f4dc77713f
The dummy ruleset I used to test the original validation change was broken,
most rules were unreachable and were not tested by mark_source_chains().
In some cases rulesets that used to load in a few seconds now require
several minutes.
sample ruleset that shows the behaviour:
echo "*filter"
for i in $(seq 0 100000);do
printf ":chain_%06x - [0:0]\n" $i
done
for i in $(seq 0 100000);do
printf -- "-A INPUT -j chain_%06x\n" $i
printf -- "-A INPUT -j chain_%06x\n" $i
printf -- "-A INPUT -j chain_%06x\n" $i
done
echo COMMIT
[ pipe result into iptables-restore ]
This ruleset will be about 74mbyte in size, with ~500k searches
though all 500k[1] rule entries. iptables-restore will take forever
(gave up after 10 minutes)
Instead of always searching the entire blob for a match, fill an
array with the start offsets of every single ipt_entry struct,
then do a binary search to check if the jump target is present or not.
After this change ruleset restore times get again close to what one
gets when reverting
|
||
|---|---|---|
| .. | ||
| ip6_tables.c | ||
| ip6t_ah.c | ||
| ip6t_eui64.c | ||
| ip6t_frag.c | ||
| ip6t_hbh.c | ||
| ip6t_ipv6header.c | ||
| ip6t_MASQUERADE.c | ||
| ip6t_mh.c | ||
| ip6t_NPT.c | ||
| ip6t_REJECT.c | ||
| ip6t_rpfilter.c | ||
| ip6t_rt.c | ||
| ip6t_SYNPROXY.c | ||
| ip6table_filter.c | ||
| ip6table_mangle.c | ||
| ip6table_nat.c | ||
| ip6table_raw.c | ||
| ip6table_security.c | ||
| Kconfig | ||
| Makefile | ||
| nf_conntrack_l3proto_ipv6.c | ||
| nf_conntrack_proto_icmpv6.c | ||
| nf_conntrack_reasm.c | ||
| nf_defrag_ipv6_hooks.c | ||
| nf_dup_ipv6.c | ||
| nf_log_ipv6.c | ||
| nf_nat_l3proto_ipv6.c | ||
| nf_nat_masquerade_ipv6.c | ||
| nf_nat_proto_icmpv6.c | ||
| nf_reject_ipv6.c | ||
| nf_tables_ipv6.c | ||
| nft_chain_nat_ipv6.c | ||
| nft_chain_route_ipv6.c | ||
| nft_dup_ipv6.c | ||
| nft_masq_ipv6.c | ||
| nft_redir_ipv6.c | ||
| nft_reject_ipv6.c | ||