Blame SOURCES/0028-xtables-Optimize-list-rules-command-with-given-chain.patch

From 23ef58d88034cdd5c972b9392944a772cccd61f9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 20 Dec 2018 16:09:19 +0100
Subject: [PATCH] xtables: Optimize list rules command with given chain
If a chain name was given, make use of nftnl_chain_list_lookup_byname().
Likewise in nftnl_rule_list_chain_save(), but introduce
__nftnl_rule_list_chain_save() suitable for passing to
nftnl_chain_list_foreach().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6b1871914e4f3717c7e6324727b80cf1d5d985b1)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
 iptables/nft.c | 93 +++++++++++++++++++++++---------------------------
 1 file changed, 43 insertions(+), 50 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
8cce6c
index e1c997836cb97..e0455eabda77a 100644
8cce6c
--- a/iptables/nft.c
8cce6c
+++ b/iptables/nft.c
8cce6c
@@ -2339,46 +2339,44 @@ list_save(struct nftnl_rule *r, unsigned int num, unsigned int format)
8cce6c
 	nft_rule_print_save(r, NFT_RULE_APPEND, format);
8cce6c
 }
8cce6c
 
8cce6c
+static int __nftnl_rule_list_chain_save(struct nftnl_chain *c, void *data)
8cce6c
+{
8cce6c
+	const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
8cce6c
+	uint32_t policy = nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY);
8cce6c
+	int *counters = data;
8cce6c
+
8cce6c
+	if (!nft_chain_builtin(c)) {
8cce6c
+		printf("-N %s\n", chain_name);
8cce6c
+		return 0;
8cce6c
+	}
8cce6c
+
8cce6c
+	/* this is a base chain */
8cce6c
+
8cce6c
+	printf("-P %s %s", chain_name, policy_name[policy]);
8cce6c
+	if (*counters)
8cce6c
+		printf(" -c %"PRIu64" %"PRIu64,
8cce6c
+		       nftnl_chain_get_u64(c, NFTNL_CHAIN_PACKETS),
8cce6c
+		       nftnl_chain_get_u64(c, NFTNL_CHAIN_BYTES));
8cce6c
+	printf("\n");
8cce6c
+	return 0;
8cce6c
+}
8cce6c
+
8cce6c
 static int
8cce6c
 nftnl_rule_list_chain_save(struct nft_handle *h, const char *chain,
8cce6c
 			   struct nftnl_chain_list *list, int counters)
8cce6c
 {
8cce6c
-	struct nftnl_chain_list_iter *iter;
8cce6c
 	struct nftnl_chain *c;
8cce6c
 
8cce6c
-	iter = nftnl_chain_list_iter_create(list);
8cce6c
-	if (iter == NULL)
8cce6c
-		return 0;
8cce6c
-
8cce6c
-	c = nftnl_chain_list_iter_next(iter);
8cce6c
-	while (c != NULL) {
8cce6c
-		const char *chain_name =
8cce6c
-			nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
8cce6c
-		uint32_t policy =
8cce6c
-			nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY);
8cce6c
-
8cce6c
-		if (chain && strcmp(chain, chain_name) != 0)
8cce6c
-			goto next;
8cce6c
+	if (chain) {
8cce6c
+		c = nftnl_chain_list_lookup_byname(list, chain);
8cce6c
+		if (!c)
8cce6c
+			return 0;
8cce6c
 
8cce6c
-		/* this is a base chain */
8cce6c
-		if (nft_chain_builtin(c)) {
8cce6c
-			printf("-P %s %s", chain_name, policy_name[policy]);
8cce6c
-
8cce6c
-			if (counters) {
8cce6c
-				printf(" -c %"PRIu64" %"PRIu64"\n",
8cce6c
-					nftnl_chain_get_u64(c, NFTNL_CHAIN_PACKETS),
8cce6c
-					nftnl_chain_get_u64(c, NFTNL_CHAIN_BYTES));
8cce6c
-			} else
8cce6c
-				printf("\n");
8cce6c
-		} else {
8cce6c
-			printf("-N %s\n", chain_name);
8cce6c
-		}
8cce6c
-next:
8cce6c
-		c = nftnl_chain_list_iter_next(iter);
8cce6c
+		__nftnl_rule_list_chain_save(c, &counters);
8cce6c
+		return 1;
8cce6c
 	}
8cce6c
 
8cce6c
-	nftnl_chain_list_iter_destroy(iter);
8cce6c
-
8cce6c
+	nftnl_chain_list_foreach(list, __nftnl_rule_list_chain_save, &counters);
8cce6c
 	return 1;
8cce6c
 }
8cce6c
 
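Review bot: `policy_name[policy]` in `__nftnl_rule_list_chain_save()` is indexed with the raw value returned by `nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY)`, and nothing in the hunk checks that value against the table. The declaration of `policy_name` is outside the hunk, so this is inferred, but a policy value beyond the table (or a slot left NULL) would make the `printf` read out of bounds or hand NULL to `%s` while the ruleset is being dumped. Assuming `policy_name` is a true array, a guard ahead of the print such as `if (policy >= ARRAY_SIZE(policy_name) || !policy_name[policy]) return -1;` would close that. The call site would then need to stop discarding the result of `nftnl_chain_list_foreach(list, __nftnl_rule_list_chain_save, &counters)` so the failure reaches the caller.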
8cce6c
@@ -2410,41 +2408,36 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
8cce6c
 
8cce6c
 	list = nft_chain_list_get(h, table);
8cce6c
 	if (!list)
8cce6c
-		goto err;
8cce6c
+		return 0;
8cce6c
 
8cce6c
 	/* Dump policies and custom chains first */
8cce6c
 	if (!rulenum)
8cce6c
 		nftnl_rule_list_chain_save(h, chain, list, counters);
8cce6c
 
8cce6c
-	/* Now dump out rules in this table */
8cce6c
-	iter = nftnl_chain_list_iter_create(list);
8cce6c
-	if (iter == NULL)
8cce6c
-		goto err;
8cce6c
-
8cce6c
 	if (counters < 0)
8cce6c
 		format = FMT_C_COUNTS;
8cce6c
 	else if (counters == 0)
8cce6c
 		format = FMT_NOCOUNTS;
8cce6c
 
8cce6c
-	c = nftnl_chain_list_iter_next(iter);
8cce6c
-	while (c != NULL) {
8cce6c
-		const char *chain_name =
8cce6c
-			nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
8cce6c
+	if (chain) {
8cce6c
+		c = nftnl_chain_list_lookup_byname(list, chain);
8cce6c
+		if (!c)
8cce6c
+			return 0;
8cce6c
 
8cce6c
-		if (chain && strcmp(chain, chain_name) != 0)
8cce6c
-			goto next;
8cce6c
+		return __nft_rule_list(h, c, rulenum, format, list_save);
8cce6c
+	}
8cce6c
 
8cce6c
-		ret = __nft_rule_list(h, c, rulenum, format, list_save);
8cce6c
+	/* Now dump out rules in this table */
8cce6c
+	iter = nftnl_chain_list_iter_create(list);
8cce6c
+	if (iter == NULL)
8cce6c
+		return 0;
8cce6c
 
8cce6c
-		/* we printed the chain we wanted, stop processing. */
8cce6c
-		if (chain)
8cce6c
-			break;
8cce6c
-next:
8cce6c
+	c = nftnl_chain_list_iter_next(iter);
8cce6c
+	while (c != NULL) {
8cce6c
+		ret = __nft_rule_list(h, c, rulenum, format, list_save);
8cce6c
 		c = nftnl_chain_list_iter_next(iter);
8cce6c
 	}
8cce6c
-
8cce6c
 	nftnl_chain_list_iter_destroy(iter);
8cce6c
-err:
8cce6c
 	return ret;
8cce6c
 }
8cce6c
 
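Review bot: In the all-chains loop, `ret = __nft_rule_list(h, c, rulenum, format, list_save);` overwrites `ret` on every iteration, so `return ret` reflects only the last chain and a failure on an earlier chain is reported as success. The result of `nftnl_rule_list_chain_save(h, chain, list, counters)` a few lines above is discarded as well, and when a chain is given the same `nftnl_chain_list_lookup_byname()` lookup is then repeated here. For a listing that is presumably used to save or audit the ruleset, an incomplete dump should not look like a complete one; if 0 is the failure value, as the early `return 0` paths suggest, adding `if (!ret) break;` right after the call would stop at the first error and still reach `nftnl_chain_list_iter_destroy(iter)`. The declaration and initial value of `ret`, and the start of `nft_rule_list_save()`, are outside the hunk.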
-- 
2.21.0