author | Maciej Żenczykowski <maze@google.com> | 2021-04-02 22:56:05 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-04-02 22:56:05 +0000 |
commit | a0c4e21d18eea26129cd498e5b0b4fc29efea9ce (patch) | |
tree | 189adc3ab85f970608529f7326429d36883324c2 /iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 | |
parent | 5a7265ae38c0dff54021c1424fd199a3b6a8ac77 (diff) | |
parent | 51119072b79a2fe79fe5ee639fbed63d7e3b0c74 (diff) | |
download | iptables-a0c4e21d18eea26129cd498e5b0b4fc29efea9ce.tar.gz |
Merge tag 'v1.8.7' of git://git.netfilter.org/iptables am: 28a74be8ec am: e3fbb32008 am: 51119072b7
Original change: https://android-review.googlesource.com/c/platform/external/iptables/+/1650935
Change-Id: Ic76a7e8ca9e382dff33157f3868178bece99116d
Diffstat (limited to 'iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0')
-rwxr-xr-x | iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0
new file mode 100755
index 00000000..cf73de32
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# A bug in extension registration would leave unsupported older extension
+# revisions in pending list and get compatibility checked again for each rule
+# using them. With SELinux enabled, the resulting socket() call per rule leads
+# to significant slowdown (~50% performance in worst cases).
+
+set -e
+
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
+
+RULESET="$(
+ echo "*filter"
+ for ((i = 0; i < 100; i++)); do
+ echo "-A FORWARD -m conntrack --ctstate NEW"
+ done
+ echo "COMMIT"
+)"
+
+cmd="$XT_MULTI iptables-restore"
+socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l)
+
+# unpatched iptables-restore would open 111 sockets,
+# patched only 12 but keep a certain margin for future changes
+[[ $socketcount -lt 20 ]] |
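Review bot: The final check `[[ $socketcount -lt 20 ]]` also passes when nothing useful was traced. The pipeline `strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l` takes its status from `wc`, so `set -e` does not catch a failing strace or iptables-restore (missing privileges, ptrace blocked, `XT_MULTI` unset), and a lone error line on stderr counts as 1, well under the limit. Adding `set -o pipefail` next to `set -e` should, as far as I can tell, turn such a run into a failure instead of a false pass, since strace exits with the traced command's status. Because `2>&1` folds restore error messages and strace's exit line into the count, a short comment such as `# counts lines of strace output, not socket() calls alone` above the assignment would also help the next reader judge the margin.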