[iptables PATCH 0/4] Speed up iptables-nft-save

[iptables PATCH 0/4] Speed up iptables-nft-save

[Phil Sutter]

OpenShift tends to create huge rulesets[*] and consequently wonders why
iptables is slow. Anyway, iptables-nft-save really does odd things:

* For each jump target, it checks if such extension exists, despite
  already knowing whether the target is a chain or not. This is solved
  in patch 2, with patch 1 preparing nft_parse_immediate() to make the
  change simpler.

* Every l4proto match causes a call to getprotobynumber() which in turn
  opens /etc/protocols. One could cache the lookups, but preferring the
  builtin fallback list of protocol names and numbers is much simpler.
  Do that in patch 3, aligning said list with /etc/protocols to not
  change output unexpectedly.

[*] I have a "real-life" dump adding 50k chains and 130k rules. Dumping
    it to /dev/null took 45s on my testing VM, with these patches
    applied I'm down to 2.7s.

The last patch is fallout from the above, simplifying family ops
callbacks a bit given that there is only a single *tables_command_state
struct left.

Phil Sutter (4):
  nft: Simplify immediate parsing
  nft: Speed up immediate parsing
  xshared: Prefer xtables_chain_protos lookup over getprotoent
  nft: Don't pass command state opaque to family ops callbacks

 iptables/nft-arp.c    | 32 ++++++------------
 iptables/nft-bridge.c | 55 +++++++++++++------------------
 iptables/nft-ipv4.c   | 40 ++++++++---------------
 iptables/nft-ipv6.c   | 40 ++++++++---------------
 iptables/nft-shared.c | 75 ++++++++++++++++++++-----------------------
 iptables/nft-shared.h | 35 ++++++++++----------
 iptables/nft.c        |  4 +--
 iptables/nft.h        |  2 +-
 iptables/xshared.c    |  8 ++---
 libxtables/xtables.c  | 19 ++++-------
 10 files changed, 126 insertions(+), 184 deletions(-)

-- 
2.34.1

[iptables PATCH 1/4] nft: Simplify immediate parsing

[Phil Sutter]

Implementations of parse_immediate callback are mostly trivial, the only
relevant part is access to family-specific parts of struct
iptables_command_state when setting goto flag for iptables and
ip6tables. Refactor them into simple set_goto_flag callbacks.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-arp.c    |  9 ---------
 iptables/nft-bridge.c |  9 ---------
 iptables/nft-ipv4.c   | 12 +++---------
 iptables/nft-ipv6.c   | 12 +++---------
 iptables/nft-shared.c | 17 +++++++----------
 iptables/nft-shared.h |  2 +-
 6 files changed, 14 insertions(+), 47 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 1472b11543239..78509ce9d87e8 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 	fw->arp.invflags |= flags;
 }
 
-static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
-				    void *data)
-{
-	struct iptables_command_state *cs = data;
-
-	cs->jumpto = jumpto;
-}
-
 static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
 {
 	mask->s_addr = ctx->bitwise.mask[0];
@@ -797,7 +789,6 @@ struct nft_family_ops nft_family_ops_arp = {
 	.print_payload		= NULL,
 	.parse_meta		= nft_arp_parse_meta,
 	.parse_payload		= nft_arp_parse_payload,
-	.parse_immediate	= nft_arp_parse_immediate,
 	.print_header		= nft_arp_print_header,
 	.print_rule		= nft_arp_print_rule,
 	.save_rule		= nft_arp_save_rule,
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 90d55e441ab95..d6a0d6e518fcb 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -251,14 +251,6 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
 	}
 }
 
-static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
-				       void *data)
-{
-	struct iptables_command_state *cs = data;
-
-	cs->jumpto = jumpto;
-}
-
 /* return 0 if saddr, 1 if daddr, -1 on error */
 static int
 lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
@@ -891,7 +883,6 @@ struct nft_family_ops nft_family_ops_bridge = {
 	.print_payload		= NULL,
 	.parse_meta		= nft_bridge_parse_meta,
 	.parse_payload		= nft_bridge_parse_payload,
-	.parse_immediate	= nft_bridge_parse_immediate,
 	.parse_lookup		= nft_bridge_parse_lookup,
 	.parse_match		= nft_bridge_parse_match,
 	.parse_target		= nft_bridge_parse_target,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index f374d468d2ff4..bdb105f8eb683 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -215,15 +215,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
 	}
 }
 
