nft: Initialize a table only once

This helps to remove some runtime overhead, especially when running
xtables-restore.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index 501c6d861cb17196003294d9e6f6d33486da9586..49322bdd03df045915f4a25c0ec294af6f9b0adf 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -436,6 +436,9 @@ nft_table_builtin_add(struct nft_handle *h, struct builtin_table *_t,
        struct nft_table *t;
        int ret;
 
+       if (_t->initialized)
+               return 0;
+
        t = nft_table_alloc();
        if (t == NULL)
                return -1;
@@ -464,6 +467,10 @@ nft_table_builtin_add(struct nft_handle *h, struct builtin_table *_t,
                if (errno != EEXIST)
                        perror("mnl-talk:nft_table_init_one");
        }
+
+       if (ret == 0 || errno == EEXIST)
+               _t->initialized = true;
+
        return ret;
 }
 
@@ -2414,6 +2421,9 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,
        uint32_t table_family, chain_family;
        bool found = false;
 
+       if (h->restore)
+               return 0;
+
        if (xtables_config_parse(filename, table_list, chain_list) < 0) {
                if (errno == ENOENT) {
                        xtables_config_perror(flags,

diff --git a/iptables/nft.h b/iptables/nft.h
index 3b58d5146ee779a66843a842548d91f1754c4647..c31371c03c322b7993d80ba3cf7290b3a7f9bfa2 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -22,6 +22,7 @@ struct builtin_chain {
 struct builtin_table {
        const char *name;
        struct builtin_chain chains[NF_INET_NUMHOOKS];
+       bool initialized;
 };
 
 struct nft_handle {