authorPhil Sutter <phil@nwl.cc>2024-01-10 15:26:59 +0100
committerPhil Sutter <phil@nwl.cc>2024-02-07 00:25:03 +0100
commitff57cd48d2b0c01c1519fd8893fc0432ad211702 (patch)
tree96e5369c10d314f7b8aca0be375bded16affeb04 /iptables/xshared.c
parenta369c736a7fa88a176dbdb17fd50cf30074f54ab (diff)
iptables-save: Avoid /etc/protocols lookups
Instrument proto_to_name() to abort if given protocol number is not among the well-known ones in xtables_chain_protos. Along with xtables_parse_protocol() preferring said array for lookups as well, this ensures reliable dump'n'restore regardless of /etc/protocols contents. Another benefit is rule dump performance. A simple test-case dumping 100k rules matching on dccp protocol shows an 8s delta (2s vs. 10s for legacy, 0.5s vs. 8s for nft) with this patch applied. For reference: | for variant in nft legacy; do | ( | echo "*filter" | for ((i = 0; i < 100000; i++)); do | echo "-A FORWARD -p dccp -j ACCEPT" | done | echo "COMMIT" | ) | iptables-${variant}-restore | time iptables-${variant}-save | wc -l | iptables-${variant} -F | done Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/xshared.c')
-rw-r--r--iptables/xshared.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 75ab2a63..bff7d60c 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1103,7 +1103,7 @@ void save_rule_details(const char *iniface, const char *outiface,
}
if (proto > 0) {
- const char *pname = proto_to_name(proto, 0);
+ const char *pname = proto_to_name(proto, true);
if (invflags & XT_INV_PROTO)
printf(" !");