-static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
-				     void *data)
+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
-
-	cs->jumpto = jumpto;
-
-	if (nft_goto)
-		cs->fw.ip.flags |= IPT_F_GOTO;
+	cs->fw.ip.flags |= IPT_F_GOTO;
 }
 
 static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
@@ -450,7 +444,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
 	.is_same		= nft_ipv4_is_same,
 	.parse_meta		= nft_ipv4_parse_meta,
 	.parse_payload		= nft_ipv4_parse_payload,
-	.parse_immediate	= nft_ipv4_parse_immediate,
+	.set_goto_flag		= nft_ipv4_set_goto_flag,
 	.print_header		= print_header,
 	.print_rule		= nft_ipv4_print_rule,
 	.save_rule		= nft_ipv4_save_rule,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 9ecc754f37805..a5323171bb4bb 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 	}
 }
 
-static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
-				     void *data)
+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
-
-	cs->jumpto = jumpto;
-
-	if (nft_goto)
-		cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+	cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 
 static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
@@ -418,7 +412,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
 	.is_same		= nft_ipv6_is_same,
 	.parse_meta		= nft_ipv6_parse_meta,
 	.parse_payload		= nft_ipv6_parse_payload,
-	.parse_immediate	= nft_ipv6_parse_immediate,
+	.set_goto_flag		= nft_ipv6_set_goto_flag,
 	.print_header		= print_header,
 	.print_rule		= nft_ipv6_print_rule,
 	.save_rule		= nft_ipv6_save_rule,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 746a948ccf96d..daa251ae0982a 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -906,9 +906,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
 static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 {
 	const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
-	const char *jumpto = NULL;
-	bool nft_goto = false;
-	void *data = ctx->cs;
+	struct iptables_command_state *cs = ctx->cs;
 	int verdict;
 
 	if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
@@ -931,23 +929,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 	/* Standard target? */
 	switch(verdict) {
 	case NF_ACCEPT:
-		jumpto = "ACCEPT";
+		cs->jumpto = "ACCEPT";
 		break;
 	case NF_DROP:
-		jumpto = "DROP";
+		cs->jumpto = "DROP";
 		break;
 	case NFT_RETURN:
-		jumpto = "RETURN";
+		cs->jumpto = "RETURN";
 		break;;
 	case NFT_GOTO:
-		nft_goto = true;
+		if (ctx->h->ops->set_goto_flag)
+			ctx->h->ops->set_goto_flag(cs);
 		/* fall through */
 	case NFT_JUMP:
-		jumpto = chain;
+		cs->jumpto = chain;
 		break;
 	}
-
-	ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
 }
 
 static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 0788e98a9f93a..04b1d97f950d5 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -93,7 +93,7 @@ struct nft_family_ops {
 			  void *data);
 	void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 			     void *data);
-	void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
+	void (*set_goto_flag)(struct iptables_command_state *cs);
 
 	void (*print_table_header)(const char *tablename);
 	void (*print_header)(unsigned int format, const char *chain,
-- 
2.34.1

[iptables PATCH 2/4] nft: Speed up immediate parsing

[Phil Sutter]

Parsing of rules which jump to a chain pointlessly causes a call to
xtables_find_target() despite the code already knowing the outcome.

Avoid the significant delay for rulesets with many chain jumps by
performing the (standard) target lookup only for accept/drop/return
verdicts.

From a biased test-case on my VM:

| # iptables-nft-save | grep -c -- '-j'
| 133943
| # time ./old/iptables-nft-save >/dev/null
| real	0m45.566s
| user	0m1.308s
| sys	0m8.430s
| # time ./new/iptables-nft-save >/dev/null
| real	0m3.547s
| user	0m0.762s
| sys	0m2.476s

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
The same benchmark completes in 1.7s with legacy, in case anyone
wonders.
---
 iptables/nft-bridge.c |  1 +
 iptables/nft-shared.c | 37 ++++++++++++++++++-------------------
 2 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index d6a0d6e518fcb..d342858e1d9d8 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -502,6 +502,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
 	}
 
 	cs->target = t;
+	cs->jumpto = t->name;
 }
 
 static void nft_rule_to_ebtables_command_state(struct nft_handle *h,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index daa251ae0982a..861aa0642061e 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -907,6 +907,8 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 {
 	const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
 	struct iptables_command_state *cs = ctx->cs;
+	struct xt_entry_target *t;
+	uint32_t size;
 	int verdict;
 
 	if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
@@ -943,8 +945,21 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 		/* fall through */
 	case NFT_JUMP:
 		cs->jumpto = chain;
-		break;
+		/* fall through */
+	default:
+		return;
 	}
+
+	cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
+	if (!cs->target)
+		return;
+
+	size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
+	t = xtables_calloc(1, size);
+	t->u.target_size = size;
+	t->u.user.revision = cs->target->revision;
+	strcpy(t->u.user.name, cs->jumpto);
+	cs->target->t = t;
 }
 
 static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -1143,25 +1158,8 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
 		}
 	}
 
