#!/bin/bash

# A bug in extension registration would leave unsupported older extension
# revisions in pending list and get compatibility checked again for each rule
# using them. With SELinux enabled, the resulting socket() call per rule leads
# to significant slowdown (~50% performance in worst cases).

set -e

strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }

RULESET="$(
	echo "*filter"
	for ((i = 0; i < 100; i++)); do
		echo "-A FORWARD -m conntrack --ctstate NEW"
	done
	echo "COMMIT"
)"

cmd="$XT_MULTI iptables-restore"
socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l)

# unpatched iptables-restore would open 111 sockets,
# patched only 12 but keep a certain margin for future changes
[[ $socketcount -lt 20 ]]