| field | value | date |
|---|---|---|
| author | Phil Sutter <phil@nwl.cc> | 2018-12-12 20:04:12 +0100 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-01-29 23:08:23 +0100 |
| commit | a5f517a41d72794fae3d1332e6e0e413a5cd16c1 (patch) | |
| tree | 37d33411a37cd15e8262c939877e2c755773e80a | |
| parent | 7ea0b7d809229973d950ed99845bdd0b2eb4cbb7 (diff) | |
xtables: Speed up chain deletion in large rulesets
Kernel prefers to identify chain by handle if it was given, which causes
manual traversal of the chain list. In contrast, chain lookup by name in
the kernel makes use of a hash table, so it is considerably faster. Force this
code path by removing the cached chain's handle when removing it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
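The commit message contrasts two kernel-side lookups: by handle, a walk of the table's chain list, and by name, a hash-table lookup. The following is an added C model of those two structures, written for this page and not code from the kernel, libnftnl or iptables; the bucket count, the FNV-1a hash, the chain names and handle values, and the newest-first deletion order are all constructed for the example. It counts the key comparisons needed to delete every chain of a table, which is what removing all user-defined chains of a large ruleset amounts to, and so shows why dropping the cached handle changes the cost from quadratic to linear in the number of chains.

```c
/* Added model, not kernel/libnftnl/iptables code: cost of deleting every
 * chain of a table when each chain is looked up by handle (list walk)
 * versus by name (hash table). All inputs below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32
#define NBUCKETS 4096 /* assumed bucket count, not the kernel's */

struct chain {
    char name[NAME_LEN];
    uint64_t handle;
    struct chain *prev, *next;     /* table-wide list in creation order */
    struct chain *hnext, **hpprev; /* per-bucket list for name lookup */
};

struct table {
    struct chain *head, *tail;
    struct chain *bucket[NBUCKETS];
    unsigned long compares; /* handle or name comparisons performed */
    unsigned long nchains;
};

/* FNV-1a over the name; any reasonable hash shows the same effect. */
static unsigned hash_name(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++)
        h = (h ^ (unsigned char)*s) * 16777619u;
    return h % NBUCKETS;
}

static void table_add(struct table *t, const char *name, uint64_t handle)
{
    struct chain *c = calloc(1, sizeof *c);
    unsigned b = hash_name(name);
    if (!c)
        abort();
    snprintf(c->name, sizeof c->name, "%s", name);
    c->handle = handle;
    c->prev = t->tail; /* append, like the kernel's list_add_tail */
    if (t->tail)
        t->tail->next = c;
    else
        t->head = c;
    t->tail = c;
    c->hnext = t->bucket[b]; /* push onto the bucket head */
    if (c->hnext)
        c->hnext->hpprev = &c->hnext;
    c->hpprev = &t->bucket[b];
    t->bucket[b] = c;
    t->nchains++;
}

/* Handle lookup: compare against every chain until the handle matches. */
static struct chain *lookup_byhandle(struct table *t, uint64_t handle)
{
    for (struct chain *c = t->head; c; c = c->next) {
        t->compares++;
        if (c->handle == handle)
            return c;
    }
    return NULL;
}

/* Name lookup: only the chains sharing the bucket are compared. */
static struct chain *lookup_byname(struct table *t, const char *name)
{
    for (struct chain *c = t->bucket[hash_name(name)]; c; c = c->hnext) {
        t->compares++;
        if (strcmp(c->name, name) == 0)
            return c;
    }
    return NULL;
}

static void table_del(struct table *t, struct chain *c)
{
    if (c->prev) c->prev->next = c->next; else t->head = c->next;
    if (c->next) c->next->prev = c->prev; else t->tail = c->prev;
    *c->hpprev = c->hnext;
    if (c->hnext)
        c->hnext->hpprev = c->hpprev;
    free(c);
    t->nchains--;
}

/* Create n chains, then delete them newest first, resolving each one by
 * handle or by name. Returns the comparisons performed, or 0 on failure. */
unsigned long delete_all_chains(unsigned n, int by_handle)
{
    struct table t = {0};
    char name[NAME_LEN];
    for (unsigned i = 1; i <= n; i++) {
        snprintf(name, sizeof name, "chain-%u", i);
        table_add(&t, name, i);
    }
    for (unsigned i = n; i >= 1; i--) {
        snprintf(name, sizeof name, "chain-%u", i);
        struct chain *c = by_handle ? lookup_byhandle(&t, i)
                                    : lookup_byname(&t, name);
        if (!c)
            return 0;
        table_del(&t, c);
    }
    return t.nchains == 0 ? t.compares : 0;
}

int main(void)
{
    unsigned n = 5000;
    printf("%u chains: by handle %lu compares, by name %lu compares\n",
           n, delete_all_chains(n, 1), delete_all_chains(n, 0));
    return 0;
}
```

With the list in creation order and the newest chain deleted first, every handle lookup walks the whole remaining list, so n chains cost n(n+1)/2 comparisons; the name lookups stay at one comparison per chain. The deletion order only changes the constant: the list walk is linear per lookup in any order, and the bucket walk is bounded by the bucket length.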
-rw-r--r-- | iptables/nft.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index 83d373c9..2fa973cf 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1670,6 +1670,8 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data) fprintf(stdout, "Deleting chain `%s'\n", nftnl_chain_get_str(c, NFTNL_CHAIN_NAME)); + /* XXX This triggers a fast lookup from the kernel. */ + nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE); ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c); if (ret) return -1; |
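Review bot: the `/* XXX This triggers a fast lookup from the kernel. */` comment added before `nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);` in `__nft_chain_user_del()` reads as a placeholder and does not say why the handle is dropped; replace it with the reasoning from the commit message (a delete by handle makes the kernel walk the table's chain list, a delete by name goes through a hash table), otherwise a later reader may put the handle back as a correctness fix. Also worth confirming: `c` is the cached chain object, so unsetting its handle mutates the cache for the rest of the batch; if any later step in the same batch (an error path, or a second operation on the same chain) still needs the handle, unset it on a copy handed to `batch_chain_add()` instead. Since chain names are unique within a table, addressing the delete by name reaches the same chain the handle would have.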