From f5185f4efad409fc7ec4ae05267b642ee4103a6c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 4 Dec 2020 17:44:51 +0100
Subject: [PATCH] tests/shell: Test for fixed extension registration
Use strace to look at iptables-restore behaviour with typically
problematic input (conntrack revision 0 is no longer supported by
current kernels) to make sure the fix in commit a1eaaceb0460b
("libxtables: Simplify pending extension registration") is still
effective.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 93d0c97e8b6713f51ba679e01a1338d4f9076e7c)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../0017-pointless-compat-checks_0 | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0
diff --git a/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0
new file mode 100755
index 0000000000000..cf73de32df409
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# A bug in extension registration would leave unsupported older extension
+# revisions in pending list and get compatibility checked again for each rule
+# using them. With SELinux enabled, the resulting socket() call per rule leads
+# to significant slowdown (~50% performance in worst cases).
+
+set -e
+
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
+
+RULESET="$(
+ echo "*filter"
+ for ((i = 0; i < 100; i++)); do
+ echo "-A FORWARD -m conntrack --ctstate NEW"
+ done
+ echo "COMMIT"
+)"
+
+cmd="$XT_MULTI iptables-restore"
+socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l)
+
+# unpatched iptables-restore would open 111 sockets,
+# patched only 12 but keep a certain margin for future changes
+[[ $socketcount -lt 20 ]]
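Review bot: The `socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l)` line only ever reports the exit status of `wc -l`, so when iptables-restore itself fails (not running as root, kernel lacking the conntrack match, strace unable to attach) the merged output is short, the count stays below 20 and the final `[[ $socketcount -lt 20 ]]` passes instead of failing; `set -e` cannot see the failure through the pipeline. Changing the opening line to `set -eo pipefail` lets the non-zero status strace propagates from the tracee abort the test, which turns a silently masked regression into a visible failure. Separately, `2>&1` folds iptables-restore's own stderr and strace's `+++ exited with N +++` trailer into the line count, so the number is not strictly a socket count; writing the trace with `strace -o` to a `mktemp` file and counting `socket(` lines from it would make the comparison against the 111/12 figures in the comment exact, though the 20 margin absorbs the extra line today.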
--
2.28.0