From: Pablo Neira Ayuso Date: Thu, 29 Aug 2024 10:42:14 +0000 (+0200) Subject: cache: relax requirement for replace rule command X-Git-Tag: v1.0.6.1~167 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b3c2df6432592fabe793cad5119cb590f370f717;p=thirdparty%2Fnftables.git cache: relax requirement for replace rule command commit 4984da8cc427974ea63796fa60a791b714a71440 upstream. No need for full cache, this command relies on the rule handle which is not validated from userspace. Cache requirements are similar to those of add/create/delete rule commands. This speeds up incremental updates with large rulesets. Extend tests/coverage for rule replacement. Fixes: 01e5c6f0ed03 ("src: add cache level flags") Tested-by: Eric Garver Signed-off-by: Pablo Neira Ayuso --- diff --git a/src/cache.c b/src/cache.c index 207ed514..d3d6e834 100644 --- a/src/cache.c +++ b/src/cache.c @@ -386,8 +386,8 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds, case CMD_CREATE: flags = evaluate_cache_add(cmd, flags); break; - case CMD_REPLACE: - flags = NFT_CACHE_FULL; + case CMD_REPLACE: /* only for rule */ + flags = NFT_CACHE_TABLE | NFT_CACHE_SET; break; case CMD_DELETE: flags = evaluate_cache_del(cmd, flags);
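Review bot: in the `CMD_REPLACE` case of `nft_cache_evaluate()`, the new line `flags = NFT_CACHE_TABLE | NFT_CACHE_SET;` assigns instead of accumulating. The neighbouring `CMD_CREATE` and `CMD_DELETE` cases pass the current `flags` into `evaluate_cache_add(cmd, flags)` and `evaluate_cache_del(cmd, flags)`. With the old `NFT_CACHE_FULL` value the plain assignment could not lower the requirement. With the relaxed value, a replace command that follows a command needing more cache in the same `cmds` list would discard the bits already set, unless they are restored outside the visible context. Consider `flags |= NFT_CACHE_TABLE | NFT_CACHE_SET;` here. The comment `/* only for rule */` is also not enforced by anything in this hunk. If `CMD_REPLACE` can arrive with a different object type, a check on the command's object before relaxing the flags would make that assumption explicit.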