authorPablo Neira Ayuso <pablo@netfilter.org>2019-06-04 12:02:18 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-06-06 11:16:25 +0200
commit7df42800cf89e994b5179200825592d9b95c5fab (patch)
tree7e43c4623433a7b4ce1ca80da7d0d204ceca31e9 /src/libnftables.c
parent89bae935180a50f4ea827f5facc41459557380ef (diff)
src: single cache_update() call to build cache before evaluation
This patch allows us to make one single cache_update() call. Thus, there is no need to rebuild an incomplete cache from the middle of the batch processing. Note that nft_run_cmd_from_filename() does not need a full netlink dump to build the cache anymore; this should speed up nft -f with incremental updates and very large rulesets. cache_evaluate() calculates the netlink dump to populate the cache that this batch needs. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/libnftables.c')
-rw-r--r--src/libnftables.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/src/libnftables.c b/src/libnftables.c
index f459ecd5..4bb770c0 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -381,8 +381,13 @@ static int nft_parse_bison_filename(struct nft_ctx *nft, const char *filename,
static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
struct list_head *cmds)
{
+ unsigned int completeness;
struct cmd *cmd;
+ completeness = cache_evaluate(nft, cmds);
+ if (cache_update(nft, completeness, msgs) < 0)
+ return -1;
+
list_for_each_entry(cmd, cmds, list) {
struct eval_ctx ectx = {
.nft = nft,
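Review bot: The `cache_evaluate()` / `cache_update()` pair added at the top of `nft_evaluate()` carries an invariant that is not written down: per the commit message the cache is no longer rebuilt mid-batch, so every lookup made by the evaluation loop below depends on `cache_evaluate()` having requested enough for all commands in `cmds`. I would add a comment above the call, e.g. `/* Build the cache once, up front: nothing later in the batch refills it, so cache_evaluate() must cover every command evaluated below. */`. It is also worth confirming that `cache_update()` queues an error record on `msgs` when it fails, since the bare `return -1` here otherwise gives the caller nothing to report; neither helper is visible in this diff. The body of `nft_evaluate()` continues past the end of the hunk.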
@@ -454,10 +459,6 @@ int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
LIST_HEAD(msgs);
LIST_HEAD(cmds);
- rc = cache_update(nft, CMD_INVALID, &msgs);
- if (rc < 0)
- return -1;
-
if (!strcmp(filename, "-"))
filename = "/dev/stdin";