From 5c59c36016d207dba861702c9cf79b371557c201 Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Fri, 23 Jul 2021 18:27:39 +0800
Subject: [PATCH] Use ChainExists to reduce memory footprint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ListChains was used to check if a chain exists. The method used "iptables -t TABLE -S" to list all rules and filter chains from the output. If there are massive iptables chains and rules configured, it would cause a lot of space allocated.
benchmark comparison (with 15K iptables rules configured for 1000 services, each of which has 3 endpoints):
name old time/op new time/op delta
EnsureChain-48 78.2ms ± 3% 27.0ms ± 1% -65.43% (p=0.008 n=5+5)
name old alloc/op new alloc/op delta
EnsureChain-48 6.06MB ± 0% 0.01MB ± 0% -99.84% (p=0.016 n=4+5)
name old allocs/op new allocs/op delta
EnsureChain-48 4.16k ± 0% 0.04k ± 0% ~ (p=0.079 n=4+5)
Signed-off-by: Quan Tian
---
 go.mod | 2 +-
 go.sum | 3 ++-
 pkg/agent/util/iptables/iptables.go | 23 +++++++----------------
 plugins/octant/go.sum | 1 +
 4 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/go.mod b/go.mod
index 112d3be926c..3ca5321b951 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/containernetworking/plugins v0.8.7
 github.com/contiv/libOpenflow v0.0.0-20210521033357-6b49eccb12e0
 github.com/contiv/ofnet v0.0.0-00010101000000-000000000000
- github.com/coreos/go-iptables v0.4.5
+ github.com/coreos/go-iptables v0.6.0
 github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 // indirect
 github.com/go-openapi/spec v0.19.5
 github.com/gogo/protobuf v1.3.2
diff --git a/go.sum b/go.sum
index fc4ff1a7b91..4175fc44a28 100644
--- a/go.sum
+++ b/go.sum
@@ -128,8 +128,9 @@ github.com/contiv/libovsdb v0.0.0-20170227191248-d0061a53e358/go.mod h1:+qKEHaNV github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-iptables v0.4.5 h1:DpHb9vJrZQEFMcVLFKAAGMUVX0XoRC0ptCthinRYm38= github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= +github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk= +github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
diff --git a/pkg/agent/util/iptables/iptables.go b/pkg/agent/util/iptables/iptables.go
index 6840cf2d6f9..2c6a3fb74b4 100644
--- a/pkg/agent/util/iptables/iptables.go
+++ b/pkg/agent/util/iptables/iptables.go
@@ -102,12 +102,12 @@ func isRestoreWaitSupported(ipt *iptables.IPTables) bool {
 func (c *Client) EnsureChain(table string, chain string) error {
 for idx := range c.ipts {
 ipt := c.ipts[idx]
- oriChains, err := ipt.ListChains(table)
+ exists, err := ipt.ChainExists(table, chain)
 if err != nil {
- return fmt.Errorf("error listing existing chains in table %s: %v", table, err)
+ return fmt.Errorf("error checking if chain %s exists in table %s: %v", chain, table, err)
 }
- if contains(oriChains, chain) {
- return nil
+ if exists {
+ continue
 }
 if err := ipt.NewChain(table, chain); err != nil {
 return fmt.Errorf("error creating chain %s in table %s: %v", chain, table, err)
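Review bot: EnsureChain's new `if exists { continue }` branch needs a comment and a test, because it changes behaviour beyond the memory saving the commit description talks about. The removed `return nil` left the function as soon as the first handle in `c.ipts` had the chain, so any later handle (presumably the other IP family; the field is declared outside this hunk) could be left without it and rules for that family would have no chain to attach to. I would add `// The chain must exist for every handle in c.ipts, so keep checking the remaining ones.` above the `continue`, and a unit test with two handles where only the first already has the chain. The end of EnsureChain is outside the hunk.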
@@ -120,11 +120,11 @@ func (c *Client) EnsureChain(table string, chain string) error {
 // ChainExists checks if a chain already exists in a table
 func (c *Client) ChainExists(table string, chain string) (bool, error) {
 for idx := range c.ipts {
- allChains, err := c.ipts[idx].ListChains(table)
+ exists, err := c.ipts[idx].ChainExists(table, chain)
 if err != nil {
- return false, fmt.Errorf("error listing existing chains in table %s: %v", table, err)
+ return false, fmt.Errorf("error checking if chain %s exists in table %s: %v", chain, table, err)
 }
- if contains(allChains, chain) {
+ if exists {
 return true, nil
 }
 }
@@ -292,15 +292,6 @@ func (c *Client) Save() ([]byte, error) {
 return output, nil
 }
 
-func contains(chains []string, targetChain string) bool {
- for _, val := range chains {
- if val == targetChain {
- return true
- }
- }
- return false
-}
-
 func MakeChainLine(chain string) string {
 return fmt.Sprintf(":%s - [0:0]", chain)
 }
diff --git a/plugins/octant/go.sum b/plugins/octant/go.sum
index c8ae946d5da..47fd9090eed 100644
--- a/plugins/octant/go.sum
+++ b/plugins/octant/go.sum
@@ -141,6 +141,7 @@ github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkE github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= +github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
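Review bot: Client.ChainExists still answers "exists in any handle", returning `true, nil` on the first entry of `c.ipts` that has the chain, while EnsureChain after this commit requires the chain in every handle. On a client with more than one handle (presumably IPv4 and IPv6; `c.ipts` is defined outside the hunk), a caller that gates rule setup on this result can treat the chain as present while one family lacks it, leaving that family's rules unapplied. Either make the loop fail fast with `if !exists { return false, nil }` and return true only after all handles were checked, or keep the behaviour and state it in the doc comment: `// ChainExists reports whether the chain exists in the table for at least one of the client's iptables handles.`. The function's final return is outside the hunk, so the first option needs a change there as well.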