From 66a5399b6a4383ea4081d99ae852eebc1d65f265 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 24 Jul 2013 20:11:52 +0200
Subject: nft: no need for rule lookup if no position specified via -I

Improve (dc3d8a6 xtables: add -I chain rulenum) to avoid a look up for the rule if no rule number is specified via -I.

Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)
(limited to 'iptables')

diff --git a/iptables/nft.c b/iptables/nft.c
index c22e6c5b..9a857b9e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2162,7 +2162,8 @@ nft_rule_add(struct nft_handle *h, const char *chain,
 ret = 0;
 goto err;
 }
- nft_rule_attr_set_u64(r, NFT_RULE_ATTR_POSITION, handle);
+ if (handle > 0)
+ nft_rule_attr_set_u64(r, NFT_RULE_ATTR_POSITION, handle);

 if (h->commit) {
 nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
@@ -2189,7 +2190,7 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
 {
 struct nft_rule_list *list;
 struct nft_rule *r;
- uint64_t handle;
+ uint64_t handle = 0;

 /* If built-in chains don't exist for this table, create them */
 if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0)
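Review bot: The new `if (handle > 0)` guard in nft_rule_add makes a handle of 0 mean "no position requested", but nothing in the code says so, and nft_rule_insert now depends on it through `uint64_t handle = 0;` in the next hunk. Rule order decides what a chain accepts or drops, so the sentinel deserves a comment above the guard, for example `/* handle 0: caller gave no rule number, leave NFT_RULE_ATTR_POSITION unset */`. The guard also assumes 0 is never a real rule handle, which these lines do not show. If the parameter is the same unsigned 64-bit value that nft_rule_insert passes in, `handle != 0` states the test more directly than `> 0`. nft_rule_add's body starts and ends outside the hunk.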
@@ -2197,26 +2198,23 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,

 nft_fn = nft_rule_insert;

- list = nft_rule_list_create(h);
- if (list == NULL)
- goto err;
+ if (rulenum > 0) {
+ list = nft_rule_list_create(h);
+ if (list == NULL)
+ goto err;

- r = nft_rule_find(list, chain, table, cs, rulenum);
- if (r == NULL) {
- errno = ENOENT;
- goto err;
- }
+ r = nft_rule_find(list, chain, table, cs, rulenum);
+ if (r == NULL) {
+ errno = ENOENT;
+ goto err;
+ }

- handle = nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE);
- DEBUGP("adding after rule handle %"PRIu64"\n", handle);
+ handle = nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE);
+ DEBUGP("adding after rule handle %"PRIu64"\n", handle);

- if (h->commit) {
- nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
- NFT_RULE_F_COMMIT);
+ nft_rule_list_destroy(list);
 }

- nft_rule_list_destroy(list);
-
 return nft_rule_add(h, chain, table, cs, handle, verbose);
 err:
 nft_rule_list_destroy(list);
-- cgit v1.2.3
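Review bot: Inside the new `if (rulenum > 0)` branch, a failed `nft_rule_list_create(h)` still jumps to `err:`, where `nft_rule_list_destroy(list)` is called with the NULL pointer; whether that helper tolerates NULL is not visible here. `list` is also now assigned only inside the branch while its declaration in the previous hunk has no initializer, so the cleanup label is safe only as long as no `goto err` is ever added outside the branch. Declaring `struct nft_rule_list *list = NULL;` and guarding the cleanup with `if (list != NULL)` would make the error path independent of both assumptions. The code after `err:` lies outside this hunk.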