From c58ecf9f8bcb7619a27ef8ffaddf847a562475a5 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 15 Nov 2018 14:53:02 +0100
Subject: xtables: Introduce per table chain caches

Being able to omit the previously obligatory table name check when iterating over the chain cache might help restore performance with large rulesets in xtables-save and -restore. There is one subtle quirk in the code: flush_chain_cache() did free the global chain cache if not called with a table name but didn't if a table name was given even if it emptied the chain cache. In other places, chain_cache being non-NULL prevented a cache update from happening, so this patch establishes the same behaviour (for each individual chain cache) since otherwise unexpected cache updates lead to weird problems.

Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'iptables/nft.h')

diff --git a/iptables/nft.h b/iptables/nft.h
index 9b4ba5f9..980b38dc 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -25,6 +25,7 @@ struct builtin_table {
 const char *name;
 struct builtin_chain chains[NF_INET_NUMHOOKS];
 bool initialized;
+ struct nftnl_chain_list *chain_cache;
 };
 
 struct nft_handle {
@@ -38,7 +39,6 @@ struct nft_handle {
 struct list_head err_list;
 struct nft_family_ops *ops;
 struct builtin_table *tables;
- struct nftnl_chain_list *chain_cache;
 struct nftnl_rule_list *rule_cache;
 bool restore;
 int8_t config_done;
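Review bot: The new `chain_cache` member added to `struct builtin_table` in the first hunk carries no comment, although the commit message states that a non-NULL cache now suppresses further cache updates for that table, so a reader of the header cannot tell that the pointer doubles as a "populated" flag. A one-line comment above the field, e.g. `/* per-table chain cache; non-NULL suppresses further cache updates, so it must be freed (reset to NULL) before a refresh happens */`, would capture that invariant where the field is declared rather than only in the commit log. The matching removal of the global `chain_cache` from `struct nft_handle` in the second hunk needs nothing further.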
@@ -78,9 +78,11 @@ struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *t
 struct nftnl_chain;
 int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
-struct nftnl_chain_list *nft_chain_list_get(struct nft_handle *h);
-struct nftnl_chain *nft_chain_list_find(struct nftnl_chain_list *list, const char *table, const char *chain);
-int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list, const char *table);
+struct nftnl_chain_list *nft_chain_list_get(struct nft_handle *h,
+ const char *table);
+struct nftnl_chain *nft_chain_list_find(struct nftnl_chain_list *list,
+ const char *chain);
+int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list);
 int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
 int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table, bool verbose);
 int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
-- 
cgit v1.2.3
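Review bot: The new `table` parameter of `nft_chain_list_get` is undocumented: the prototype does not say whether NULL is accepted or what is returned when the name matches no builtin table (the hunk header shows `nft_table_builtin_find`, which is presumably the lookup behind it, but the implementation is outside this hunk). Callers that previously iterated a single global cache now depend on that lookup succeeding, so a short comment on the prototype, e.g. `/* Return the chain cache of builtin table @table, or NULL if the table is unknown — confirm against the implementation in nft.c */`, would pin the contract and make the NULL case explicit to every caller. Since `nft_chain_list_find` and `nft_chain_save` no longer take a table name, it is also worth stating on those prototypes that the list's table is implied by which per-table cache the caller fetched.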