summaryrefslogtreecommitdiffstats
path: root/iptables
diff options
context:
space:
mode:
authorPhil Sutter <phil@nwl.cc>2019-01-15 23:23:03 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2019-01-18 02:42:08 +0100
commit2b801fc515ae094d04207e840ed191196292b968 (patch)
tree2accbec133c0c11430d48dc55125077865b2b206 /iptables
parent41358d474357a39d616302c03cd7f943e19969a2 (diff)
nft: Add new builtin chains to cache immediately
Newly created builtin chains missing from cache was the sole reason for the immediate calls to nft_commit(). With nft_chain_builtin_add() inserting the new chain into the table's chain list, this is not needed anymore. Just make sure batch_obj_del() doesn't free the payload of NFT_COMPAT_CHAIN_ADD jobs since it contains the new chain which has been added to cache. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables')
-rw-r--r--iptables/nft.c30
1 files changed, 9 insertions, 21 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 1ce1ecdd..73a99e5d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -644,6 +644,7 @@ static void nft_chain_builtin_add(struct nft_handle *h,
return;
batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
+ nftnl_chain_list_add_tail(c, h->table[table->type].chain_cache);
}
/* find if built-in table already exists */
@@ -1216,8 +1217,11 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
h->ops->print_rule(r, 0, FMT_PRINT_RULE);
c = nft_chain_find(h, table, chain);
- if (c)
- nftnl_chain_rule_add_tail(r, c);
+ if (!c) {
+ errno = ENOENT;
+ return 0;
+ }
+ nftnl_chain_rule_add_tail(r, c);
return 1;
}
@@ -2280,16 +2284,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
bool found = false;
/* If built-in chains don't exist for this table, create them */
- if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) {
+ if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0)
nft_xt_builtin_init(h, table);
- /* Force table and chain creation, otherwise first iptables -L
- * lists no table/chains.
- */
- if (!list_empty(&h->obj_list)) {
- nft_commit(h);
- flush_chain_cache(h, NULL);
- }
- }
ops = nft_family_ops_lookup(h->family);
@@ -2395,16 +2391,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
int ret = 0;
/* If built-in chains don't exist for this table, create them */
- if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) {
+ if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0)
nft_xt_builtin_init(h, table);
- /* Force table and chain creation, otherwise first iptables -L
- * lists no table/chains.
- */
- if (!list_empty(&h->obj_list)) {
- nft_commit(h);
- flush_chain_cache(h, NULL);
- }
- }
if (!nft_is_table_compatible(h, table)) {
xtables_error(OTHER_PROBLEM, "table `%s' is incompatible, use 'nft' tool.\n", table);
@@ -2523,8 +2511,8 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
break;
case NFT_COMPAT_CHAIN_ZERO:
case NFT_COMPAT_CHAIN_USER_ADD:
- break;
case NFT_COMPAT_CHAIN_ADD:
+ break;
case NFT_COMPAT_CHAIN_USER_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
case NFT_COMPAT_CHAIN_UPDATE: