Hi Pablo,

On Mon, Mar 02, 2020 at 08:19:30PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Mar 02, 2020 at 06:53:55PM +0100, Phil Sutter wrote:
> > iptables-nft-restore calls nft_action(h, NFT_COMPAT_COMMIT) for each
> > COMMIT line in input. When restoring a dump containing multiple large
> > tables, chances are nft_rebuild_cache() has to run multiple times.
>
> Then, fix nft_rebuild_cache() please.

This is not the right place to fix the problem: nft_rebuild_cache()
simply rebuilds the cache, switching to a secondary instance if not done
so before to avoid freeing objects referenced from batch jobs.

When creating batch jobs (e.g., adding a rule or chain), code is not
aware of which cache instance is currently in use. It will just add
those objects to nft_handle->cache pointer.

It is the job of nft_release_cache() to return things back to normal
after each COMMIT line, which includes restoring nft_handle->cache
pointer to point at first cache instance.

If you see a flaw in my reasoning, I'm all ears. Also, if you see a
better solution, please elaborate - IMO, nft_release_cache() should undo
what nft_rebuild_cache() may have done. From nft_action() perspective,
they are related.

Cheers, Phil