nft-cache: Fetch only chains in nft_chain_list_get()

The function is used to return the given table's chains, so fetching
chain cache is enough.

Add calls to nft_build_cache() in places where a rule cache is required.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 04f42e0f8ad352bf6803b9030bb261fc69dfbf07..22468d70fec57e7b4bfc5fcf1eb2942770c39eaf 100644 (file)
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -393,7 +393,7 @@ struct nftnl_chain_list *nft_chain_list_get(struct nft_handle *h,
        if (!t)
                return NULL;
 
-       nft_build_cache(h);
+       __nft_build_cache(h, NFT_CL_CHAINS);
 
        return h->cache->table[t->type].chains;
 }

diff --git a/iptables/nft.c b/iptables/nft.c
index 81de10d8a0892b2618064d88f77709106005754c..94fabd78e527ec1444e8668f504ed104ac0a2744 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1173,6 +1173,14 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
 
        nft_xt_builtin_init(h, table);
 
+       /* Since ebtables user-defined chain policies are implemented as last
+        * rule in nftables, rule cache is required here to treat them right. */
+       if (h->family == NFPROTO_BRIDGE) {
+               c = nft_chain_find(h, table, chain);
+               if (c && !nft_chain_builtin(c))
+                       nft_build_cache(h);
+       }
+
        nft_fn = nft_rule_append;
 
        r = nft_rule_new(h, chain, table, data);
@@ -1397,6 +1405,8 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format)
        struct nftnl_chain *c;
        int ret = 0;
 
+       nft_build_cache(h);
+
        list = nft_chain_list_get(h, table);
        if (!list)
                return 0;
@@ -1595,6 +1605,10 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
                fprintf(stdout, "Deleting chain `%s'\n",
                        nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
 
+       /* This triggers required policy rule deletion. */
+       if (h->family == NFPROTO_BRIDGE)
+               nft_build_cache(h);
+
        /* XXX This triggers a fast lookup from the kernel. */
        nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
        ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
@@ -1876,6 +1890,8 @@ nft_rule_find(struct nft_handle *h, struct nftnl_chain *c, void *data, int rulen
        struct nftnl_rule_iter *iter;
        bool found = false;
 
+       nft_build_cache(h);
+
        if (rulenum >= 0)
                /* Delete by rule number case */
                return nftnl_rule_lookup_byindex(c, rulenum);
@@ -2701,6 +2717,8 @@ int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
        else
                return 0;
 
+       nft_build_cache(h);
+
        nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, pval);
        return 1;
 }
@@ -3038,6 +3056,8 @@ static int nft_is_chain_compatible(struct nftnl_chain *c, void *data)
        enum nf_inet_hooks hook;
        int prio;
 
+       nft_build_cache(h);
+
        if (nftnl_rule_foreach(c, nft_is_rule_compatible, NULL))
                return -1;