git.ipfire.org Git - thirdparty/iptables.git/commit
nft: cache: Optimize caching for flush command
author     Phil Sutter <phil@nwl.cc>
           Mon, 27 Apr 2020 10:08:59 +0000 (12:08 +0200)
committer  Phil Sutter <phil@nwl.cc>
           Mon, 11 May 2020 12:28:29 +0000 (14:28 +0200)
commit     ea8bb5100a69d1fd39cf737e3bf3acd6631a10f3
tree       05eb1696f028d446f498635c24d8c7a21e24b810
parent     f806ee67b5178342d18c8cd3e9201190d8a82c41
nft: cache: Optimize caching for flush command

When flushing all chains and verbose mode is not enabled,
nft_rule_flush() uses a shortcut: It doesn't specify a chain name for
NFT_MSG_DELRULE, so the kernel will flush all existing chains without
user space needing to know which they are.

The above allows avoiding a chain cache, but there's a caveat:
nft_xt_builtin_init() will create base chains as it assumes they are
missing and thereby possibly overrides any non-default chain policies.

Solve this by making nft_xt_builtin_init() cache-aware: If a command
doesn't need a chain cache, there's no need to bother with creating any
non-existing builtin chains, either. For the sake of completeness, also
do nothing if the cache is not initialized (although that shouldn't happen).

Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-cmd.c
iptables/nft.c
iptables/tests/shell/testcases/nft-only/0006-policy-override_0 [new file with mode: 0755]
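An added regression check for the behaviour the commit message describes (this is not the test file from the iptables tree): it sets a non-default policy on a builtin chain, runs the chain-less flush that used to recreate the chain with the default policy, and verifies the policy survived. It assumes root, iproute2's `ip netns`, and an `iptables` binary (override with `IPT=iptables-nft`); the namespace name is a constructed throwaway so the host ruleset is never touched.

```shell
#!/bin/sh
# Checks that `iptables -F` (all chains, no -v) does not reset a builtin
# chain's policy on iptables-nft. Everything runs inside a throwaway network
# namespace, so the host's rules and policies are not modified.
# Assumptions: root, ip(8) from iproute2, and an iptables binary in $IPT.
IPT="${IPT:-iptables}"

# Returns 0 if the policy survives the flush, 1 if the flush reset it
# (the policy-override problem), 2 if the check cannot run here.
check_policy_survives_flush() {
    ns="ipt-policy-check-$$"    # constructed namespace name
    if [ "$(id -u)" != 0 ] || ! command -v ip >/dev/null 2>&1 \
       || ! command -v "$IPT" >/dev/null 2>&1; then
        return 2
    fi
    ip netns add "$ns" 2>/dev/null || return 2
    rc=1
    # Non-default policy, then the shortcut flush, then re-read the policy.
    if ip netns exec "$ns" "$IPT" -P FORWARD DROP \
       && ip netns exec "$ns" "$IPT" -F \
       && ip netns exec "$ns" "$IPT" -S FORWARD | grep -q '^-P FORWARD DROP$'; then
        rc=0
    fi
    ip netns del "$ns"
    return "$rc"
}

rc=0
check_policy_survives_flush || rc=$?
case "$rc" in
    0) echo "OK: FORWARD policy preserved across flush" ;;
    1) echo "FAIL: FORWARD policy reset by flush (policy override)" ;;
    *) echo "SKIP: needs root, ip(8) and $IPT" ;;
esac
```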