From 947c51c95edbbf08d6b3c105177ac5cfa238aade Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 20 Dec 2018 16:09:12 +0100 Subject: xtables: Implement per chain rule cache Use recently introduced support for rules inside chains in libnftnl to introduce a rule cache per chain instead of a global one. A tricky bit is to decide if cache should be updated or not. Previously, the global rule cache was populated just once and then reused unless being flushed completely (via call to flush_rule_cache() with NULL-pointer table argument). Resemble this behaviour by introducing a boolean indicating cache status and fetch rules for all chains when updating the chain cache in nft_chain_list_get(). Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index bf60ab39..6568257f 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -42,7 +42,7 @@ struct nft_handle { struct nftnl_chain_list *chain_cache; bool initialized; } table[NFT_TABLE_MAX]; - struct nftnl_rule_list *rule_cache; + bool have_cache; bool restore; int8_t config_done; -- cgit v1.2.3
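Review bot: the new `bool have_cache;` in `struct nft_handle` is one flag for the whole handle, while `chain_cache` and `initialized` live in the per-table `table[NFT_TABLE_MAX]` entries, and the field has no comment saying what it covers. The commit message says the flag mirrors the old global rule cache, which was only dropped by a flush with a NULL table argument. With rules now stored inside each table's chain cache, a flush of a single table can leave `have_cache` true while that table's chains hold no rules. Either document next to the field that it means "chains and their rules have been fetched for all tables" and state which flush paths reset it, or move the flag into the per-table struct beside `chain_cache` so cache validity is tracked at the same granularity as the data. The name also reads very close to the neighbouring `initialized`; a one-line comment distinguishing the two would help. This view is limited to `iptables/nft.h`, so the flush and fetch logic that sets and clears the flag is not visible here and should be checked against this point.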