-	if (cs->target != NULL) {
-		cs->jumpto = cs->target->name;
-	} else if (cs->jumpto != NULL) {
-		struct xt_entry_target *t;
-		uint32_t size;
-
-		cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
-		if (!cs->target)
-			return;
-
-		size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
-		t = xtables_calloc(1, size);
-		t->u.target_size = size;
-		t->u.user.revision = cs->target->revision;
-		strcpy(t->u.user.name, cs->jumpto);
-		cs->target->t = t;
-	} else {
+	if (!cs->jumpto)
 		cs->jumpto = "";
-	}
 }
 
 void nft_clear_iptables_command_state(struct iptables_command_state *cs)
@@ -1326,6 +1324,7 @@ void nft_ipv46_parse_target(struct xtables_target *t, void *data)
 	struct iptables_command_state *cs = data;
 
 	cs->target = t;
+	cs->jumpto = t->name;
 }
 
 void nft_check_xt_legacy(int family, bool is_ipt_save)
-- 
2.34.1

[iptables PATCH 3/4] xshared: Prefer xtables_chain_protos lookup over getprotoent

[Phil Sutter]

When dumping a large ruleset, common protocol matches such as for TCP
port number significantly slow down rule printing due to repeated calls
for getprotobynumber(). The latter does not involve any caching, so
/etc/protocols is consulted over and over again.

As a simple countermeasure, make functions converting between proto
number and name prefer the built-in list of "well-known" protocols. This
is not a perfect solution, repeated rules for protocol names libxtables
does not cache (e.g. igmp or dccp) will still be slow. Implementing
getprotoent() result caching could solve this.

As a side-effect, explicit check for pseudo-protocol "all" may be
dropped as it is contained in the built-in list and therefore immutable.

Also update xtables_chain_protos entries a bit to align with typical
/etc/protocols contents. The testsuite assumes those names, so the
preferred ones prior to this patch are indeed uncommon nowadays.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xshared.c   |  8 ++++----
 libxtables/xtables.c | 19 ++++++-------------
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/iptables/xshared.c b/iptables/xshared.c
index 50a1d48a55ebe..43321d3b5358c 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -53,16 +53,16 @@ proto_to_name(uint16_t proto, int nolookup)
 {
 	unsigned int i;
 
+	for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
+		if (xtables_chain_protos[i].num == proto)
+			return xtables_chain_protos[i].name;
+
 	if (proto && !nolookup) {
 		struct protoent *pent = getprotobynumber(proto);
 		if (pent)
 			return pent->p_name;
 	}
 
-	for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
-		if (xtables_chain_protos[i].num == proto)
-			return xtables_chain_protos[i].name;
-
 	return NULL;
 }
 
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 87424d045466b..094cbd87ec1ed 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -2101,10 +2101,11 @@ const struct xtables_pprot xtables_chain_protos[] = {
 	{"udp",       IPPROTO_UDP},
 	{"udplite",   IPPROTO_UDPLITE},
 	{"icmp",      IPPROTO_ICMP},
-	{"icmpv6",    IPPROTO_ICMPV6},
 	{"ipv6-icmp", IPPROTO_ICMPV6},
+	{"icmpv6",    IPPROTO_ICMPV6},
 	{"esp",       IPPROTO_ESP},
 	{"ah",        IPPROTO_AH},
+	{"mobility-header", IPPROTO_MH},
 	{"ipv6-mh",   IPPROTO_MH},
 	{"mh",        IPPROTO_MH},
 	{"all",       0},
@@ -2120,23 +2121,15 @@ xtables_parse_protocol(const char *s)
 	if (xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX))
 		return proto;
 
-	/* first deal with the special case of 'all' to prevent
-	 * people from being able to redefine 'all' in nsswitch
-	 * and/or provoke expensive [not working] ldap/nis/...
-	 * lookups */
-	if (strcmp(s, "all") == 0)
-		return 0;
+	for (i = 0; xtables_chain_protos[i].name != NULL; ++i) {
+		if (strcmp(s, xtables_chain_protos[i].name) == 0)
+			return xtables_chain_protos[i].num;
+	}
 
 	pent = getprotobyname(s);
 	if (pent != NULL)
 		return pent->p_proto;
 
-	for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) {
-		if (xtables_chain_protos[i].name == NULL)
-			continue;
-		if (strcmp(s, xtables_chain_protos[i].name) == 0)
-			return xtables_chain_protos[i].num;
-	}
 	xt_params->exit_err(PARAMETER_PROBLEM,
 		"unknown protocol \"%s\" specified", s);
 	return -1;
-- 
2.34.1

[iptables PATCH 4/4] nft: Don't pass command state opaque to family ops callbacks

[Phil Sutter]

There are no family-specific versions of struct iptables_command_state
anymore, so no need to hide it behind void pointer. Pass the type as-is
and save a few casts.

