authorPhil Sutter <phil@nwl.cc>2019-10-02 21:13:47 +0200
committerPhil Sutter <phil@nwl.cc>2019-10-17 19:02:46 +0200
commit026109dbece39ad27c43ebc31a17a22e5b581987 (patch)
tree88545600249bdf767776aced847e30359b0b5d29 /iptables/nft.c
parente2883c5531e6ee269845a8a11e09dd07efa2088f (diff)
nft-cache: Support partial rule cache per chain
Accept an additional chain name pointer in __nft_build_cache() and pass it along to fetch only that specific chain and its rules. Enhance nft_build_cache() to take an optional nftnl_chain pointer to fetch rules for. Enhance nft_chain_list_get() to take an optional chain name. If the cache level doesn't include chains already, it fetches only the specified chain from the kernel (if it exists) and adds it to the table's chain list, which is returned. This keeps operations for all chains of a table or for a specific one within the same code path in nft.c. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c35
1 files changed, 17 insertions, 18 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 94fabd78..775582aa 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -709,7 +709,7 @@ nft_chain_builtin_find(const struct builtin_table *t, const char *chain)
static void nft_chain_builtin_init(struct nft_handle *h,
const struct builtin_table *table)
{
- struct nftnl_chain_list *list = nft_chain_list_get(h, table->name);
+ struct nftnl_chain_list *list = nft_chain_list_get(h, table->name, NULL);
struct nftnl_chain *c;
int i;
@@ -1178,7 +1178,7 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
if (h->family == NFPROTO_BRIDGE) {
c = nft_chain_find(h, table, chain);
if (c && !nft_chain_builtin(c))
- nft_build_cache(h);
+ nft_build_cache(h, c);
}
nft_fn = nft_rule_append;
@@ -1405,9 +1405,7 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format)
struct nftnl_chain *c;
int ret = 0;
- nft_build_cache(h);
-
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, NULL);
if (!list)
return 0;
@@ -1417,6 +1415,7 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format)
c = nftnl_chain_list_iter_next(iter);
while (c) {
+ nft_build_cache(h, c);
ret = nft_chain_save_rules(h, c, format);
if (ret != 0)
break;
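Review bot: The `nft_build_cache(h, c)` added at the top of the `while (c)` body replaces the single table-wide `nft_build_cache(h)` removed in the previous hunk with one rule fetch per chain, so a full-table save now appears to cost one netlink dump per chain; whether nft_build_cache() short-circuits once the cache already holds the rules cannot be seen from here. If that trade-off is intended, a comment on the added line such as `/* fetch only this chain's rules; the full rule cache is not needed for a save */` would keep the next reader from re-opening the question. It is also worth confirming that building the cache for `c` cannot modify `list` while `iter` is still walking it. The loop and the rest of nft_rule_save's body continue outside the hunk.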
@@ -1468,7 +1467,7 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
nft_fn = nft_rule_flush;
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (list == NULL) {
ret = 1;
goto err;
@@ -1533,7 +1532,7 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c);
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (list)
nftnl_chain_list_add(c, list);
@@ -1573,7 +1572,7 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table
ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c);
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (list)
nftnl_chain_list_add(c, list);
@@ -1607,7 +1606,7 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
/* This triggers required policy rule deletion. */
if (h->family == NFPROTO_BRIDGE)
- nft_build_cache(h);
+ nft_build_cache(h, c);
/* XXX This triggers a fast lookup from the kernel. */
nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
@@ -1632,7 +1631,7 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
nft_fn = nft_chain_user_del;
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (list == NULL)
return 0;
@@ -1660,7 +1659,7 @@ nft_chain_find(struct nft_handle *h, const char *table, const char *chain)
{
struct nftnl_chain_list *list;
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (list == NULL)
return NULL;
@@ -1890,7 +1889,7 @@ nft_rule_find(struct nft_handle *h, struct nftnl_chain *c, void *data, int rulen
struct nftnl_rule_iter *iter;
bool found = false;
- nft_build_cache(h);
+ nft_build_cache(h, c);
if (rulenum >= 0)
/* Delete by rule number case */
@@ -2198,7 +2197,7 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
if (!nft_is_table_compatible(h, table))
xtables_error(OTHER_PROBLEM, "table `%s' is incompatible, use 'nft' tool.\n", table);
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (!list)
return 0;
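Review bot: The chain-scoped `nft_chain_list_get(h, table, chain)` here runs right after `nft_is_table_compatible(h, table)`, which in the last hunk of this file calls `nft_chain_list_get(h, tablename, NULL)` for the whole table, and `nft_is_chain_compatible` (two hunks earlier, presumably invoked per chain from that check) now calls `nft_build_cache(h, c)`; so on this path the table's chains and likely their rules are already cached and the `chain` argument narrows nothing. The same ordering appears in nft_rule_list_save in the next hunk. If nft_chain_list_get() returns early when the cache level already includes chains this is merely redundant; otherwise the table is dumped twice per listing. A comment such as `/* chains already cached by nft_is_table_compatible(); chain only narrows the lookup */` would record which case applies. Both function bodies continue outside their hunks.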
@@ -2299,7 +2298,7 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
if (!nft_is_table_compatible(h, table))
xtables_error(OTHER_PROBLEM, "table `%s' is incompatible, use 'nft' tool.\n", table);
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (!list)
return 0;
@@ -2717,7 +2716,7 @@ int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
else
return 0;
- nft_build_cache(h);
+ nft_build_cache(h, c);
nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, pval);
return 1;
@@ -2983,7 +2982,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
struct nftnl_chain *c;
int ret = 0;
- list = nft_chain_list_get(h, table);
+ list = nft_chain_list_get(h, table, chain);
if (list == NULL)
goto err;
@@ -3056,7 +3055,7 @@ static int nft_is_chain_compatible(struct nftnl_chain *c, void *data)
enum nf_inet_hooks hook;
int prio;
- nft_build_cache(h);
+ nft_build_cache(h, c);
if (nftnl_rule_foreach(c, nft_is_rule_compatible, NULL))
return -1;
@@ -3089,7 +3088,7 @@ bool nft_is_table_compatible(struct nft_handle *h, const char *tablename)
{
struct nftnl_chain_list *clist;
- clist = nft_chain_list_get(h, tablename);
+ clist = nft_chain_list_get(h, tablename, NULL);
if (clist == NULL)
return false;