nft: no need for rule lookup if no position specified via -I

Improve (dc3d8a6 xtables: add -I chain rulenum) to avoid a look
up for the rule if no rule number is specified via -I.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index c22e6c5b81e8ffcc78cc9cee761440ef35d83c45..9a857b9e1290bd16e0da139aac23e1589ddadce0 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2162,7 +2162,8 @@ nft_rule_add(struct nft_handle *h, const char *chain,
                ret = 0;
                goto err;
        }
-       nft_rule_attr_set_u64(r, NFT_RULE_ATTR_POSITION, handle);
+       if (handle > 0)
+               nft_rule_attr_set_u64(r, NFT_RULE_ATTR_POSITION, handle);
 
        if (h->commit) {
                nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
@@ -2189,7 +2190,7 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
 {
        struct nft_rule_list *list;
        struct nft_rule *r;
-       uint64_t handle;
+       uint64_t handle = 0;
 
        /* If built-in chains don't exist for this table, create them */
        if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0)
@@ -2197,26 +2198,23 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
 
        nft_fn = nft_rule_insert;
 
-       list = nft_rule_list_create(h);
-       if (list == NULL)
-               goto err;
+       if (rulenum > 0) {
+               list = nft_rule_list_create(h);
+               if (list == NULL)
+                       goto err;
 
-       r = nft_rule_find(list, chain, table, cs, rulenum);
-       if (r == NULL) {
-               errno = ENOENT;
-               goto err;
-       }
+               r = nft_rule_find(list, chain, table, cs, rulenum);
+               if (r == NULL) {
+                       errno = ENOENT;
+                       goto err;
+               }
 
-       handle = nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE);
-       DEBUGP("adding after rule handle %"PRIu64"\n", handle);
+               handle = nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE);
+               DEBUGP("adding after rule handle %"PRIu64"\n", handle);
 
-       if (h->commit) {
-               nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
-                                     NFT_RULE_F_COMMIT);
+               nft_rule_list_destroy(list);
        }
 
-       nft_rule_list_destroy(list);
-
        return nft_rule_add(h, chain, table, cs, handle, verbose);
 err:
        nft_rule_list_destroy(list);