While at it, drop unused callbacks parse_bitwise and parse_cmp.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-arp.c    | 23 ++++++++++------------
 iptables/nft-bridge.c | 45 +++++++++++++++++++++----------------------
 iptables/nft-ipv4.c   | 28 +++++++++++----------------
 iptables/nft-ipv6.c   | 28 +++++++++++----------------
 iptables/nft-shared.c | 23 ++++++++++------------
 iptables/nft-shared.h | 33 ++++++++++++++++---------------
 iptables/nft.c        |  4 ++--
 iptables/nft.h        |  2 +-
 8 files changed, 84 insertions(+), 102 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 78509ce9d87e8..028b06a608e4e 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -54,9 +54,9 @@ static bool need_devaddr(struct arpt_devaddr_info *info)
 	return false;
 }
 
-static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
+static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r,
+		       struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct arpt_entry *fw = &cs->arp;
 	uint32_t op;
 	int ret = 0;
@@ -169,9 +169,8 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 }
 
 static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-			       void *data)
+			       struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct arpt_entry *fw = &cs->arp;
 	uint8_t flags = 0;
 
@@ -213,9 +212,9 @@ static bool nft_arp_parse_devaddr(struct nft_xt_ctx *ctx,
 }
 
 static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
-				  struct nftnl_expr *e, void *data)
+				  struct nftnl_expr *e,
+				  struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct arpt_entry *fw = &cs->arp;
 	struct in_addr addr;
 	uint16_t ar_hrd, ar_pro, ar_op;
@@ -464,10 +463,8 @@ after_devdst:
 }
 
 static void
-nft_arp_save_rule(const void *data, unsigned int format)
+nft_arp_save_rule(const struct iptables_command_state *cs, unsigned int format)
 {
-	const struct iptables_command_state *cs = data;
-
 	format |= FMT_NUMERIC;
 
 	printf(" ");
@@ -504,11 +501,11 @@ nft_arp_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 	nft_clear_iptables_command_state(&cs);
 }
 
-static bool nft_arp_is_same(const void *data_a,
-			    const void *data_b)
+static bool nft_arp_is_same(const struct iptables_command_state *cs_a,
+			    const struct iptables_command_state *cs_b)
 {
-	const struct arpt_entry *a = data_a;
-	const struct arpt_entry *b = data_b;
+	const struct arpt_entry *a = &cs_a->arp;
+	const struct arpt_entry *b = &cs_b->arp;
 
 	if (a->arp.src.s_addr != b->arp.src.s_addr
 	    || a->arp.tgt.s_addr != b->arp.tgt.s_addr
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index d342858e1d9d8..d4b66a25c740e 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -97,9 +97,9 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
 }
 
 static int nft_bridge_add(struct nft_handle *h,
-			  struct nftnl_rule *r, void *data)
+			  struct nftnl_rule *r,
+			  struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct ebt_match *iter;
 	struct ebt_entry *fw = &cs->eb;
 	uint32_t op;
@@ -164,9 +164,9 @@ static int nft_bridge_add(struct nft_handle *h,
 }
 
 static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx,
-				  struct nftnl_expr *e, void *data)
+				  struct nftnl_expr *e,
+				  struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct ebt_entry *fw = &cs->eb;
 	uint8_t invflags = 0;
 	char iifname[IFNAMSIZ] = {}, oifname[IFNAMSIZ] = {};
@@ -200,9 +200,9 @@ static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx,
 }
 
 static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
-				     struct nftnl_expr *e, void *data)
+				     struct nftnl_expr *e,
+				     struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct ebt_entry *fw = &cs->eb;
 	unsigned char addr[ETH_ALEN];
 	unsigned short int ethproto;
@@ -397,7 +397,7 @@ static struct nftnl_set *set_from_lookup_expr(struct nft_xt_ctx *ctx,
 }
 
 static void nft_bridge_parse_lookup(struct nft_xt_ctx *ctx,
-				    struct nftnl_expr *e, void *data)
+				    struct nftnl_expr *e)
 {
 	struct xtables_match *match = NULL;
 	struct nft_among_data *among_data;
@@ -483,17 +483,15 @@ static void parse_watcher(void *object, struct ebt_match **match_list,
 		(*match_list)->next = m;
 }
 
-static void nft_bridge_parse_match(struct xtables_match *m, void *data)
+static void nft_bridge_parse_match(struct xtables_match *m,
+				   struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
-
 	parse_watcher(m, &cs->match_list, true);
 }
 
