From: Phil Sutter <phil@nwl.cc>
Date: Wed, 25 Sep 2019 16:20:24 +0000 (+0200)
Subject: nft: Reduce cache overhead of nft_chain_builtin_init()
X-Git-Tag: v1.8.4~47
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b64c50904ae1ab6366a78e01a272532fac8af8f;p=thirdparty%2Fiptables.git

nft: Reduce cache overhead of nft_chain_builtin_init()

There is no need for a full chain cache, fetch only the few builtin
chains that might need to be created.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/iptables/nft.c b/iptables/nft.c
index 775582aa..7e019d54 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -709,15 +709,16 @@ nft_chain_builtin_find(const struct builtin_table *t, const char *chain)
 static void nft_chain_builtin_init(struct nft_handle *h,
 				   const struct builtin_table *table)
 {
-	struct nftnl_chain_list *list = nft_chain_list_get(h, table->name, NULL);
+	struct nftnl_chain_list *list;
 	struct nftnl_chain *c;
 	int i;
 
-	if (!list)
-		return;
-
 	/* Initialize built-in chains if they don't exist yet */
 	for (i=0; i < NF_INET_NUMHOOKS && table->chains[i].name != NULL; i++) {
+		list = nft_chain_list_get(h, table->name,
+					  table->chains[i].name);
+		if (!list)
+			continue;
 
 		c = nftnl_chain_list_lookup_byname(list, table->chains[i].name);
 		if (c != NULL)