| From 2c183a2457d8640aaee3a98fc8fea70bf64d46f2 Mon Sep 17 00:00:00 2001 |
| From: Phil Sutter <phil@nwl.cc> |
| Date: Sat, 29 Feb 2020 02:08:26 +0100 |
| Subject: [PATCH] nft: cache: Make nft_rebuild_cache() respect fake cache |
| |
| If transaction needed a refresh in nft_action(), restore with flush |
| would fetch a full cache instead of merely refreshing table list |
| contained in "fake" cache. |
| |
| To fix this, nft_rebuild_cache() must distinguish between fake cache and |
| full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished |
| from NFT_CL_RULES. |
| |
| Signed-off-by: Phil Sutter <phil@nwl.cc> |
| (cherry picked from commit 40ad7793d1884f28767cf58c96e9d76ae0a18db1) |
| |
| RHEL-only fix: Make nft_rebuild_cache() check 'level' instead of |
| 'h->cache_level' as the latter may be reset by __nft_flush_cache(). |
| |
| Signed-off-by: Phil Sutter <psutter@redhat.com> |
| |
| iptables/nft-cache.c | 13 +++++++++---- |
| iptables/nft.h | 3 ++- |
| 2 files changed, 11 insertions(+), 5 deletions(-) |
| |
| diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c |
| index bc6e7f7eaebfb..9623b463f0dd5 100644 |
| |
| |
| @@ -480,6 +480,7 @@ __nft_build_cache(struct nft_handle *h, enum nft_cache_level level, |
| break; |
| /* fall through */ |
| case NFT_CL_RULES: |
| + case NFT_CL_FAKE: |
| break; |
| } |
| |
| @@ -516,7 +517,7 @@ void nft_fake_cache(struct nft_handle *h) |
| |
| h->cache->table[type].chains = nftnl_chain_list_alloc(); |
| } |
| - h->cache_level = NFT_CL_RULES; |
| + h->cache_level = NFT_CL_FAKE; |
| mnl_genid_get(h, &h->nft_genid); |
| } |
| |
| @@ -629,9 +630,13 @@ void nft_rebuild_cache(struct nft_handle *h) |
| if (h->cache_level) |
| __nft_flush_cache(h); |
| |
| - h->nft_genid = 0; |
| - h->cache_level = NFT_CL_NONE; |
| - __nft_build_cache(h, level, NULL, NULL, NULL); |
| + if (level == NFT_CL_FAKE) { |
| + nft_fake_cache(h); |
| + } else { |
| + h->nft_genid = 0; |
| + h->cache_level = NFT_CL_NONE; |
| + __nft_build_cache(h, level, NULL, NULL, NULL); |
| + } |
| } |
| |
| void nft_release_cache(struct nft_handle *h) |
| diff --git a/iptables/nft.h b/iptables/nft.h |
| index 5cf260a6d2cd3..2094b01455194 100644 |
| |
| |
| @@ -32,7 +32,8 @@ enum nft_cache_level { |
| NFT_CL_TABLES, |
| NFT_CL_CHAINS, |
| NFT_CL_SETS, |
| - NFT_CL_RULES |
| + NFT_CL_RULES, |
| + NFT_CL_FAKE /* must be last entry */ |
| }; |
| |
| struct nft_cache { |
| -- |
| 2.28.0 |
| |