diff options
| author | Phil Sutter <phil@nwl.cc> | 2018-11-15 14:53:02 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-11-17 18:09:10 +0100 |
| commit | c58ecf9f8bcb7619a27ef8ffaddf847a562475a5 (patch) | |
| tree | a1145f835bffbf0a8c9f12ce79a00e60e6b6c7ff /iptables/xtables-save.c | |
| parent | 7c8791edac3e74f6ce0bf21f98bc820db8e55e62 (diff) | |
xtables: Introduce per table chain caches
Being able to omit the previously obligatory table name check when
iterating over the chain cache might help restore performance with large
rulesets in xtables-save and -restore.
There is one subtle quirk in the code: flush_chain_cache() did free the
global chain cache if not called with a table name but didn't if a table
name was given even if it emptied the chain cache. In other places,
chain_cache being non-NULL prevented a cache update from happening, so
this patch establishes the same behaviour (for each individual chain
cache) since otherwise unexpected cache updates lead to weird problems.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables-save.c')
| -rw-r--r-- | iptables/xtables-save.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c index bed3ee03..d121d50e 100644 --- a/iptables/xtables-save.c +++ b/iptables/xtables-save.c @@ -73,7 +73,9 @@ __do_output(struct nft_handle *h, const char *tablename, bool counters) return 0; } - chain_list = nft_chain_list_get(h); + chain_list = nft_chain_list_get(h, tablename); + if (!chain_list) + return 0; time_t now = time(NULL); @@ -83,7 +85,7 @@ __do_output(struct nft_handle *h, const char *tablename, bool counters) /* Dump out chain names first, * thereby preventing dependency conflicts */ - nft_chain_save(h, chain_list, tablename); + nft_chain_save(h, chain_list); nft_rule_save(h, tablename, counters ? 0 : FMT_NOCOUNTS); now = time(NULL); @@ -257,7 +259,7 @@ static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters return 0; } - chain_list = nft_chain_list_get(h); + chain_list = nft_chain_list_get(h, tablename); if (first) { now = time(NULL); @@ -272,7 +274,7 @@ static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters /* Dump out chain names first, * thereby preventing dependency conflicts */ - nft_chain_save(h, chain_list, tablename); + nft_chain_save(h, chain_list); nft_rule_save(h, tablename, format); printf("\n"); return 0; @@ -399,7 +401,7 @@ int xtables_arp_save_main(int argc, char **argv) } printf("*filter\n"); - nft_chain_save(&h, nft_chain_list_get(&h), "filter"); + nft_chain_save(&h, nft_chain_list_get(&h, "filter")); nft_rule_save(&h, "filter", show_counters ? 0 : FMT_NOCOUNTS); printf("\n"); nft_fini(&h); |