firewall-util: probe firewall backend in fw_ctx_new()
authorYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 23 Mar 2021 05:38:18 +0000 (14:38 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 23 Mar 2021 06:17:34 +0000 (15:17 +0900)
FirewallContext is used by networkd and nspawn. Both allocate the
context only when it is really necessary. Hence, there is no need to delay
probing the backend.

Moreover, if the iptables backend is not enabled at build time and nftables is
not supported by the kernel, previously `fw_nftables_init()` was called
every time we tried to configure masquerading or DNAT. This caused a
significant performance loss.

Fixes test-firewall-util issue in #19052.

src/shared/firewall-util.c

index 65a2250ed31a7e0ce9f58a8d505fe21e1f41a3b5..afa3e02b45463dfac980975f2642c10fab06d5be 100644 (file)
@@ -48,18 +48,12 @@ int fw_ctx_new(FirewallContext **ret) {
         if (!ctx)
                 return -ENOMEM;
 
-        /* could probe here.  However, this means that we will load
-         * iptable_nat or nf_tables, both will enable connection tracking.
-         *
-         * Alternative would be to probe here but only call
-         * fw_ctx_new when nspawn/networkd know they will call
-         * fw_add_masquerade/local_dnat later anyway.
-         */
-
         *ctx = (FirewallContext) {
                 .backend = _FW_BACKEND_INVALID,
         };
 
+        firewall_backend_probe(ctx);
+
         *ret = TAKE_PTR(ctx);
         return 0;
 }
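Review bot: The removed comment's caveat that probing loads iptable_nat or nf_tables and thereby enables connection tracking is dropped without replacement, so the next reader of `fw_ctx_new()` will not know why an eager `firewall_backend_probe(ctx);` is acceptable here. Since the justification lives only in the commit message (callers allocate the context only when they are about to add masquerade/DNAT rules), keep it in the code: `/* Probing loads iptable_nat or nf_tables and enables conntrack; acceptable here because networkd/nspawn only allocate a context when they are about to add masquerade/DNAT rules. */` above the call. The call's result, if it has one, is discarded and `fw_ctx_new()` still returns 0 with `.backend` possibly left at `_FW_BACKEND_INVALID`; presumably the callers' `switch` default handles that, but it is worth a one-line note that a failed probe is reported lazily by the first `fw_add_*()` call rather than here — confirm against `firewall_backend_probe()`, whose definition is outside this hunk.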
@@ -90,8 +84,6 @@ int fw_add_masquerade(
                         return r;
         }
 
-        firewall_backend_probe(*ctx);
-
         switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
         case FW_BACKEND_IPTABLES:
@@ -124,8 +116,6 @@ int fw_add_local_dnat(
                         return r;
         }
 
-        firewall_backend_probe(*ctx);
-
         switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
         case FW_BACKEND_IPTABLES: