nft: Reduce cache overhead of nft_chain_builtin_init()
authorPhil Sutter <phil@nwl.cc>
Wed, 25 Sep 2019 16:20:24 +0000 (18:20 +0200)
committerPhil Sutter <phil@nwl.cc>
Thu, 17 Oct 2019 17:02:50 +0000 (19:02 +0200)
There is no need for a full chain cache, fetch only the few builtin
chains that might need to be created.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft.c

index 775582aab79558a600d9371a85da3f9997b3c55a..7e019d54ee475d9c0e559c0e7fbd26cb47993578 100644 (file)
@@ -709,15 +709,16 @@ nft_chain_builtin_find(const struct builtin_table *t, const char *chain)
 static void nft_chain_builtin_init(struct nft_handle *h,
                                   const struct builtin_table *table)
 {
-       struct nftnl_chain_list *list = nft_chain_list_get(h, table->name, NULL);
+       struct nftnl_chain_list *list;
        struct nftnl_chain *c;
        int i;
 
-       if (!list)
-               return;
-
        /* Initialize built-in chains if they don't exist yet */
        for (i=0; i < NF_INET_NUMHOOKS && table->chains[i].name != NULL; i++) {
+               list = nft_chain_list_get(h, table->name,
+                                         table->chains[i].name);
+               if (!list)
+                       continue;
 
                c = nftnl_chain_list_lookup_byname(list, table->chains[i].name);
                if (c != NULL)
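Review bot: The added `if (!list) continue;` silently skips a builtin chain whenever nft_chain_list_get() returns NULL, and because nft_chain_builtin_init() returns void the caller cannot distinguish a chain that was initialized from one whose cache fetch failed. The removed code also bailed out silently, but it did so once for the whole table; the failure is now per chain, so a table could presumably end up with only some of its base chains set up, which matters for a firewall front end if a later rule operation then targets the missing chain. I would state the intent above the check, e.g. `/* no cache for this chain: skip it, the remaining builtin chains are still initialized */`, and consider reporting the failure rather than dropping it. As a style point, `list` is now used only inside the loop and could be declared there. The function body continues past the end of this hunk, so the effect on the code after `if (c != NULL)` is not visible here.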