On Thu, Jul 30, 2020 at 03:57:10PM +0200, Phil Sutter wrote:
> The full list of tables in kernel is not relevant, only those used by
> iptables-nft and for those, knowing if they exist or not is sufficient.
> For holding that information, the already existing 'table' array in
> nft_cache suits well.
>
> Consequently, nft_table_find() merely checks if the new 'exists' boolean
> is true or not and nft_for_each_table() iterates over the builtin_table
> array in nft_handle, additionally checking the boolean in cache for
> whether to skip the entry or not.
>
> Signed-off-by: Phil Sutter <phil@xxxxxx>
> ---
>  iptables/nft-cache.c | 73 +++++++++++---------------------------------
>  iptables/nft-cache.h |  9 ------
>  iptables/nft.c       | 55 +++++++++------------------------
>  iptables/nft.h       |  2 +-
>  4 files changed, 34 insertions(+), 105 deletions(-)

This diffstat looks interesting :-)

One question:

        c->table[i].exists = true;

then we assume this table is still in the kernel and we don't recheck?

I mean, if you pipe commands to an open process running iptables-restore
(which has been the recommended interface for years to avoid the overhead
of system() invocation and to ensure atomic updates), is there any cache
that this new approach might get out of sync?

Thanks.