authorPhil Sutter <>2019-08-28 12:33:55 +0200
committerPhil Sutter <>2019-10-17 19:03:00 +0200
commitc41b98babd55f35834e5fea599a914d69d60a9bd (patch)
tree9ae60a41765df0d07b7863e98ef121ea5bef0ded /iptables/nft-cache.h
parent48a21d5c7af074bd502a4f6fa7d8a46cfa719732 (diff)
nft: Optimize flushing all chains of a table
Leverage nftables' support for flushing all chains of a table by omitting NFTNL_RULE_CHAIN attribute in NFT_MSG_DELRULE payload. The only caveat is with verbose output, as that still requires to have a list of (existing) chains to iterate over. Apart from that, implementing this shortcut is pretty straightforward: Don't retrieve a chain list and just call __nft_rule_flush() directly which doesn't set above attribute if chain name pointer is NULL. A bigger deal is keeping rule cache consistent: Instead of just clearing rule list for each flushed chain, flush_rule_cache() is updated to iterate over all cached chains of the given table, clearing their rule lists if not called for a specific chain. While being at it, sort local variable declarations in nft_rule_flush() from longest to shortest and drop the loop-local 'chain_name' variable (but instead use 'chain' function parameter which is not used at that point). Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/nft-cache.h')
1 files changed, 2 insertions, 1 deletions
diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
index 793a85f4..cb7a7688 100644
--- a/iptables/nft-cache.h
+++ b/iptables/nft-cache.h
@@ -8,7 +8,8 @@ void nft_build_cache(struct nft_handle *h, struct nftnl_chain *c);
void nft_rebuild_cache(struct nft_handle *h);
void nft_release_cache(struct nft_handle *h);
void flush_chain_cache(struct nft_handle *h, const char *tablename);
-void flush_rule_cache(struct nftnl_chain *c);
+int flush_rule_cache(struct nft_handle *h, const char *table,
+ struct nftnl_chain *c);
struct nftnl_chain_list *
nft_chain_list_get(struct nft_handle *h, const char *table, const char *chain);
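Review bot: The new prototype of flush_rule_cache() on the `+` lines changes both the return type and the parameter list, but the header says nothing about what the int return means or about the NULL-chain mode the description introduces, so a caller reading only this header cannot tell whether a non-zero result is an error or whether `table` is still required when `c` is given. A short comment above the declaration would settle this, e.g. `/* Clear the cached rules of chain c, or of every cached chain in table when c is NULL; returns 0 on success (verify against nft-cache.c) */`. The flags-style inconsistency is also worth a look: the line above names the same argument `tablename` in flush_chain_cache() while the new declaration uses `table`; picking one spelling keeps the header consistent. The continuation line `+ struct nftnl_chain *c);` appears to have lost its alignment indentation, which may just be how this page renders the tab.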