From c58ecf9f8bcb7619a27ef8ffaddf847a562475a5 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 15 Nov 2018 14:53:02 +0100
Subject: xtables: Introduce per table chain caches

Being able to omit the previously obligatory table name check when iterating over the chain cache might help restore performance with large rulesets in xtables-save and -restore.

There is one subtle quirk in the code: flush_chain_cache() did free the global chain cache if not called with a table name but didn't if a table name was given even if it emptied the chain cache. In other places, chain_cache being non-NULL prevented a cache update from happening, so this patch establishes the same behaviour (for each individual chain cache) since otherwise unexpected cache updates lead to weird problems.

Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 iptables/xtables-save.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'iptables/xtables-save.c')

diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index bed3ee03..d121d50e 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -73,7 +73,9 @@ __do_output(struct nft_handle *h, const char *tablename, bool counters)
 return 0;
 }
- chain_list = nft_chain_list_get(h);
+ chain_list = nft_chain_list_get(h, tablename);
+ if (!chain_list) return 0;
 time_t now = time(NULL);
@@ -83,7 +85,7 @@ __do_output(struct nft_handle *h, const char *tablename, bool counters)
 /* Dump out chain names first,
 * thereby preventing dependency conflicts */
- nft_chain_save(h, chain_list, tablename);
+ nft_chain_save(h, chain_list);
 nft_rule_save(h, tablename, counters ? 0 : FMT_NOCOUNTS);
 now = time(NULL);
@@ -257,7 +259,7 @@ static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters
 return 0;
 }
- chain_list = nft_chain_list_get(h);
+ chain_list = nft_chain_list_get(h, tablename);
 if (first) {
 now = time(NULL);
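Review bot: The new `if (!chain_list) return 0;` in __do_output drops the whole table from the dump without any diagnostic, so if nft_chain_list_get() can return NULL for a table that does exist (its failure semantics are not visible in this hunk), the saved ruleset would restore cleanly but silently lack that table's chains and rules. If NULL only means "table not in the cache" and that is expected here, a one-line comment saying so would stop the next reader from treating this as a swallowed error; otherwise report it before returning, e.g. `fprintf(stderr, "%s: no chain cache for table %s\n", progname, tablename);`. The body of __do_output continues outside the hunk.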
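Review bot: `chain_list = nft_chain_list_get(h, tablename);` in __ebt_save gets no NULL check, unlike the identical call in __do_output in this same patch, so a table absent from the per-table cache would reach `nft_chain_save(h, chain_list)` with a NULL list. Unless nft_chain_save() tolerates NULL (not visible here), add `if (!chain_list) return 0;` directly after the call so both save paths fail the same way. __ebt_save starts and ends outside the hunk.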
@@ -272,7 +274,7 @@ static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters
 /* Dump out chain names first,
 * thereby preventing dependency conflicts */
- nft_chain_save(h, chain_list, tablename);
+ nft_chain_save(h, chain_list);
 nft_rule_save(h, tablename, format);
 printf("\n");
 return 0;
@@ -399,7 +401,7 @@ int xtables_arp_save_main(int argc, char **argv)
 }
 printf("*filter\n");
- nft_chain_save(&h, nft_chain_list_get(&h), "filter");
+ nft_chain_save(&h, nft_chain_list_get(&h, "filter"));
 nft_rule_save(&h, "filter", show_counters ? 0 : FMT_NOCOUNTS);
 printf("\n");
 nft_fini(&h);
-- cgit v1.2.3
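Review bot: `nft_chain_save(&h, nft_chain_list_get(&h, "filter"));` in xtables_arp_save_main passes the lookup result straight through, so the NULL case the patch guards against in __do_output is handed to nft_chain_save() unchecked here. Unless nft_chain_save() accepts a NULL list (not visible in this hunk), store the result in a local and guard it, e.g. `if (chains) nft_chain_save(&h, chains);`, using whatever pointer type the file already uses for chain lists. The `*filter` header has already been printed at that point, so the guarded form would still emit a well-formed but empty table rather than crash. The function body starts outside the hunk.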