0017-pointless-compat-checks_0 763 Bytes
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/bin/bash

# A bug in extension registration would leave unsupported older extension
# revisions in pending list and get compatibility checked again for each rule
# using them. With SELinux enabled, the resulting socket() call per rule leads
# to significant slowdown (~50% performance in worst cases).

set -e

strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }

RULESET="$(
	echo "*filter"
	for ((i = 0; i < 100; i++)); do
		echo "-A FORWARD -m conntrack --ctstate NEW"
	done
	echo "COMMIT"
)"

cmd="$XT_MULTI iptables-restore"
socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l)

# unpatched iptables-restore would open 111 sockets,
# patched only 12 but keep a certain margin for future changes
[[ $socketcount -lt 20 ]]