From 96b7b6eb3c963dc835a3f132f037050d032aaa77 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 20 Dec 2018 16:09:14 +0100
Subject: [PATCH] xtables: Optimize flushing a specific chain
|
If a chain name is given to nft_rule_flush(), make use of
nftnl_chain_list_lookup_byname().
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 196841c9597eff536b59655b60df088ee1929904)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 30 +++++++++++++++++-------------
1 file changed, 17 insertions(+), 13 deletions(-)
|
diff --git a/iptables/nft.c b/iptables/nft.c
index 883fb3db2c671..a23acbcc9b100 100644
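--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1496,10 +1496,14 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format)
 }
 
 static void
-__nft_rule_flush(struct nft_handle *h, const char *table, const char *chain)
+__nft_rule_flush(struct nft_handle *h, const char *table,
+ const char *chain, bool verbose)
 {
 struct nftnl_rule *r;
 
+ if (verbose)
+ fprintf(stdout, "Flushing chain `%s'\n", chain);
+
 r = nftnl_rule_alloc();
 if (r == NULL)
 return;
@@ -1533,7 +1537,7 @@ static int __nft_chain_user_flush(struct nftnl_chain *c, void *data)
 return 0;
 
 if (!nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM))
- __nft_rule_flush(h, table, chain);
+ __nft_rule_flush(h, table, chain, false);
 
 return 0;
 }
@@ -1573,6 +1577,16 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
 goto err;
 }
 
+ if (chain) {
+ c = nftnl_chain_list_lookup_byname(list, chain);
+ if (!c)
+ return 0;
+
+ __nft_rule_flush(h, table, chain, verbose);
+ flush_rule_cache(c);
+ return 1;
+ }
+
 iter = nftnl_chain_list_iter_create(list);
 if (iter == NULL) {
 ret = 1;
@@ -1584,18 +1598,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
 const char *chain_name =
 nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
 
- if (chain != NULL && strcmp(chain, chain_name) != 0)
- goto next;
-
- if (verbose)
- fprintf(stdout, "Flushing chain `%s'\n", chain_name);
-
- __nft_rule_flush(h, table, chain_name);
+ __nft_rule_flush(h, table, chain_name, verbose);
 flush_rule_cache(c);
-
- if (chain != NULL)
- break;
-next:
 c = nftnl_chain_list_iter_next(iter);
 }
 nftnl_chain_list_iter_destroy(iter);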
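Review bot: The new `if (chain)` block in nft_rule_flush() exits through bare `return 0;` and `return 1;`, while the failure paths on either side of it use `ret = 1; goto err;`, so two return conventions with opposite-looking values now sit next to each other and anything done under `err` is bypassed. The `err` label and the final return lie outside the hunk, so this is inferred; if the label only translates `ret` into the caller's convention, a comment such as `/* chain not found: report failure (caller expects 1 = success, 0 = error) */` above `return 0;` would make the intent explicit. The lookup miss is also a behaviour change: the removed loop skipped non-matching names and finished without flagging anything, whereas a missing chain now returns at once and no `errno` is set in the visible lines. It is worth confirming that the caller reports a meaningful error for that case, since scripts that check the exit status of a firewall flush will now see a different result.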
--
2.20.1