nft-cache: Cover for multiple fetcher invocation

Preparing for partial caches, it is necessary to make sure these
functions don't cause harm if called repeatedly.

* Use h->cache->tables pointer as indicator for existing table cache,
  return immediately from fetch_table_cache() if non-NULL.

* Initialize table's chain list only if non-NULL.

* Search for chain in table's chain list before adding it.

* Don't fetch rules for a chain if it has any rules already. With rule
  list being embedded in struct nftnl_chain, this is the best way left
  to check if rules have been fetched already or not. It will fail for
  empty chains, but causes no harm in that case, either.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 22468d70fec57e7b4bfc5fcf1eb2942770c39eaf..afb2126b51495c6b4016b67afb6ce989cdb2e7fb 100644 (file)
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -86,6 +86,9 @@ static int fetch_table_cache(struct nft_handle *h)
        struct nftnl_table_list *list;
        int ret;
 
+       if (h->cache->tables)
+               return 0;
+
        list = nftnl_table_list_alloc();
        if (list == NULL)
                return 0;
@@ -106,7 +109,9 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
 {
        struct nft_handle *h = data;
        const struct builtin_table *t;
+       struct nftnl_chain_list *list;
        struct nftnl_chain *c;
+       const char *cname;
 
        c = nftnl_chain_alloc();
        if (c == NULL)
@@ -120,7 +125,13 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
        if (!t)
                goto out;
 
-       nftnl_chain_list_add_tail(c, h->cache->table[t->type].chains);
+       list = h->cache->table[t->type].chains;
+       cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
+
+       if (nftnl_chain_list_lookup_byname(list, cname))
+               goto out;
+
+       nftnl_chain_list_add_tail(c, list);
 
        return MNL_CB_OK;
 out:
@@ -141,6 +152,9 @@ static int fetch_chain_cache(struct nft_handle *h)
                if (!h->tables[i].name)
                        continue;
 
+               if (h->cache->table[type].chains)
+                       continue;
+
                h->cache->table[type].chains = nftnl_chain_list_alloc();
                if (!h->cache->table[type].chains)
                        return -1;
@@ -182,6 +196,9 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data)
        struct nftnl_rule *rule;
        int ret;
 
+       if (nftnl_rule_lookup_byindex(c, 0))
+               return 0;
+
        rule = nftnl_rule_alloc();
        if (!rule)
                return -1;