On Tue, May 28, 2024 at 05:28:17PM +0200, Pablo Neira Ayuso wrote:
> Cache tracking has improved over time by incrementally adding/deleting
> objects when evaluating commands that are going to be sent to the kernel.
>
> nft_cache_is_complete() already checks that the cache contains objects
> that are required to handle this batch of commands by comparing cache
> flags.
>
> Infer from the current generation ID if no other transaction has
> invalidated the existing cache, this allows to skip unnecessary cache
> flush then refill situations which slow down incremental updates.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> v2: no changes

Hi Pablo,

This patch introduced a regression with the index keyword. It seems to
be triggered by adding a rule with "insert", then referencing the new
rule by "add"-ing another rule using index.

https://github.com/firewalld/firewalld/issues/1366#issuecomment-2243772215

I'm happy to test any fixes.

Thanks.
Eric.

--->8---

# cat /tmp/foo2
add table inet foo
add chain inet foo bar { type filter hook input priority filter; }
add rule inet foo bar accept
insert rule inet foo bar index 0 accept
add rule inet foo bar index 0 accept

# nft delete table inet foo; nft -i < /tmp/foo2 ; nft list table inet foo
Error: Could not process rule: No such file or directory
add rule inet foo bar index 0 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
table inet foo {
        chain bar {
                type filter hook input priority filter; policy accept;
                accept
                accept
        }
}

# git revert e791dbe109b6dd891a63a4236df5dc29d7a4b863
[master 30ae3c684990] Revert "cache: recycle existing cache with incremental updates"
 1 file changed, 3 insertions(+), 15 deletions(-)

# make install
[..]

# nft delete table inet foo; nft -i < /tmp/foo2 ; nft list table inet foo
table inet foo {
        chain bar {
                type filter hook input priority filter; policy accept;
                accept
                accept
                accept
        }
}