xtables: Speed up chain deletion in large rulesets

Kernel prefers to identify chain by handle if it was given which causes
manual traversal of the chain list. In contrast, chain lookup by name in
kernel makes use of a hash table so is considerably faster. Force this
code path by removing the cached chain's handle when removing it.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index 83d373c95ce9e3c1398966c769e377aeca9164be..2fa973cf0397521b1dab9b5d85fb6408ec11975b 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1670,6 +1670,8 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
                fprintf(stdout, "Deleting chain `%s'\n",
                        nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
 
+       /* XXX This triggers a fast lookup from the kernel. */
+       nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
        ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
        if (ret)
                return -1;