|
|
8cce6c |
From adf121e392eeb87eb77df65527a4fc8580e9a84d Mon Sep 17 00:00:00 2001
|
|
|
8cce6c |
From: Phil Sutter <phil@nwl.cc>
|
|
|
8cce6c |
Date: Thu, 20 Dec 2018 16:09:19 +0100
|
|
|
8cce6c |
Subject: [PATCH] xtables: Optimize list rules command with given chain
|
|
|
8cce6c |
|
|
|
8cce6c |
If a chain name was given, make use of nftnl_chain_list_lookup_byname().
|
|
|
8cce6c |
|
|
|
8cce6c |
Likewise in nftnl_rule_list_chain_save(), but introduce
|
|
|
8cce6c |
__nftnl_rule_list_chain_save() suitable for passing to
|
|
|
8cce6c |
nftnl_chain_list_foreach().
|
|
|
8cce6c |
|
|
|
8cce6c |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
8cce6c |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
8cce6c |
(cherry picked from commit 6b1871914e4f3717c7e6324727b80cf1d5d985b1)
|
|
|
8cce6c |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
8cce6c |
---
|
|
|
8cce6c |
iptables/nft.c | 93 +++++++++++++++++++++++---------------------------
|
|
|
8cce6c |
1 file changed, 43 insertions(+), 50 deletions(-)
|
|
|
8cce6c |
|
|
|
8cce6c |
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
|
8cce6c |
index e1c997836cb97..e0455eabda77a 100644
|
|
|
8cce6c |
--- a/iptables/nft.c
|
|
|
8cce6c |
+++ b/iptables/nft.c
|
|
|
8cce6c |
@@ -2339,46 +2339,44 @@ list_save(struct nftnl_rule *r, unsigned int num, unsigned int format)
|
|
|
8cce6c |
nft_rule_print_save(r, NFT_RULE_APPEND, format);
|
|
|
8cce6c |
}
|
|
|
8cce6c |
|
|
|
8cce6c |
+static int __nftnl_rule_list_chain_save(struct nftnl_chain *c, void *data)
|
|
|
8cce6c |
+{
|
|
|
8cce6c |
+ const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
|
|
|
8cce6c |
+ uint32_t policy = nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY);
|
|
|
8cce6c |
+ int *counters = data;
|
|
|
8cce6c |
+
|
|
|
8cce6c |
+ if (!nft_chain_builtin(c)) {
|
|
|
8cce6c |
+ printf("-N %s\n", chain_name);
|
|
|
8cce6c |
+ return 0;
|
|
|
8cce6c |
+ }
|
|
|
8cce6c |
+
|
|
|
8cce6c |
+ /* this is a base chain */
|
|
|
8cce6c |
+
|
|
|
8cce6c |
+ printf("-P %s %s", chain_name, policy_name[policy]);
|
|
|
8cce6c |
+ if (*counters)
|
|
|
8cce6c |
+ printf(" -c %"PRIu64" %"PRIu64,
|
|
|
8cce6c |
+ nftnl_chain_get_u64(c, NFTNL_CHAIN_PACKETS),
|
|
|
8cce6c |
+ nftnl_chain_get_u64(c, NFTNL_CHAIN_BYTES));
|
|
|
8cce6c |
+ printf("\n");
|
|
|
8cce6c |
+ return 0;
|
|
|
8cce6c |
+}
|
|
|
8cce6c |
+
|
|
|
8cce6c |
static int
|
|
|
8cce6c |
nftnl_rule_list_chain_save(struct nft_handle *h, const char *chain,
|
|
|
8cce6c |
struct nftnl_chain_list *list, int counters)
|
|
|
8cce6c |
{
|
|
|
8cce6c |
- struct nftnl_chain_list_iter *iter;
|
|
|
8cce6c |
struct nftnl_chain *c;
|
|
|
8cce6c |
|
|
|
8cce6c |
- iter = nftnl_chain_list_iter_create(list);
|
|
|
8cce6c |
- if (iter == NULL)
|
|
|
8cce6c |
- return 0;
|
|
|
8cce6c |
-
|
|
|
8cce6c |
- c = nftnl_chain_list_iter_next(iter);
|
|
|
8cce6c |
- while (c != NULL) {
|
|
|
8cce6c |
- const char *chain_name =
|
|
|
8cce6c |
- nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
|
|
|
8cce6c |
- uint32_t policy =
|
|
|
8cce6c |
- nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY);
|
|
|
8cce6c |
-
|
|
|
8cce6c |
- if (chain && strcmp(chain, chain_name) != 0)
|
|
|
8cce6c |
- goto next;
|
|
|
8cce6c |
+ if (chain) {
|
|
|
8cce6c |
