From ecd80647d4b862324943ba8ecb40ae988a7e6376 Mon Sep 17 00:00:00 2001

From: Phil Sutter <phil@nwl.cc>

Date: Thu, 20 Dec 2018 16:09:15 +0100

Subject: [PATCH] xtables: Optimize nft_chain_zero_counters()

If a chain name was given, make use of nftnl_chain_list_lookup_byname().

Streamline nft_chain_zero_rule_counters() to be suitable for calling

from nftnl_chain_list_foreach().

There is an unrelated optimization in here, too: Add batch job

NFT_COMPAT_CHAIN_ZERO only if it is a base chain. Since user-defined

chains don't have counters, there is no need to do anything for them.

Signed-off-by: Phil Sutter <phil@nwl.cc>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

(cherry picked from commit a6ce0c65d3a390bfff16e834c18650beedecf40c)

Signed-off-by: Phil Sutter <psutter@redhat.com>

---

 iptables/nft.c | 72 +++++++++++++++++++++++++-------------------------

 1 file changed, 36 insertions(+), 36 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c

index a23acbcc9b100..9951bf3212197 100644

--- a/iptables/nft.c

+++ b/iptables/nft.c

@@ -2939,15 +2939,36 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,

 	return h->config_done;

 }

-static void nft_chain_zero_rule_counters(struct nft_handle *h,

-					 struct nftnl_chain *c)

+struct chain_zero_data {

+	struct nft_handle	*handle;

+	bool			verbose;

+};

+

+static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data)

 {

+	struct chain_zero_data *d = data;

+	struct nft_handle *h = d->handle;

 	struct nftnl_rule_iter *iter;

 	struct nftnl_rule *r;

+	int ret = 0;

+

+	if (d->verbose)

+		fprintf(stdout, "Zeroing chain `%s'\n",

+			nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));

+

+	if (nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM)) {

+		/* zero base chain counters. */

+		nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0);

+		nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0);

+		nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);

+		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);

+		if (ret)

+			return -1;

+	}

 	iter = nftnl_rule_iter_create(c);

 	if (iter == NULL)

-		return;

+		return -1;

 	r = nftnl_rule_iter_next(iter);

 	while (r != NULL) {

@@ -2989,13 +3010,17 @@ static void nft_chain_zero_rule_counters(struct nft_handle *h,

 	}

 	nftnl_rule_iter_destroy(iter);

+	return 0;

 }

 int nft_chain_zero_counters(struct nft_handle *h, const char *chain,

 			    const char *table, bool verbose)

 {

 	struct nftnl_chain_list *list;

-	struct nftnl_chain_list_iter *iter;

+	struct chain_zero_data d = {

+		.handle = h,

+		.verbose = verbose,

+	};

 	struct nftnl_chain *c;

 	int ret = 0;

@@ -3003,41 +3028,16 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,

 	if (list == NULL)

 		goto err;

-	iter = nftnl_chain_list_iter_create(list);

-	if (iter == NULL)

-		goto err;

-

-	c = nftnl_chain_list_iter_next(iter);

-	while (c != NULL) {

-		const char *chain_name =

-			nftnl_chain_get(c, NFTNL_CHAIN_NAME);

-

-		if (chain != NULL && strcmp(chain, chain_name) != 0)

-			goto next;

-

-		if (verbose)

-			fprintf(stdout, "Zeroing chain `%s'\n", chain_name);

-

-		if (nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM)) {

-			/* zero base chain counters. */

-			nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0);

-			nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0);

-		}

-

-		nft_chain_zero_rule_counters(h, c);

-

-		nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);

-

-		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);

+	if (chain) {

+		c = nftnl_chain_list_lookup_byname(list, chain);

+		if (!c)

+			return 0;

-		if (chain != NULL)

-			break;

-next:

-		c = nftnl_chain_list_iter_next(iter);

+		ret = __nft_chain_zero_counters(c, &d);

+		goto err;

 	}

-	nftnl_chain_list_iter_destroy(iter);

-

+	ret = nftnl_chain_list_foreach(list, __nft_chain_zero_counters, &d);

 err:

 	/* the core expects 1 for success and 0 for error */

 	return ret == 0 ? 1 : 0;

-- 

2.20.1