From 3ab02db5f836ae0cf9fe7fba616d7eb52139d537 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 23 Jul 2019 15:03:23 +0200
Subject: cache: add NFT_CACHE_UPDATE and NFT_CACHE_FLUSHED flags
NFT_CACHE_FLUSHED tells cache_update() to skip the netlink dump to populate the cache, since the existing ruleset is going to flushed by this batch. NFT_CACHE_UPDATE tells rule_evaluate() to perform incremental updates to the cache based on the existing batch, this is required by the rule commands that use the index and the position selectors. This patch removes cache_flush() which is not required anymore. This cache removal is coming too late, in the evaluation phase, after the initial cache_update() invocation. Be careful with NFT_CACHE_UPDATE, this flag needs to be left in place if NFT_CACHE_FLUSHED is set on.
Signed-off-by: Pablo Neira Ayuso
---
 src/cache.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/cache.c')
diff --git a/src/cache.c b/src/cache.c
index e04ead85..0d38034e 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -41,7 +41,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
 if (cmd->handle.index.id || cmd->handle.position.id)
- flags |= NFT_CACHE_RULE;
+ flags |= NFT_CACHE_RULE | NFT_CACHE_UPDATE;
 break;
 default:
 break;
@@ -72,6 +72,8 @@ static unsigned int evaluate_cache_flush(struct cmd *cmd, unsigned int flags)
 flags |= NFT_CACHE_SET;
 break;
 case CMD_OBJ_RULESET:
+ flags |= NFT_CACHE_FLUSHED;
+ break;
 default:
 flags = NFT_CACHE_EMPTY;
 break;
--
cgit v1.2.3
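Review bot: The `| NFT_CACHE_UPDATE` added in evaluate_cache_add carries no comment explaining why only the index/position path needs it; the reason is given only in the commit message. A short comment above the `if` would keep the invariant next to the code, e.g. `/* index/position are resolved against the cache, so it must follow rules added earlier in this batch */`. Because this tool edits firewall rulesets, a selector resolved against a stale cache could presumably place a rule at a different point in the chain than the one requested, so the invariant is worth stating where a later refactor will see it. The switch and the function body start outside the hunk.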
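Review bot: The `default:` arm of evaluate_cache_flush still does `flags = NFT_CACHE_EMPTY;`, which overwrites everything passed in, including the two flags this commit introduces. If `flags` accumulates across the commands of one batch (the signature suggests so, but the caller is not visible here), flushing another object type after `flush ruleset` or after an indexed rule add would drop NFT_CACHE_FLUSHED and NFT_CACHE_UPDATE, which is the situation the commit message warns about. Consider keeping them, for example `flags &= (NFT_CACHE_FLUSHED | NFT_CACHE_UPDATE);` assuming NFT_CACHE_EMPTY is zero, or add a comment saying why a full reset is safe in this arm. The new `case CMD_OBJ_RULESET:` arm uses `|=` and is fine; the switch itself starts outside the hunk.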