-static void nft_bridge_parse_target(struct xtables_target *t, void *data)
+static void nft_bridge_parse_target(struct xtables_target *t,
+				    struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
-
 	/* harcoded names :-( */
 	if (strcmp(t->name, "log") == 0 ||
 	    strcmp(t->name, "nflog") == 0) {
@@ -594,10 +592,9 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)
 		printf("%s ", ent->e_name);
 }
 
-static void __nft_bridge_save_rule(const void *data, unsigned int format)
+static void __nft_bridge_save_rule(const struct iptables_command_state *cs,
+				   unsigned int format)
 {
-	const struct iptables_command_state *cs = data;
-
 	if (cs->eb.ethproto)
 		print_protocol(cs->eb.ethproto, cs->eb.invflags & EBT_IPROTO,
 			       cs->eb.bitmask);
@@ -645,10 +642,11 @@ static void __nft_bridge_save_rule(const void *data, unsigned int format)
 		fputc('\n', stdout);
 }
 
-static void nft_bridge_save_rule(const void *data, unsigned int format)
+static void nft_bridge_save_rule(const struct iptables_command_state *cs,
+				 unsigned int format)
 {
 	printf(" ");
-	__nft_bridge_save_rule(data, format);
+	__nft_bridge_save_rule(cs, format);
 }
 
 static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
@@ -672,10 +670,11 @@ static void nft_bridge_save_chain(const struct nftnl_chain *c,
 	printf(":%s %s\n", chain, policy ?: "ACCEPT");
 }
 
-static bool nft_bridge_is_same(const void *data_a, const void *data_b)
+static bool nft_bridge_is_same(const struct iptables_command_state *cs_a,
+			       const struct iptables_command_state *cs_b)
 {
-	const struct ebt_entry *a = data_a;
-	const struct ebt_entry *b = data_b;
+	const struct ebt_entry *a = &cs_a->eb;
+	const struct ebt_entry *b = &cs_b->eb;
 	int i;
 
 	if (a->ethproto != b->ethproto ||
@@ -821,9 +820,9 @@ static void nft_bridge_xlate_mac(struct xt_xlate *xl, const char *type, bool inv
 	xt_xlate_add(xl, " ");
 }
 
-static int nft_bridge_xlate(const void *data, struct xt_xlate *xl)
+static int nft_bridge_xlate(const struct iptables_command_state *cs,
+			    struct xt_xlate *xl)
 {
-	const struct iptables_command_state *cs = data;
 	int ret;
 
 	xlate_ifname(xl, "iifname", cs->eb.in,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index bdb105f8eb683..af3d0c98b7989 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -26,9 +26,9 @@
 #include "nft.h"
 #include "nft-shared.h"
 
-static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
+static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r,
+			struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct xtables_rule_match *matchp;
 	uint32_t op;
 	int ret;
@@ -93,12 +93,9 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 	return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
 }
 
-static bool nft_ipv4_is_same(const void *data_a,
-			     const void *data_b)
+static bool nft_ipv4_is_same(const struct iptables_command_state *a,
+			     const struct iptables_command_state *b)
 {
-	const struct iptables_command_state *a = data_a;
-	const struct iptables_command_state *b = data_b;
-
 	if (a->fw.ip.src.s_addr != b->fw.ip.src.s_addr
 	    || a->fw.ip.dst.s_addr != b->fw.ip.dst.s_addr
 	    || a->fw.ip.smsk.s_addr != b->fw.ip.smsk.s_addr
@@ -135,10 +132,8 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
 }
 
 static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-				void *data)
+				struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
-
 	switch (ctx->meta.key) {
 	case NFT_META_L4PROTO:
 		cs->fw.ip.proto = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
@@ -160,9 +155,9 @@ static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
 }
 
 static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
-				   struct nftnl_expr *e, void *data)
+				   struct nftnl_expr *e,
+				   struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct in_addr addr;
 	uint8_t proto;
 	bool inv;
@@ -250,10 +245,9 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 	nft_clear_iptables_command_state(&cs);
 }
 
-static void nft_ipv4_save_rule(const void *data, unsigned int format)
+static void nft_ipv4_save_rule(const struct iptables_command_state *cs,
+			       unsigned int format)
 {
-	const struct iptables_command_state *cs = data;
-
 	save_ipv4_addr('s', &cs->fw.ip.src, &cs->fw.ip.smsk,
 		       cs->fw.ip.invflags & IPT_INV_SRCIP);
 	save_ipv4_addr('d', &cs->fw.ip.dst, &cs->fw.ip.dmsk,
@@ -296,9 +290,9 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
 	}
 }
 
