authorPhil Sutter <phil@nwl.cc>2018-12-20 16:09:20 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-12-27 20:46:27 +0100
commit039b04896521026d1cb52d60dbacb6ee5226c02d (patch)
treed81b9f729c4a9da616d12b4270a5f4ba97079af3
parent6b1871914e4f3717c7e6324727b80cf1d5d985b1 (diff)
nft: Make use of nftnl_rule_lookup_byindex()
Use the function where suitable to potentially speed up rule cache lookup by rule number. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--iptables/nft.c31
1 files changed, 18 insertions, 13 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index e0455eab..1fd3837f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1976,27 +1976,21 @@ nft_rule_find(struct nft_handle *h, struct nftnl_chain *c, void *data, int rulen
{
struct nftnl_rule *r;
struct nftnl_rule_iter *iter;
- int rule_ctr = 0;
bool found = false;
+ if (rulenum >= 0)
+ /* Delete by rule number case */
+ return nftnl_rule_lookup_byindex(c, rulenum);
+
iter = nftnl_rule_iter_create(c);
if (iter == NULL)
return 0;
r = nftnl_rule_iter_next(iter);
while (r != NULL) {
- if (rulenum >= 0) {
- /* Delete by rule number case */
- if (rule_ctr == rulenum) {
- found = true;
- break;
- }
- } else {
- found = h->ops->rule_find(h->ops, r, data);
- if (found)
- break;
- }
- rule_ctr++;
+ found = h->ops->rule_find(h->ops, r, data);
+ if (found)
+ break;
r = nftnl_rule_iter_next(iter);
}
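Review bot: The new early return in nft_rule_find() is an unbraced `if` whose body is a comment line followed by the statement, which is easy to break when a second statement is added later; bracing it would be safer. The comment `/* Delete by rule number case */` was carried over from the old loop, but the lookup itself is not delete-specific, so I would write `/* Lookup by rule number: rulenum is a 0-based index, negative means match by content */` (the negative case is inferred from the `rulenum >= 0` test). This matters because __nft_rule_list() in the next hunk passes `rulenum - 1` to the same helper, and confusing the two conventions would make a caller act on the wrong firewall rule. The function's signature and tail lie outside the hunk.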
@@ -2202,6 +2196,17 @@ __nft_rule_list(struct nft_handle *h, struct nftnl_chain *c,
struct nftnl_rule *r;
int rule_ctr = 0;
+ if (rulenum > 0) {
+ r = nftnl_rule_lookup_byindex(c, rulenum - 1);
+ if (!r)
+ /* iptables-legacy returns 0 when listing for
+ * valid chain but invalid rule number
+ */
+ return 1;
+ cb(r, rulenum, format);
+ return 1;
+ }
+
iter = nftnl_rule_iter_create(c);
if (iter == NULL)
return 0;
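Review bot: The comment inside `if (!r)` says iptables-legacy "returns 0" while the statement under it is `return 1;`, which reads as a contradiction. Presumably the 0 is the process exit status and 1 is this function's success value; if so the comment should say that, e.g. `/* iptables-legacy exits with status 0 when listing a valid chain with an invalid rule number, so report success */`. The two `return 1;` paths can also be merged into `if (r) cb(r, rulenum, format);` followed by a single `return 1;`, which removes the unbraced comment-plus-statement body. Because an out-of-range rule number appears to succeed with no output, callers that check whether a rule is present cannot rely on the return value alone. The body of __nft_rule_list() continues outside the hunk.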