author | Phil Sutter <phil@nwl.cc> | 2020-12-04 17:44:51 +0100
---|---|---
committer | Phil Sutter <phil@nwl.cc> | 2020-12-07 15:47:20 +0100
commit | 93d0c97e8b6713f51ba679e01a1338d4f9076e7c (patch) |
tree | b6417dd35540c13a725c967db7dfc137dedb72f6 |
parent | 8bd4b4f79b5de483353a8c0d0962e71934b7bdd2 (diff) |
tests/shell: Test for fixed extension registration
Use strace to look at iptables-restore behaviour with typically
problematic input (conntrack revision 0 is no longer supported by
current kernels) to make sure the fix in commit a1eaaceb0460b
("libxtables: Simplify pending extension registration") is still
effective.
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rwxr-xr-x | iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 new file mode 100755 index 00000000..cf73de32 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +# A bug in extension registration would leave unsupported older extension +# revisions in pending list and get compatibility checked again for each rule +# using them. With SELinux enabled, the resulting socket() call per rule leads +# to significant slowdown (~50% performance in worst cases). + +set -e + +strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } + +RULESET="$( + echo "*filter" + for ((i = 0; i < 100; i++)); do + echo "-A FORWARD -m conntrack --ctstate NEW" + done + echo "COMMIT" +)" + +cmd="$XT_MULTI iptables-restore" +socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l) + +# unpatched iptables-restore would open 111 sockets, +# patched only 12 but keep a certain margin for future changes +[[ $socketcount -lt 20 ]] |
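Review bot: the pipeline `socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l)` masks a failing iptables-restore: `set -e` only sees the exit status of `wc`, so if the restore aborts early (conntrack match not loadable, insufficient privileges, bad `$XT_MULTI`), few sockets get opened, the `[[ $socketcount -lt 20 ]]` check passes and the regression this test guards against is never exercised. Suggest adding `set -o pipefail` beside `set -e`, or writing the trace with `strace -o` to a temp file and checking the command's exit status before counting lines. Note also that the count includes strace's trailing `+++ exited with 0 +++` line and anything iptables-restore itself prints to stderr; the 20 margin absorbs that today, but stating it in the comment above the check ("patched only 12") would make the threshold easier to maintain.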