From 0925419844d77e7216067208f270cd1d8279b523 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 12 Dec 2018 20:04:12 +0100
Subject: [PATCH] xtables: Speed up chain deletion in large rulesets
The kernel prefers to identify a chain by handle if one was given, which causes
manual traversal of the chain list. In contrast, chain lookup by name in
kernel makes use of a hash table so is considerably faster. Force this
code path by removing the cached chain's handle when removing it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit a5f517a41d72794fae3d1332e6e0e413a5cd16c1)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index 1ce1ecdd276be..9c0ad9a2d054f 100644
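--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1660,6 +1660,8 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
 fprintf(stdout, "Deleting chain `%s'\n",
 nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
 
+ /* XXX This triggers a fast lookup from the kernel. */
+ nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
 ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
 if (ret)
 return -1;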
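Review bot: The new comment `/* XXX This triggers a fast lookup from the kernel. */` does not say why dropping the handle is faster, so the reasoning lives only in the commit message and the next reader will be tempted to "fix" the missing handle. Suggest replacing it with `/* Unset the handle so the kernel looks the chain up by name (hash table) instead of walking the chain list to match the handle. */`. The unset also mutates the cached chain object `c` in place before the batch entry is queued; if `batch_chain_add` fails on the next line and the cache entry outlives this call, that object has silently lost its handle — presumably harmless because the chain is being deleted, but worth confirming against the cache's error path. `__nft_chain_user_del` starts and ends outside the hunk.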
--
2.20.1