author | Phil Sutter <phil@nwl.cc> | 2018-11-15 14:53:02 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-11-17 18:09:10 +0100 |
commit | c58ecf9f8bcb7619a27ef8ffaddf847a562475a5 (patch) | |
tree | a1145f835bffbf0a8c9f12ce79a00e60e6b6c7ff /iptables/xtables-restore.c | |
parent | 7c8791edac3e74f6ce0bf21f98bc820db8e55e62 (diff) |
xtables: Introduce per table chain caches
Being able to omit the previously obligatory table name check when
iterating over the chain cache might help restore performance with large
rulesets in xtables-save and -restore.
There is one subtle quirk in the code: flush_chain_cache() freed the
global chain cache when called without a table name, but did not free it
when a table name was given, even if that emptied the chain cache. In other places,
chain_cache being non-NULL prevented a cache update from happening, so
this patch establishes the same behaviour (for each individual chain
cache) since otherwise unexpected cache updates lead to weird problems.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables-restore.c')
-rw-r--r-- | iptables/xtables-restore.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index f5297740..a46a9295 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -56,11 +56,12 @@ static void print_usage(const char *name, const char *version)
 		" [ --ipv6 ]\n", name);
 }
 
-static struct nftnl_chain_list *get_chain_list(struct nft_handle *h)
+static struct nftnl_chain_list *get_chain_list(struct nft_handle *h,
+					       const char *table)
 {
 	struct nftnl_chain_list *chain_list;
 
-	chain_list = nft_chain_list_get(h);
+	chain_list = nft_chain_list_get(h, table);
 	if (chain_list == NULL)
 		xtables_error(OTHER_PROBLEM, "cannot retrieve chain list\n");
 
@@ -72,7 +73,7 @@ static void chain_delete(struct nftnl_chain_list *clist, const char *curtable,
 {
 	struct nftnl_chain *chain_obj;
 
-	chain_obj = nft_chain_list_find(clist, curtable, chain);
+	chain_obj = nft_chain_list_find(clist, chain);
 
 	/* This chain has been found, delete from list. Later
 	 * on, unvisited chains will be purged out. */
@@ -112,9 +113,6 @@ void xtables_restore_parse(struct nft_handle *h,
 
 	line = 0;
 
-	if (cb->chain_list)
-		chain_list = cb->chain_list(h);
-
 	/* Grab standard input. */
 	while (fgets(buffer, sizeof(buffer), p->in)) {
 		int ret = 0;
@@ -165,6 +163,9 @@ void xtables_restore_parse(struct nft_handle *h,
 		if (p->tablename && (strcmp(p->tablename, table) != 0))
 			continue;
 
+		if (cb->chain_list)
+			chain_list = cb->chain_list(h, table);
+
 		if (noflush == 0) {
 			DEBUGP("Cleaning all chains of table '%s'\n",
 				table);
@@ -197,8 +198,7 @@ void xtables_restore_parse(struct nft_handle *h,
 			if (cb->chain_del)
 				cb->chain_del(chain_list, curtable->name,
 					      chain);
-		} else if (nft_chain_list_find(chain_list,
-					       curtable->name, chain)) {
+		} else if (nft_chain_list_find(chain_list, chain)) {
 			chain_exists = true;
 			/* Apparently -n still flushes existing user
 			 * defined chains that are redefined. Otherwise, |
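Review bot: In the second hunk chain_delete() keeps its `curtable` parameter although the only use visible here, the nft_chain_list_find() call, no longer takes it; the function body continues past the hunk, so if nothing else there reads it, the parameter is now dead and will warn under -Wunused-parameter, and a short comment such as `/* curtable kept for the cb->chain_del callback signature */` or dropping it would make the intent clear. In the first hunk get_chain_list() now receives the table name but the failure path still prints a generic message; since the cache is per table, `xtables_error(OTHER_PROBLEM, "cannot retrieve chain list for table '%s'\n", table);` would tell the operator which table the restore failed on. Both get_chain_list() and chain_delete() continue past their hunks, and xtables_restore_parse() starts and ends outside the remaining hunks.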