|
 |
9c35a8 |
From 2c183a2457d8640aaee3a98fc8fea70bf64d46f2 Mon Sep 17 00:00:00 2001
|
|
|
9c35a8 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
9c35a8 |
Date: Sat, 29 Feb 2020 02:08:26 +0100
|
|
|
9c35a8 |
Subject: [PATCH] nft: cache: Make nft_rebuild_cache() respect fake cache
|
|
|
9c35a8 |
|
|
|
9c35a8 |
If transaction needed a refresh in nft_action(), restore with flush
|
|
|
9c35a8 |
would fetch a full cache instead of merely refreshing table list
|
|
|
9c35a8 |
contained in "fake" cache.
|
|
|
9c35a8 |
|
|
|
9c35a8 |
To fix this, nft_rebuild_cache() must distinguish between fake cache and
|
|
|
9c35a8 |
full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished
|
|
|
9c35a8 |
from NFT_CL_RULES.
|
|
|
9c35a8 |
|
|
|
9c35a8 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
9c35a8 |
(cherry picked from commit 40ad7793d1884f28767cf58c96e9d76ae0a18db1)
|
|
|
9c35a8 |
|
|
|
9c35a8 |
RHEL-only fix: Make nft_rebuild_cache() check 'level' instead of
|
|
|
9c35a8 |
'h->cache_level' as the latter may be reset by __nft_flush_cache().
|
|
|
9c35a8 |
|
|
|
9c35a8 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
9c35a8 |
---
|
|
|
9c35a8 |
iptables/nft-cache.c | 13 +++++++++----
|
|
|
9c35a8 |
iptables/nft.h | 3 ++-
|
|
|
9c35a8 |
2 files changed, 11 insertions(+), 5 deletions(-)
|
|
|
9c35a8 |
|
|
|
9c35a8 |
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
|
|
9c35a8 |
index bc6e7f7eaebfb..9623b463f0dd5 100644
|
|
|
9c35a8 |
--- a/iptables/nft-cache.c
|
|
|
9c35a8 |
+++ b/iptables/nft-cache.c
|
|
|
9c35a8 |
@@ -480,6 +480,7 @@ __nft_build_cache(struct nft_handle *h, enum nft_cache_level level,
|
|
|
9c35a8 |
break;
|
|
|
9c35a8 |
/* fall through */
|
|
|
9c35a8 |
case NFT_CL_RULES:
|
|
|
9c35a8 |
+ case NFT_CL_FAKE:
|
|
|
9c35a8 |
break;
|
|
|
9c35a8 |
}
|
|
|
9c35a8 |
|
|
|
9c35a8 |
@@ -516,7 +517,7 @@ void nft_fake_cache(struct nft_handle *h)
|
|
|
9c35a8 |
|
|
|
9c35a8 |
h->cache->table[type].chains = nftnl_chain_list_alloc();
|
|
|
9c35a8 |
}
|
|
|
9c35a8 |
- h->cache_level = NFT_CL_RULES;
|
|
|
9c35a8 |
+ h->cache_level = NFT_CL_FAKE;
|
|
|
9c35a8 |
mnl_genid_get(h, &h->nft_genid);
|
|
|
9c35a8 |
}
|
|
|
9c35a8 |
|
|
|
9c35a8 |
@@ -629,9 +630,13 @@ void nft_rebuild_cache(struct nft_handle *h)
|
|
|
9c35a8 |
if (h->cache_level)
|
|
|
9c35a8 |
__nft_flush_cache(h);
|
|
|
9c35a8 |
|
|
|
9c35a8 |
- h->nft_genid = 0;
|
|
|
9c35a8 |
- h->cache_level = NFT_CL_NONE;
|
|
|
9c35a8 |
- __nft_build_cache(h, level, NULL, NULL, NULL);
|
|
|
9c35a8 |
+ if (level == NFT_CL_FAKE) {
|
|
|
9c35a8 |
+ nft_fake_cache(h);
|
|
|
9c35a8 |
+ } else {
|
|
|
9c35a8 |
+ h->nft_genid = 0;
|
|
|
9c35a8 |
+ h->cache_level = NFT_CL_NONE;
|
|
|
9c35a8 |
+ __nft_build_cache(h, level, NULL, NULL, NULL);
|
|
|
9c35a8 |
+ }
|
|
|
9c35a8 |
}
|
|
|
9c35a8 |
|
|
|
9c35a8 |
void nft_release_cache(struct nft_handle *h)
|
|
|
9c35a8 |
diff --git a/iptables/nft.h b/iptables/nft.h
|
|
|
9c35a8 |
index 5cf260a6d2cd3..2094b01455194 100644
|
|
|
9c35a8 |
--- a/iptables/nft.h
|
|
|
9c35a8 |
+++ b/iptables/nft.h
|
|
|
9c35a8 |
@@ -32,7 +32,8 @@ enum nft_cache_level {
|
|
|
9c35a8 |
NFT_CL_TABLES,
|
|
|
9c35a8 |
NFT_CL_CHAINS,
|
|
|
9c35a8 |
NFT_CL_SETS,
|
|
|
9c35a8 |
- NFT_CL_RULES
|
|
|
9c35a8 |
+ NFT_CL_RULES,
|
|
|
9c35a8 |
+ NFT_CL_FAKE /* must be last entry */
|
|
|
9c35a8 |
};
|
|
|
9c35a8 |
|
|
|
9c35a8 |
struct nft_cache {
|
|
|
9c35a8 |
--
|
|
|
9c35a8 |
2.28.0
|
|
|
9c35a8 |
|