[iptables PATCH 2/4] nft: cache: Make nft_rebuild_cache() respect fake cache


 



If the transaction needed a cache refresh in nft_action(), a restore with
flush would fetch a full rule cache instead of merely refreshing the table
list contained in the "fake" cache.

To fix this, nft_rebuild_cache() must distinguish between fake cache and
full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished
from NFT_CL_RULES.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-cache.c | 11 ++++++++---
 iptables/nft.h       |  3 ++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 6f21f2283e0fb..e1b1e89c9e0d3 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -484,6 +484,7 @@ retry:
 			break;
 		/* fall through */
 	case NFT_CL_RULES:
+	case NFT_CL_FAKE:
 		break;
 	}
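Review bot: The new `case NFT_CL_FAKE:` silently fetches nothing, and the hunk gives no hint why a fake level may reach this switch or what the caller is expected to get back. As far as this patch shows, NFT_CL_FAKE is only produced by nft_fake_cache(), so a one-line comment would keep the next reader from treating this as an unhandled level: `case NFT_CL_FAKE: /* fake cache holds only tables; nothing to fetch here */`. The enclosing function starts and ends outside the hunk, so I cannot see whether `level` here is the requested or the current cache level.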
 
@@ -528,7 +529,7 @@ void nft_fake_cache(struct nft_handle *h)
 
 		h->cache->table[type].chains = nftnl_chain_list_alloc();
 	}
-	h->cache_level = NFT_CL_RULES;
+	h->cache_level = NFT_CL_FAKE;
 	mnl_genid_get(h, &h->nft_genid);
 }
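Review bot: nft_fake_cache() is now also entered from the rebuild path, i.e. after `__nft_flush_cache(h)`, and the context line above unconditionally does `h->cache->table[type].chains = nftnl_chain_list_alloc();` without freeing a previous list. Whether the flush releases those per-table chain lists is not visible in this patch; if it does not, every rebuild of a fake cache leaks one list per table, so please confirm or free before reallocating. A short header comment on nft_fake_cache() stating that it expects an empty or already flushed `h->cache` and leaves `cache_level` at NFT_CL_FAKE would document that contract; the function's start is outside the hunk.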
 
@@ -641,8 +642,12 @@ void nft_rebuild_cache(struct nft_handle *h)
 	if (h->cache_level)
 		__nft_flush_cache(h);
 
-	h->cache_level = NFT_CL_NONE;
-	__nft_build_cache(h, level, NULL, NULL, NULL);
+	if (h->cache_level == NFT_CL_FAKE) {
+		nft_fake_cache(h);
+	} else {
+		h->cache_level = NFT_CL_NONE;
+		__nft_build_cache(h, level, NULL, NULL, NULL);
+	}
 }
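Review bot: The fake-cache test reads `h->cache_level` after `__nft_flush_cache(h)` has run, while the else branch passes the earlier snapshot `level` to `__nft_build_cache()`; if the flush helper ever resets `cache_level` (its body is not visible here), the NFT_CL_FAKE branch becomes dead and a fake cache is silently upgraded to a full rule fetch. Testing the snapshot instead is robust against that and consistent with the else branch: `if (level == NFT_CL_FAKE) {`. A comment such as `/* a fake cache must stay fake: only refresh the table list and genid */` above the branch would record the intent. `level` is declared before the hunk, so I am assuming it is a copy of `cache_level` taken before the flush.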
 
 void nft_release_cache(struct nft_handle *h)
diff --git a/iptables/nft.h b/iptables/nft.h
index 5cf260a6d2cd3..2094b01455194 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -32,7 +32,8 @@ enum nft_cache_level {
 	NFT_CL_TABLES,
 	NFT_CL_CHAINS,
 	NFT_CL_SETS,
-	NFT_CL_RULES
+	NFT_CL_RULES,
+	NFT_CL_FAKE	/* must be last entry */
 };
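Review bot: The comment `/* must be last entry */` states a constraint without its reason, which is exactly what the next person adding a level needs. Presumably cache levels are compared numerically elsewhere and a fake cache must rank above NFT_CL_RULES so callers that test `cache_level >= NFT_CL_RULES` keep treating it as complete (it used to be reported as NFT_CL_RULES, see the change in nft_fake_cache()); if that is the reason, say so: `NFT_CL_FAKE	/* must be last: levels compare numerically, fake must rank above RULES */`. If the real reason is different, please document that one instead.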
 
 struct nft_cache {
-- 
2.25.1