-static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
+static int nft_ipv4_xlate(const struct iptables_command_state *cs,
+			  struct xt_xlate *xl)
 {
-	const struct iptables_command_state *cs = data;
 	const char *comment;
 	int ret;
 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index a5323171bb4bb..892a485415933 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -25,9 +25,9 @@
 #include "nft.h"
 #include "nft-shared.h"
 
-static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
+static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r,
+			struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct xtables_rule_match *matchp;
 	uint32_t op;
 	int ret;
@@ -82,12 +82,9 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 	return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
 }
 
-static bool nft_ipv6_is_same(const void *data_a,
-			     const void *data_b)
+static bool nft_ipv6_is_same(const struct iptables_command_state *a,
+			     const struct iptables_command_state *b)
 {
-	const struct iptables_command_state *a = data_a;
-	const struct iptables_command_state *b = data_b;
-
 	if (memcmp(a->fw6.ipv6.src.s6_addr, b->fw6.ipv6.src.s6_addr,
 		   sizeof(struct in6_addr)) != 0
 	    || memcmp(a->fw6.ipv6.dst.s6_addr, b->fw6.ipv6.dst.s6_addr,
@@ -108,10 +105,8 @@ static bool nft_ipv6_is_same(const void *data_a,
 }
 
 static void nft_ipv6_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-				void *data)
+				struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
-
 	switch (ctx->meta.key) {
 	case NFT_META_L4PROTO:
 		cs->fw6.ipv6.proto = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
@@ -133,9 +128,9 @@ static void parse_mask_ipv6(struct nft_xt_ctx *ctx, struct in6_addr *mask)
 }
 
 static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
-				   struct nftnl_expr *e, void *data)
+				   struct nftnl_expr *e,
+				   struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	struct in6_addr addr;
 	uint8_t proto;
 	bool inv;
@@ -213,10 +208,9 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 	nft_clear_iptables_command_state(&cs);
 }
 
-static void nft_ipv6_save_rule(const void *data, unsigned int format)
+static void nft_ipv6_save_rule(const struct iptables_command_state *cs,
+			       unsigned int format)
 {
-	const struct iptables_command_state *cs = data;
-
 	save_ipv6_addr('s', &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
 		       cs->fw6.ipv6.invflags & IP6T_INV_SRCIP);
 	save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
@@ -257,9 +251,9 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
 	}
 }
 
-static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
+static int nft_ipv6_xlate(const struct iptables_command_state *cs,
+			  struct xt_xlate *xl)
 {
-	const struct iptables_command_state *cs = data;
 	const char *comment;
 	int ret;
 
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 861aa0642061e..c57218542c964 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -319,7 +319,6 @@ static void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 	struct xtables_target *target;
 	struct xt_entry_target *t;
 	size_t size;
-	void *data = ctx->cs;
 
 	target = xtables_find_target(targname, XTF_TRY_LOAD);
 	if (target == NULL)
@@ -335,7 +334,7 @@ static void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 
 	target->t = t;
 
-	ctx->h->ops->parse_target(target, data);
+	ctx->h->ops->parse_target(target, ctx->cs);
 }
 
 static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -767,9 +766,9 @@ static void nft_parse_tcp_flags(struct nft_xt_ctx *ctx,
 }
 
 static void nft_parse_transport(struct nft_xt_ctx *ctx,
-				struct nftnl_expr *e, void *data)
+				struct nftnl_expr *e,
+				struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
 	uint32_t sdport;
 	uint16_t port;
 	uint8_t proto, op;
@@ -869,7 +868,6 @@ static void nft_parse_transport_range(struct nft_xt_ctx *ctx,
 
 static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 {
-	void *data = ctx->cs;
 	uint32_t reg;
 
 	reg = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_SREG);
@@ -877,7 +875,7 @@ static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 		return;
 
 	if (ctx->flags & NFT_XT_CTX_META) {
-		ctx->h->ops->parse_meta(ctx, e, data);
+		ctx->h->ops->parse_meta(ctx, e, ctx->cs);
 		ctx->flags &= ~NFT_XT_CTX_META;
 	}
 	/* bitwise context is interpreted from payload */
@@ -885,13 +883,13 @@ static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 		switch (ctx->payload.base) {
 		case NFT_PAYLOAD_LL_HEADER:
 			if (ctx->h->family == NFPROTO_BRIDGE)
-				ctx->h->ops->parse_payload(ctx, e, data);
+				ctx->h->ops->parse_payload(ctx, e, ctx->cs);
 			break;
 		case NFT_PAYLOAD_NETWORK_HEADER:
-			ctx->h->ops->parse_payload(ctx, e, data);
+			ctx->h->ops->parse_payload(ctx, e, ctx->cs);
 			break;
 		case NFT_PAYLOAD_TRANSPORT_HEADER:
-			nft_parse_transport(ctx, e, data);
+			nft_parse_transport(ctx, e, ctx->cs);
 			break;
 		}
 	}
@@ -1055,7 +1053,7 @@ static void nft_parse_lookup(struct nft_xt_ctx *ctx, struct nft_handle *h,
 			     struct nftnl_expr *e)
 {
 	if (ctx->h->ops->parse_lookup)
-		ctx->h->ops->parse_lookup(ctx, e, NULL);
+		ctx->h->ops->parse_lookup(ctx, e);
 }
 
 static void nft_parse_range(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -1319,10 +1317,9 @@ bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2)
 	return true;
 }
 
