git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Wed, 10 Jan 2024 14:26:59 +0000 (15:26 +0100)
committer	Phil Sutter <phil@nwl.cc>
	Tue, 6 Feb 2024 23:25:03 +0000 (00:25 +0100)
commit	ff57cd48d2b0c01c1519fd8893fc0432ad211702
tree	96e5369c10d314f7b8aca0be375bded16affeb04	tree \| snapshot
parent	a369c736a7fa88a176dbdb17fd50cf30074f54ab	commit \| diff

iptables-save: Avoid /etc/protocols lookups

Instrument proto_to_name() to abort if given protocol number is not
among the well-known ones in xtables_chain_protos. Along with
xtables_parse_protocol() preferring said array for lookups as well, this
ensures reliable dump'n'restore regardless of /etc/protocols contents.

Another benefit is rule dump performance. A simple test-case dumping
100k rules matching on dccp protocol shows an 8s delta (2s vs. 10s for
legacy, 0.5s vs. 8s for nft) with this patch applied. For reference:

| for variant in nft legacy; do
| (
| echo "*filter"
| for ((i = 0; i < 100000; i++)); do
| echo "-A FORWARD -p dccp -j ACCEPT"
| done
| echo "COMMIT"
| ) | iptables-${variant}-restore
| time iptables-${variant}-save | wc -l
| iptables-${variant} -F
| done

Signed-off-by: Phil Sutter <phil@nwl.cc>

iptables/tests/shell/testcases/ipt-save/0001load-dumps_0		diff \| blob \| blame \| history
iptables/xshared.c		diff \| blob \| blame \| history