authorPablo Neira Ayuso <pablo@netfilter.org>2019-07-23 15:03:23 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-07-23 20:47:19 +0200
commit3ab02db5f836ae0cf9fe7fba616d7eb52139d537 (patch)
tree38004431535ef5da7de95a31e2b0783ba2e5d8c8 /src/evaluate.c
parentf4d0f16834f62e7e895f05f2e961d62487327f4b (diff)
cache: add NFT_CACHE_UPDATE and NFT_CACHE_FLUSHED flags
NFT_CACHE_FLUSHED tells cache_update() to skip the netlink dump to populate the cache, since the existing ruleset is going to be flushed by this batch. NFT_CACHE_UPDATE tells rule_evaluate() to perform incremental updates to the cache based on the existing batch, this is required by the rule commands that use the index and the position selectors. This patch removes cache_flush() which is not required anymore. This cache removal is coming too late, in the evaluation phase, after the initial cache_update() invocation. Be careful with NFT_CACHE_UPDATE, this flag needs to be left in place if NFT_CACHE_FLUSHED is set on. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index e7f16ba6..48c65cd2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3394,11 +3394,10 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule,
return -1;
}
- /* add rules to cache only if it is complete enough to contain them */
- if (!cache_is_complete(&ctx->nft->cache, NFT_CACHE_RULE))
- return 0;
+ if (cache_needs_update(&ctx->nft->cache))
+ return rule_cache_update(ctx, op);
- return rule_cache_update(ctx, op);
+ return 0;
}
static uint32_t str2hooknum(uint32_t family, const char *hook)
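Review bot: The new `cache_needs_update()` guard at the end of rule_evaluate() replaces a commented condition with an uncommented one, so the reason the incremental update is conditional is no longer stated at the call site. Per the commit message this update is what lets the `index` and `position` selectors resolve against rules added earlier in the same batch, and a stale cache there would presumably place a rule at the wrong point in the ruleset, so a comment such as `/* NFT_CACHE_UPDATE: track rules added by this batch so index/position selectors resolve correctly */` above the `if` would record that. `cache_needs_update()` is defined outside this hunk, so whether it still returns true when NFT_CACHE_FLUSHED is also set cannot be checked from here and is worth confirming. The start of rule_evaluate() is also outside the hunk.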
@@ -3824,7 +3823,6 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_RULESET:
- cache_flush(ctx->nft, ctx->msgs);
break;
case CMD_OBJ_TABLE:
/* Flushing a table does not empty the sets in the table nor remove