-void nft_ipv46_parse_target(struct xtables_target *t, void *data)
+void nft_ipv46_parse_target(struct xtables_target *t,
+			    struct iptables_command_state *cs)
 {
-	struct iptables_command_state *cs = data;
-
 	cs->target = t;
 	cs->jumpto = t->name;
 }
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 04b1d97f950d5..7b337943836a4 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -78,21 +78,17 @@ struct nft_xt_ctx {
 };
 
 struct nft_family_ops {
-	int (*add)(struct nft_handle *h, struct nftnl_rule *r, void *data);
-	bool (*is_same)(const void *data_a,
-			const void *data_b);
+	int (*add)(struct nft_handle *h, struct nftnl_rule *r,
+		   struct iptables_command_state *cs);
+	bool (*is_same)(const struct iptables_command_state *cs_a,
+			const struct iptables_command_state *cs_b);
 	void (*print_payload)(struct nftnl_expr *e,
 			      struct nftnl_expr_iter *iter);
 	void (*parse_meta)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-			   void *data);
+			   struct iptables_command_state *cs);
 	void (*parse_payload)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-			      void *data);
-	void (*parse_bitwise)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-			      void *data);
-	void (*parse_cmp)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-			  void *data);
-	void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
-			     void *data);
+			      struct iptables_command_state *cs);
+	void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
 	void (*set_goto_flag)(struct iptables_command_state *cs);
 
 	void (*print_table_header)(const char *tablename);
@@ -102,16 +98,20 @@ struct nft_family_ops {
 			     int refs, uint32_t entries);
 	void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r,
 			   unsigned int num, unsigned int format);
-	void (*save_rule)(const void *data, unsigned int format);
+	void (*save_rule)(const struct iptables_command_state *cs,
+			  unsigned int format);
 	void (*save_chain)(const struct nftnl_chain *c, const char *policy);
 	struct xt_cmd_parse_ops cmd_parse;
-	void (*parse_match)(struct xtables_match *m, void *data);
-	void (*parse_target)(struct xtables_target *t, void *data);
+	void (*parse_match)(struct xtables_match *m,
+			    struct iptables_command_state *cs);
+	void (*parse_target)(struct xtables_target *t,
+			     struct iptables_command_state *cs);
 	void (*init_cs)(struct iptables_command_state *cs);
 	void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r,
 			   struct iptables_command_state *cs);
 	void (*clear_cs)(struct iptables_command_state *cs);
-	int (*xlate)(const void *data, struct xt_xlate *xl);
+	int (*xlate)(const struct iptables_command_state *cs,
+		     struct xt_xlate *xl);
 	int (*add_entry)(struct nft_handle *h,
 			 const char *chain, const char *table,
 			 struct iptables_command_state *cs,
@@ -173,7 +173,8 @@ void save_matches_and_target(const struct iptables_command_state *cs,
 
 struct nft_family_ops *nft_family_ops_lookup(int family);
 
-void nft_ipv46_parse_target(struct xtables_target *t, void *data);
+void nft_ipv46_parse_target(struct xtables_target *t,
+			    struct iptables_command_state *cs);
 
 bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2);
 bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2);
diff --git a/iptables/nft.c b/iptables/nft.c
index d011d7c88da12..6883662fa28d2 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1648,7 +1648,7 @@ void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv)
 
 struct nftnl_rule *
 nft_rule_new(struct nft_handle *h, const char *chain, const char *table,
-	     void *data)
+	     struct iptables_command_state *cs)
 {
 	struct nftnl_rule *r;
 
@@ -1660,7 +1660,7 @@ nft_rule_new(struct nft_handle *h, const char *chain, const char *table,
 	nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table);
 	nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain);
 
-	if (h->ops->add(h, r, data) < 0)
+	if (h->ops->add(h, r, cs) < 0)
 		goto err;
 
 	return r;
diff --git a/iptables/nft.h b/iptables/nft.h
index fd116c2e3e198..68b0910c8e182 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -173,7 +173,7 @@ struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
  */
 struct nftnl_rule;
 
