Bug 188251

Summary: huge time creating thousands of rules
Product: Networking
Reporter: Sergey (a_s_y)
Component: Netfilter/Iptables
Assignee: networking_netfilter-iptables (networking_netfilter-iptables)
Status: NEW
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.4
Subsystem:
Regression: No
Bisected commit-id:
Attachments: random ip list for test

Description Sergey 2016-11-21 14:09:36 UTC
Generating a large number of rules takes too long, for example about 18000.

For kernel 4.1 the time is about 9 minutes
For kernel 4.4 the time is about 3 hours

I understand that ipset is more appropriate here, but the slowdown for iptables seems too big.
Comment 1 Sergey 2016-11-21 14:30:01 UTC
Created attachment 245271
random ip list for test

Simple script for the test

========
iptables -t nat -N TEST_CHAIN
iptables -t nat -F TEST_CHAIN

IP_LIST=/tmp/iplist.txt

# One iptables invocation per address from the list (one IP per line);
# every call fetches the whole nat table, appends one entry and uploads it again
while read -r IP; do
        echo iptables -t nat -A TEST_CHAIN -d "$IP" -j DNAT --to 127.0.0.2
        iptables -t nat -A TEST_CHAIN -d "$IP" -j DNAT --to 127.0.0.2
done < "$IP_LIST"
========
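A batched alternative to the per-rule loop in Comment 1, added here as an example; it is not part of the report or of the attachment. Each iptables -A call downloads the whole nat table, appends one entry and uploads the table again, so the loop performs roughly 18000 table replaces of growing size; iptables-restore parses the same rules and performs one replace, and an ipset collapses the chain to a single rule, as the reporter suggests. TEST_CHAIN and the 127.0.0.2 DNAT target are taken from the posted script; the set name dnat_targets, the helper names and the three sample addresses are assumptions made for illustration, and the list is assumed to hold one IPv4 address per line.

```shell
#!/bin/sh
# Added example, not from the bug report: load the same TEST_CHAIN rules in
# one table replace via iptables-restore, or replace them with a single rule
# that matches an ipset. The set name "dnat_targets" is an assumption;
# TEST_CHAIN and the 127.0.0.2 target come from the report.

# Emit the nat-table fragment that iptables-restore parses. Everything between
# "*nat" and "COMMIT" is pushed to the kernel as one ruleset replace, whereas
# every "iptables -A" call downloads, edits and re-uploads the whole table, so
# appending n rules one at a time costs n table replaces of growing size.
gen_restore() {
    ip_list=$1
    echo '*nat'
    # Declares the user chain; with iptables-restore -n an existing
    # TEST_CHAIN is flushed and rebuilt, like the original -N/-F pair.
    echo ':TEST_CHAIN - [0:0]'
    grep -v -e '^[[:space:]]*$' -e '^#' "$ip_list" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's|.*|-A TEST_CHAIN -d & -j DNAT --to-destination 127.0.0.2|'
    echo 'COMMIT'
}

# Emit input for "ipset restore": one hash:ip set holding every address, so a
# single DNAT rule replaces thousands of per-address rules and the lookup is a
# hash probe instead of a linear walk of the chain.
gen_ipset() {
    ip_list=$1
    echo 'create dnat_targets hash:ip family inet'
    grep -v -e '^[[:space:]]*$' -e '^#' "$ip_list" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's|.*|add dnat_targets &|'
}

# The one rule that stands in for the whole per-address chain when the set
# is used, in iptables-restore syntax so it is loaded the same way.
gen_set_rule() {
    echo '*nat'
    echo ':TEST_CHAIN - [0:0]'
    echo '-A TEST_CHAIN -m set --match-set dnat_targets dst -j DNAT --to-destination 127.0.0.2'
    echo 'COMMIT'
}

# Variant A: thousands of rules, one kernel round-trip. -n (--noflush) leaves
# all other chains and tables untouched. Needs root.
load_batched() {
    gen_restore "$1" | iptables-restore -n
}

# Variant B: build the set first (-exist makes a re-run idempotent), then
# install the single set-matching rule. Needs root and the ipset tool.
load_with_ipset() {
    gen_ipset "$1" | ipset -exist restore
    gen_set_rule | iptables-restore -n
}

# Constructed three-address stand-in for the attached random IP list.
sample_list() {
    tmp=$(mktemp)
    printf '%s\n' 10.1.2.3 192.0.2.44 198.51.100.7 >"$tmp"
    echo "$tmp"
}

# Usage (as root):  sh batch_rules.sh /tmp/iplist.txt [ipset]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = ipset ]; then
        load_with_ipset "$1"
    else
        load_batched "$1"
    fi
fi
```

Running it as sh batch_rules.sh /tmp/iplist.txt builds the same chain as the loop in Comment 1 with one table replace; adding the ipset argument builds the set and installs the single matching rule instead. The -n flag matters on a live box: without it iptables-restore flushes every chain of every table it is not given, which is not what the original -N/-F pair did.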