From c58ecf9f8bcb7619a27ef8ffaddf847a562475a5 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 15 Nov 2018 14:53:02 +0100 Subject: xtables: Introduce per table chain caches Being able to omit the previously obligatory table name check when iterating over the chain cache might help restore performance with large rulesets in xtables-save and -restore. There is one subtle quirk in the code: flush_chain_cache() did free the global chain cache if not called with a table name but didn't if a table name was given even if it emptied the chain cache. In other places, chain_cache being non-NULL prevented a cache update from happening, so this patch establishes the same behaviour (for each individual chain cache) since otherwise unexpected cache updates lead to weird problems. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- iptables/nft-shared.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'iptables/nft-shared.h') diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index e3ecdb4d..9a61d8d2 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -251,7 +251,8 @@ struct nftnl_chain_list; struct nft_xt_restore_cb { void (*table_new)(struct nft_handle *h, const char *table); - struct nftnl_chain_list *(*chain_list)(struct nft_handle *h); + struct nftnl_chain_list *(*chain_list)(struct nft_handle *h, + const char *table); void (*chain_del)(struct nftnl_chain_list *clist, const char *curtable, const char *chain); int (*chain_user_flush)(struct nft_handle *h, -- cgit v1.2.3
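Review bot: the new `const char *table` parameter added to the `chain_list` callback in `struct nft_xt_restore_cb` is undocumented, and the commit message itself says a missing table name has a distinct meaning elsewhere (flush_chain_cache() freeing the global cache only when called without one), so a one-line comment on the struct member stating whether `table` may be NULL and what that selects would keep implementers of the callback consistent with the per-table cache semantics this series introduces. Also, this view is limited to iptables/nft-shared.h, so the matching updates to every function assigned to `chain_list` and to every call site are not visible here; confirm they are in the same commit, since changing a function-pointer type without updating its implementations fails at compile time and would break bisecting.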