deprecation notices to all relevant man pages