From: Yu Watanabe Date: Tue, 23 Mar 2021 05:38:18 +0000 (+0900) Subject: firewall-util: probe firewall backend in fw_ctx_new() X-Git-Tag: v248-2~23^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dfb433f2a77a04d44aaa64d8364805e36cb25f5a;p=thirdparty%2Fsystemd.git firewall-util: probe firewall backend in fw_ctx_new() FirewallContext is used by networkd and nspawn. Both allocates the context when it is really necessary. Hence, it is not necessary to delay probing backend. Moreover, if iptables backend is not enabled on build, and nftables is not supported by kernel, previously `fw_nftables_init()` is called everytime when we try to configure masquerade or dnat. It causes significant performance loss. Fixes test-firewall-util issue in #19052.
---
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 65a2250ed31..afa3e02b454 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -48,18 +48,12 @@ int fw_ctx_new(FirewallContext **ret) {
         if (!ctx)
                 return -ENOMEM;
 
-        /* could probe here. However, this means that we will load
-         * iptable_nat or nf_tables, both will enable connection tracking.
-         *
-         * Alternative would be to probe here but only call
-         * fw_ctx_new when nspawn/networkd know they will call
-         * fw_add_masquerade/local_dnat later anyway.
-         */
-
         *ctx = (FirewallContext) {
                 .backend = _FW_BACKEND_INVALID,
         };
 
+        firewall_backend_probe(ctx);
+
         *ret = TAKE_PTR(ctx);
         return 0;
 }
@@ -90,8 +84,6 @@ int fw_add_masquerade(
                 return r;
         }
 
-        firewall_backend_probe(*ctx);
-
         switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
         case FW_BACKEND_IPTABLES:
@@ -124,8 +116,6 @@ int fw_add_local_dnat(
                 return r;
         }
 
-        firewall_backend_probe(*ctx);
-
         switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
         case FW_BACKEND_IPTABLES:
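Review bot: The deleted comment was the only place recording that probing loads iptable_nat or nf_tables and thereby enables connection tracking; now that the probe runs inside fw_ctx_new(), that side effect belongs on the function, e.g. `/* Probing loads iptable_nat or nf_tables and enables connection tracking, so only create a context when NAT will actually be configured. */` above the new `firewall_backend_probe(ctx);` call in the first hunk. The probe's outcome is also not examined: if it can leave .backend at _FW_BACKEND_INVALID because neither backend is usable, fw_ctx_new() could report that to the caller (the removed call sites in fw_add_masquerade() and fw_add_local_dnat() suggest the switch on .backend is what rejects it today), so callers fail at context creation instead of on every later NAT call; whether firewall_backend_probe() returns anything is not visible in the hunk. fw_ctx_new() starts outside the hunk, above the first context line.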