nft: cache: Make nft_rebuild_cache() respect fake cache

If transaction needed a refresh in nft_action(), restore with flush
would fetch a full cache instead of merely refreshing table list
contained in "fake" cache.

To fix this, nft_rebuild_cache() must distinguish between fake cache and
full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished
from NFT_CL_RULES.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 6f21f2283e0fbb3471748c29c03538f2cbe154ea..e1b1e89c9e0d3138e685d749d7eb7847c5eb79d0 100644 (file)
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -484,6 +484,7 @@ retry:
                        break;
                /* fall through */
        case NFT_CL_RULES:
+       case NFT_CL_FAKE:
                break;
        }
 
@@ -528,7 +529,7 @@ void nft_fake_cache(struct nft_handle *h)
 
                h->cache->table[type].chains = nftnl_chain_list_alloc();
        }
-       h->cache_level = NFT_CL_RULES;
+       h->cache_level = NFT_CL_FAKE;
        mnl_genid_get(h, &h->nft_genid);
 }
 
@@ -641,8 +642,12 @@ void nft_rebuild_cache(struct nft_handle *h)
        if (h->cache_level)
                __nft_flush_cache(h);
 
-       h->cache_level = NFT_CL_NONE;
-       __nft_build_cache(h, level, NULL, NULL, NULL);
+       if (h->cache_level == NFT_CL_FAKE) {
+               nft_fake_cache(h);
+       } else {
+               h->cache_level = NFT_CL_NONE;
+               __nft_build_cache(h, level, NULL, NULL, NULL);
+       }
 }
 
 void nft_release_cache(struct nft_handle *h)

diff --git a/iptables/nft.h b/iptables/nft.h
index 5cf260a6d2cd35fccf121d5d12b35bd371ce6f0c..2094b0145519485918a14721b44a1baa0e9382cb 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -32,7 +32,8 @@ enum nft_cache_level {
        NFT_CL_TABLES,
        NFT_CL_CHAINS,
        NFT_CL_SETS,
-       NFT_CL_RULES
+       NFT_CL_RULES,
+       NFT_CL_FAKE     /* must be last entry */
 };
 
 struct nft_cache {