-struct nftnl_rule *nft_rule_new(struct nft_handle *h, const char *chain, const char *table, void *data);
+struct nftnl_rule *nft_rule_new(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cs);
 int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose);
 int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
 int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
-- 
2.34.1

Re: [iptables PATCH 1/4] nft: Simplify immediate parsing

[Florian Westphal]

Phil Sutter <phil@nwl.cc> wrote:
> Implementations of parse_immediate callback are mostly trivial, the only
> relevant part is access to family-specific parts of struct
> iptables_command_state when setting goto flag for iptables and
> ip6tables. Refactor them into simple set_goto_flag callbacks.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Reviewed-by: Florian Westphal <fw@strlen.de>

Re: [iptables PATCH 3/4] xshared: Prefer xtables_chain_protos lookup over getprotoent

[Florian Westphal]

Phil Sutter <phil@nwl.cc> wrote:
> When dumping a large ruleset, common protocol matches such as for TCP
> port number significantly slow down rule printing due to repeated calls
> for getprotobynumber(). The latter does not involve any caching, so
> /etc/protocols is consulted over and over again.

> As a simple countermeasure, make functions converting between proto
> number and name prefer the built-in list of "well-known" protocols. This
> is not a perfect solution, repeated rules for protocol names libxtables
> does not cache (e.g. igmp or dccp) will still be slow. Implementing
> getprotoent() result caching could solve this.

Hmm, I think we could just extend xtables_chain_protos[].
Anyway, this looks safe to me, so

Acked-by: Florian Westphal <fw@strlen.de>

Re: [iptables PATCH 4/4] nft: Don't pass command state opaque to family ops callbacks

[Florian Westphal]

Phil Sutter <phil@nwl.cc> wrote:
> There are no family-specific versions of struct iptables_command_state
> anymore, so no need to hide it behind void pointer. Pass the type as-is
> and save a few casts.

Thanks, that is a good improvement to have.

Acked-by: Florian Westphal <fw@strlen.de>

Re: [iptables PATCH 3/4] xshared: Prefer xtables_chain_protos lookup over getprotoent

[Phil Sutter]

On Thu, Mar 10, 2022 at 01:11:55PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > When dumping a large ruleset, common protocol matches such as for TCP
> > port number significantly slow down rule printing due to repeated calls
> > for getprotobynumber(). The latter does not involve any caching, so
> > /etc/protocols is consulted over and over again.
> 
> > As a simple countermeasure, make functions converting between proto
> > number and name prefer the built-in list of "well-known" protocols. This
> > is not a perfect solution, repeated rules for protocol names libxtables
> > does not cache (e.g. igmp or dccp) will still be slow. Implementing
> > getprotoent() result caching could solve this.
> 
> Hmm, I think we could just extend xtables_chain_protos[].

Statically, i.e. add more entries based on "usual" /etc/protocols
contents or dynamically from getprotoent() results?

> Anyway, this looks safe to me, so
> 
> Acked-by: Florian Westphal <fw@strlen.de>

Thanks!

Re: [iptables PATCH 3/4] xshared: Prefer xtables_chain_protos lookup over getprotoent

[Phil Sutter]

[restored Cc list]

On Thu, Mar 10, 2022 at 01:23:03PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > On Thu, Mar 10, 2022 at 01:11:55PM +0100, Florian Westphal wrote:
> > > Phil Sutter <phil@nwl.cc> wrote:
> > > > When dumping a large ruleset, common protocol matches such as for TCP
> > > > port number significantly slow down rule printing due to repeated calls
> > > > for getprotobynumber(). The latter does not involve any caching, so
> > > > /etc/protocols is consulted over and over again.
> > > 
> > > > As a simple countermeasure, make functions converting between proto
> > > > number and name prefer the built-in list of "well-known" protocols. This
> > > > is not a perfect solution, repeated rules for protocol names libxtables
> > > > does not cache (e.g. igmp or dccp) will still be slow. Implementing
> > > > getprotoent() result caching could solve this.
> > > 
> > > Hmm, I think we could just extend xtables_chain_protos[].
> > 
> > Statically, i.e. add more entries based on "usual" /etc/protocols
> > contents or dynamically from getprotoent() results?
> 
> I meant statically, I don't see why you'd need to do that for igmp or
> dccp (or any other well-known protocol for that matter).

I hesitated because we take users' ability to override the definitions.
Yet giving it another thought, you're right:

When translating name to number, it is very unlikely users would reuse
a common name ('tcp' for instance) for another protocol value. They'll
probably just add new ones.

In reverse direction, it is inconvenient at most: People may prefer
'ipv6-icmp' over 'icmpv6', but whatever name libxtables has stored will
at least parse OK later.

Thanks, Phil