|
 |
aca4c4 |
From 4d61a3ea7bc6cbef8d4ea021e4998137cfca1453 Mon Sep 17 00:00:00 2001
|
|
|
aca4c4 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
aca4c4 |
Date: Thu, 2 Jun 2022 13:44:45 +0200
|
|
|
aca4c4 |
Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
|
|
|
aca4c4 |
|
|
|
aca4c4 |
Some repeated calls have been reduced recently, assert this in a test
|
|
|
aca4c4 |
evaluating strace output.
|
|
|
aca4c4 |
|
|
|
aca4c4 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
aca4c4 |
(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
|
|
|
aca4c4 |
---
|
|
|
aca4c4 |
.../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++
|
|
|
aca4c4 |
1 file changed, 37 insertions(+)
|
|
|
aca4c4 |
create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
|
|
aca4c4 |
|
|
|
aca4c4 |
diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
|
|
aca4c4 |
new file mode 100755
|
|
|
aca4c4 |
index 0000000000000..b86d71f209471
|
|
|
aca4c4 |
--- /dev/null
|
|
|
aca4c4 |
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
|
|
aca4c4 |
@@ -0,0 +1,37 @@
|
|
|
aca4c4 |
+#!/bin/bash
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+# Test recent performance improvements in iptables-save due to reduced
|
|
|
aca4c4 |
+# overhead.
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+RULESET=$(
|
|
|
aca4c4 |
+ echo "*filter"
|
|
|
aca4c4 |
+ for ((i = 0; i < 100; i++)); do
|
|
|
aca4c4 |
+ echo ":mychain$i -"
|
|
|
aca4c4 |
+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
|
|
|
aca4c4 |
+ done
|
|
|
aca4c4 |
+ echo "COMMIT"
|
|
|
aca4c4 |
+)
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
|
|
|
aca4c4 |
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+do_grep() { # (name, threshold, pattern)
|
|
|
aca4c4 |
+ local cnt=$(grep -c "$3")
|
|
|
aca4c4 |
+ [[ $cnt -le $2 ]] && return 0
|
|
|
aca4c4 |
+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
|
|
|
aca4c4 |
+ exit 1
|
|
|
aca4c4 |
+}
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+# iptables prefers hard-coded protocol names instead of looking them up first
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
|
|
|
aca4c4 |
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+# iptables-nft-save pointlessly checked whether chain jumps are targets
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
|
|
|
aca4c4 |
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
|
|
|
aca4c4 |
+
|
|
|
aca4c4 |
+exit 0
|
|
|
aca4c4 |
--
|
|
|
aca4c4 |
2.34.1
|
|
|
aca4c4 |
|