From 40ad7793d1884f28767cf58c96e9d76ae0a18db1 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sat, 29 Feb 2020 02:08:26 +0100
Subject: nft: cache: Make nft_rebuild_cache() respect fake cache

If transaction needed a refresh in nft_action(), restore with flush would fetch a full cache instead of merely refreshing table list contained in "fake" cache.

To fix this, nft_rebuild_cache() must distinguish between fake cache and full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished from NFT_CL_RULES.

Signed-off-by: Phil Sutter
---
 iptables/nft-cache.c | 11 ++++++++---
 iptables/nft.h | 3 ++-
 2 files changed, 10 insertions(+), 4 deletions(-)
(limited to 'iptables')

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 6f21f228..e1b1e89c 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -484,6 +484,7 @@ retry:
 break;
 /* fall through */
 case NFT_CL_RULES:
+ case NFT_CL_FAKE:
 break;
 }
 
@@ -528,7 +529,7 @@ void nft_fake_cache(struct nft_handle *h)
 h->cache->table[type].chains = nftnl_chain_list_alloc();
 }
 
- h->cache_level = NFT_CL_RULES;
+ h->cache_level = NFT_CL_FAKE;
 mnl_genid_get(h, &h->nft_genid);
 }
 
@@ -641,8 +642,12 @@ void nft_rebuild_cache(struct nft_handle *h)
 if (h->cache_level)
 __nft_flush_cache(h);
 
- h->cache_level = NFT_CL_NONE;
- __nft_build_cache(h, level, NULL, NULL, NULL);
+ if (h->cache_level == NFT_CL_FAKE) {
+ nft_fake_cache(h);
+ } else {
+ h->cache_level = NFT_CL_NONE;
+ __nft_build_cache(h, level, NULL, NULL, NULL);
+ }
 }
 
 void nft_release_cache(struct nft_handle *h)
diff --git a/iptables/nft.h b/iptables/nft.h
index 5cf260a6..2094b014 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -32,7 +32,8 @@ enum nft_cache_level {
 NFT_CL_TABLES,
 NFT_CL_CHAINS,
 NFT_CL_SETS,
- NFT_CL_RULES
+ NFT_CL_RULES,
+ NFT_CL_FAKE /* must be last entry */
 };
 
 struct nft_cache {
-- 
cgit v1.2.3
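Review bot: The new test `if (h->cache_level == NFT_CL_FAKE)` in nft_rebuild_cache() is evaluated after `__nft_flush_cache(h)` has already run, so the fake-cache path silently depends on that helper leaving `h->cache_level` untouched; if `level` is the cache level captured at function entry (its declaration lies outside the hunk), comparing `level == NFT_CL_FAKE` instead would decouple the branch from the flush helper's side effects. Whichever form is kept, the dependency deserves a one-line comment at the branch, e.g. `/* a fake cache is rebuilt as fake (table list only), never promoted to a full rule cache */`. The fake branch also discards `level` and refetches only the table list plus empty chain lists via nft_fake_cache(), which matches the commit message but is worth stating where the two paths diverge. nft_rebuild_cache()'s body begins outside the hunk.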
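Review bot: The `/* must be last entry */` comment on `NFT_CL_FAKE` in nft.h states a constraint without its reason, so a maintainer reordering the enum would not know what breaks. The `switch (h->cache_level)` fall-through chain in nft-cache.c shows the levels are treated as an ordered depth, and presumably the fake cache is placed above NFT_CL_RULES so that it is never considered "too shallow" for any requested level; that intent is not visible in this hunk and should be confirmed before documenting it. Suggest `/* must be last: compares as deeper than NFT_CL_RULES so a fake cache satisfies every level request */`, adjusted to whatever comparison the cache code actually performs.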