Phil Sutter <phil@xxxxxx> wrote:
> This is kind of a double-edged blade: the obvious downside is that
> *tables-restore won't detect user-defined chain name and extension
> clashes anymore. The upside is a tremendous performance improvement
> restoring large rulesets. The same crooked ruleset as mentioned in
> earlier patches (50k chains, 130k rules of which 90k jump to a chain)
> yields these numbers:
>
> variant   unoptimized   non-targets cache   announced chains
> ----------------------------------------------------------------
> legacy    1m12s         37s                 2.5s
> nft       1m35s         53s                 8s

I think the benefits outweigh the possible issues.

> Note that iptables-legacy-restore allows the clashes already as long as
> the name does not match a standard target, but with this patch it stops
> warning about it.

Hmm. That seems fixable by refusing the announce in the clash case?

> iptables-nft-restore does not care at all, even allows
> adding a chain named 'ACCEPT' (and rules can't reach it because '-j
> ACCEPT' translates to a native nftables verdict). The latter is a bug by
> itself.

Agree, that's a bug, it should not allow users to do that.
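Since the patch under discussion drops the clash detection from *tables-restore, a pre-check over the iptables-save file before restoring it is one way to keep the warning. The following is an added example, not code from the patch or from either author; the extension-target set is an assumed subset, not the full list, and the sample ruleset is constructed.

```python
import re

# Built-in verdicts: iptables-nft translates '-j ACCEPT' etc. to a native
# nftables verdict, so a user chain with one of these names is unreachable.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}

# Assumption: a subset of well-known target extensions, not an exhaustive list.
EXTENSION_TARGETS = {"REJECT", "LOG", "MASQUERADE", "DNAT", "SNAT",
                     "REDIRECT", "MARK", "NFQUEUE"}

# iptables-save chain declaration: ':NAME POLICY [pkts:bytes]'
CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)")


def find_chain_clashes(ruleset: str):
    """Return (table, chain, kind) for every user-defined chain whose name
    clashes with a built-in verdict or a target extension."""
    clashes = []
    table = None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):          # '*filter', '*nat', ...
            table = line[1:]
            continue
        m = CHAIN_DECL.match(line)
        if not m:
            continue
        name, policy = m.groups()
        if policy != "-":                 # built-in chains carry a policy,
            continue                      # user-defined chains use '-'
        if name in BUILTIN_TARGETS:
            clashes.append((table, name, "builtin-verdict"))
        elif name in EXTENSION_TARGETS:
            clashes.append((table, name, "target-extension"))
    return clashes


# Constructed sample: two clashing user chains plus one harmless one.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACCEPT - [0:0]
:LOG - [0:0]
:myapp - [0:0]
-A INPUT -p tcp --dport 22 -j myapp
-A INPUT -j ACCEPT
-A myapp -j LOG
COMMIT
"""

if __name__ == "__main__":
    for table, chain, kind in find_chain_clashes(SAMPLE):
        print(f"warning: table {table}: chain '{chain}' clashes with {kind}")
```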