+ c = nftnl_chain_list_lookup_byname(list, chain);
|
|
|
8cce6c |
+ if (!c)
|
|
|
8cce6c |
+ return 0;
|
|
|
8cce6c |
|
|
|
8cce6c |
- /* this is a base chain */
|
|
|
8cce6c |
- if (nft_chain_builtin(c)) {
|
|
|
8cce6c |
- printf("-P %s %s", chain_name, policy_name[policy]);
|
|
|
8cce6c |
-
|
|
|
8cce6c |
- if (counters) {
|
|
|
8cce6c |
- printf(" -c %"PRIu64" %"PRIu64"\n",
|
|
|
8cce6c |
- nftnl_chain_get_u64(c, NFTNL_CHAIN_PACKETS),
|
|
|
8cce6c |
- nftnl_chain_get_u64(c, NFTNL_CHAIN_BYTES));
|
|
|
8cce6c |
- } else
|
|
|
8cce6c |
- printf("\n");
|
|
|
8cce6c |
- } else {
|
|
|
8cce6c |
- printf("-N %s\n", chain_name);
|
|
|
8cce6c |
- }
|
|
|
8cce6c |
-next:
|
|
|
8cce6c |
- c = nftnl_chain_list_iter_next(iter);
|
|
|
8cce6c |
+ __nftnl_rule_list_chain_save(c, &counters);
|
|
|
8cce6c |
+ return 1;
|
|
|
8cce6c |
}
|
|
|
8cce6c |
|
|
|
8cce6c |
- nftnl_chain_list_iter_destroy(iter);
|
|
|
8cce6c |
-
|
|
|
8cce6c |
+ nftnl_chain_list_foreach(list, __nftnl_rule_list_chain_save, &counters);
|
|
|
8cce6c |
return 1;
|
|
|
8cce6c |
}
|
|
|
8cce6c |
|
|
|
8cce6c |
@@ -2410,41 +2408,36 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
|
|
|
8cce6c |
|
|
|
8cce6c |
list = nft_chain_list_get(h, table);
|
|
|
8cce6c |
if (!list)
|
|
|
8cce6c |
- goto err;
|
|
|
8cce6c |
+ return 0;
|
|
|
8cce6c |
|
|
|
8cce6c |
/* Dump policies and custom chains first */
|
|
|
8cce6c |
if (!rulenum)
|
|
|
8cce6c |
nftnl_rule_list_chain_save(h, chain, list, counters);
|
|
|
8cce6c |
|
|
|
8cce6c |
- /* Now dump out rules in this table */
|
|
|
8cce6c |
- iter = nftnl_chain_list_iter_create(list);
|
|
|
8cce6c |
- if (iter == NULL)
|
|
|
8cce6c |
- goto err;
|
|
|
8cce6c |
-
|
|
|
8cce6c |
if (counters < 0)
|
|
|
8cce6c |
format = FMT_C_COUNTS;
|
|
|
8cce6c |
else if (counters == 0)
|
|
|
8cce6c |
format = FMT_NOCOUNTS;
|
|
|
8cce6c |
|
|
|
8cce6c |
- c = nftnl_chain_list_iter_next(iter);
|
|
|
8cce6c |
- while (c != NULL) {
|
|
|
8cce6c |
- const char *chain_name =
|
|
|
8cce6c |
- nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
|
|
|
8cce6c |
+ if (chain) {
|
|
|
8cce6c |
+ c = nftnl_chain_list_lookup_byname(list, chain);
|
|
|
8cce6c |
+ if (!c)
|
|
|
8cce6c |
+ return 0;
|
|
|
8cce6c |
|
|
|
8cce6c |
- if (chain && strcmp(chain, chain_name) != 0)
|
|
|
8cce6c |
- goto next;
|
|
|
8cce6c |
+ return __nft_rule_list(h, c, rulenum, format, list_save);
|
|
|
8cce6c |
+ }
|
|
|
8cce6c |
|
|
|
8cce6c |
- ret = __nft_rule_list(h, c, rulenum, format, list_save);
|
|
|
8cce6c |
+ /* Now dump out rules in this table */
|
|
|
8cce6c |
+ iter = nftnl_chain_list_iter_create(list);
|
|
|
8cce6c |
+ if (iter == NULL)
|
|
|
8cce6c |
+ return 0;
|
|
|
8cce6c |
|
|
|
8cce6c |
- /* we printed the chain we wanted, stop processing. */
|
|
|
8cce6c |
- if (chain)
|
|
|
8cce6c |
- break;
|
|
|
8cce6c |
-next:
|
|
|
8cce6c |
+ c = nftnl_chain_list_iter_next(iter);
|
|
|
8cce6c |
+ while (c != NULL) {
|
|
|
8cce6c |
+ ret = __nft_rule_list(h, c, rulenum, format, list_save);
|
|
|
8cce6c |
c = nftnl_chain_list_iter_next(iter);
|
|
|
8cce6c |
}
|
|
|
8cce6c |
-
|
|
|
8cce6c |
nftnl_chain_list_iter_destroy(iter);
|
|
|
8cce6c |
-err:
|
|
|
8cce6c |
return ret;
|
|
|
8cce6c |
}
|
|
|
8cce6c |
|
|
|
8cce6c |
--
|
|
|
8cce6c |
2.20.1
|
|
|
8cce6c |
|