authorPhil Sutter <phil@nwl.cc>2021-03-25 16:24:39 +0100
committerPhil Sutter <phil@nwl.cc>2021-04-06 10:52:42 +0200
commitfdf64dcdace989589bac441805082e3b1fe6a915 (patch)
tree37fcc128d5f5c9030dc4a5ea4d377f2ef5afb3df /iptables/nft.c
parentc5d9a723b5159a28f547b577711787295a14fd84 (diff)
nft: cache: Sort chains on demand only
Mandatory sorted insert of chains into cache significantly slows down restoring of large rulesets. Since the sorted list of user-defined chains is needed for listing and verbose output only, introduce nft_cache_sort_chains() and call it where needed. Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index bde4ca72..8b14daea 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
return 1;
}
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d);
/* the core expects 1 for success and 0 for error */
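Review bot: The sort is unconditional here, whereas the calls added in nft_chain_user_del() and nft_chain_zero_counters() are guarded by `if (verbose)`, and the commit message says sorted order is needed for listing and verbose output only. The hunk header cuts off the parameter list, so whether nft_rule_flush() has a verbose flag is not visible. If it does, `if (verbose) nft_cache_sort_chains(h, table);` would keep non-verbose flushes of large tables off the sort path as well. The function body starts and ends outside the hunk.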
@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
goto out;
}
+ if (verbose)
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d);
out:
/* the core expects 1 for success and 0 for error */
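Review bot: Nothing next to the `if (verbose)` guard says why chain order matters only in verbose mode, and the same holds for the identical guard added in nft_chain_zero_counters(). A one-line comment above the guard, such as `/* chain order is only visible in verbose output */`, would keep a later caller of nft_chain_foreach() from assuming the cache is already sorted. The callback that produces the output is outside the hunk, so this reading is inferred from the commit message.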
@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
return 1;
}
+ nft_cache_sort_chains(h, table);
+
if (ops->print_table_header)
ops->print_table_header(table);
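Review bot: The result of `nft_cache_sort_chains(h, table)` is discarded before the table is printed, and the same is true at the other four call sites in this patch. Its declaration is not part of this diff. If it can report failure, the listing would silently come out in cache insertion order, which makes comparing two dumps of the same ruleset unreliable. Consider checking it, e.g. `if (nft_cache_sort_chains(h, table) < 0) return 0;` (the neighbouring comments say the core expects 0 for error), or declaring the helper `void` if it cannot fail.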
@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
return nft_rule_list_cb(c, &d);
}
+ nft_cache_sort_chains(h, table);
+
/* Dump policies and custom chains first */
nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters);
@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
goto err;
}
+ if (verbose)
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d);
err:
/* the core expects 1 for success and 0 for error */