cache: relax requirement for replace rule command
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 29 Aug 2024 10:42:14 +0000 (12:42 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 23 Jan 2025 00:35:37 +0000 (01:35 +0100)
commit 4984da8cc427974ea63796fa60a791b714a71440 upstream.

No need for full cache, this command relies on the rule handle which is
not validated from userspace. Cache requirements are similar to those
of add/create/delete rule commands.

This speeds up incremental updates with large rulesets.

Extend tests/coverage for rule replacement.

Fixes: 01e5c6f0ed03 ("src: add cache level flags")
Tested-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/cache.c

index 207ed514cb3103e9175f58dcf55e20d910c3e3ea..d3d6e834bc171d8e2b1faa17a744f1f0c02599fc 100644 (file)
@@ -386,8 +386,8 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
                case CMD_CREATE:
                        flags = evaluate_cache_add(cmd, flags);
                        break;
-               case CMD_REPLACE:
-                       flags = NFT_CACHE_FULL;
+               case CMD_REPLACE:       /* only for rule */
+                       flags = NFT_CACHE_TABLE | NFT_CACHE_SET;
                        break;
                case CMD_DELETE:
                        flags = evaluate_cache_del(cmd, flags);
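Review bot: The plain assignment `flags = NFT_CACHE_TABLE | NFT_CACHE_SET;` in the CMD_REPLACE case overwrites whatever the loop has already collected for earlier commands in the same batch, whereas the neighbouring CMD_ADD/CMD_CREATE and CMD_DELETE cases thread `flags` through evaluate_cache_add()/evaluate_cache_del() and so appear to accumulate. With the old value NFT_CACHE_FULL the overwrite was harmless because it was a superset; with the narrowed value, a batch such as "add chain; replace rule" could end up evaluated with a smaller cache than the first command requested, unless the caller never mixes commands this way (I cannot see the loop head or evaluate_cache_add(), so this is inferred). Mirroring the sibling cases with `flags |= NFT_CACHE_TABLE | NFT_CACHE_SET;` would keep the speed-up without dropping earlier requirements. The `/* only for rule */` remark is not enforced here; if CMD_REPLACE can only reach this switch for rules, a comment naming where that is guaranteed (e.g. the parser) would help the next reader, otherwise a check on the command's object type belongs next to it. The enclosing nft_cache_evaluate() starts and ends outside the hunk.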