You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
81 lines
2.2 KiB
81 lines
2.2 KiB
2 years ago
|
From 2c183a2457d8640aaee3a98fc8fea70bf64d46f2 Mon Sep 17 00:00:00 2001
|
||
|
From: Phil Sutter <phil@nwl.cc>
|
||
|
Date: Sat, 29 Feb 2020 02:08:26 +0100
|
||
|
Subject: [PATCH] nft: cache: Make nft_rebuild_cache() respect fake cache
|
||
|
|
||
|
If transaction needed a refresh in nft_action(), restore with flush
|
||
|
would fetch a full cache instead of merely refreshing table list
|
||
|
contained in "fake" cache.
|
||
|
|
||
|
To fix this, nft_rebuild_cache() must distinguish between fake cache and
|
||
|
full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished
|
||
|
from NFT_CL_RULES.
|
||
|
|
||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||
|
(cherry picked from commit 40ad7793d1884f28767cf58c96e9d76ae0a18db1)
|
||
|
|
||
|
RHEL-only fix: Make nft_rebuild_cache() check 'level' instead of
|
||
|
'h->cache_level' as the latter may be reset by __nft_flush_cache().
|
||
|
|
||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||
|
---
|
||
|
iptables/nft-cache.c | 13 +++++++++----
|
||
|
iptables/nft.h | 3 ++-
|
||
|
2 files changed, 11 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||
|
index bc6e7f7eaebfb..9623b463f0dd5 100644
|
||
|
--- a/iptables/nft-cache.c
|
||
|
+++ b/iptables/nft-cache.c
|
||
|
@@ -480,6 +480,7 @@ __nft_build_cache(struct nft_handle *h, enum nft_cache_level level,
|
||
|
break;
|
||
|
/* fall through */
|
||
|
case NFT_CL_RULES:
|
||
|
+ case NFT_CL_FAKE:
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
@@ -516,7 +517,7 @@ void nft_fake_cache(struct nft_handle *h)
|
||
|
|
||
|
h->cache->table[type].chains = nftnl_chain_list_alloc();
|
||
|
}
|
||
|
- h->cache_level = NFT_CL_RULES;
|
||
|
+ h->cache_level = NFT_CL_FAKE;
|
||
|
mnl_genid_get(h, &h->nft_genid);
|
||
|
}
|
||
|
|
||
|
@@ -629,9 +630,13 @@ void nft_rebuild_cache(struct nft_handle *h)
|
||
|
if (h->cache_level)
|
||
|
__nft_flush_cache(h);
|
||
|
|
||
|
- h->nft_genid = 0;
|
||
|
- h->cache_level = NFT_CL_NONE;
|
||
|
- __nft_build_cache(h, level, NULL, NULL, NULL);
|
||
|
+ if (level == NFT_CL_FAKE) {
|
||
|
+ nft_fake_cache(h);
|
||
|
+ } else {
|
||
|
+ h->nft_genid = 0;
|
||
|
+ h->cache_level = NFT_CL_NONE;
|
||
|
+ __nft_build_cache(h, level, NULL, NULL, NULL);
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
void nft_release_cache(struct nft_handle *h)
|
||
|
diff --git a/iptables/nft.h b/iptables/nft.h
|
||
|
index 5cf260a6d2cd3..2094b01455194 100644
|
||
|
--- a/iptables/nft.h
|
||
|
+++ b/iptables/nft.h
|
||
|
@@ -32,7 +32,8 @@ enum nft_cache_level {
|
||
|
NFT_CL_TABLES,
|
||
|
NFT_CL_CHAINS,
|
||
|
NFT_CL_SETS,
|
||
|
- NFT_CL_RULES
|
||
|
+ NFT_CL_RULES,
|
||
|
+ NFT_CL_FAKE /* must be last entry */
|
||
|
};
|
||
|
|
||
|
struct nft_cache {
|
||
|
--
|
||
|
2.28.0
|
||
|
|