netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC - linux-dev - Linux kernel development work

diff options

author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-09-14 18:04:09 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-09-14 18:10:57 +0200
commit	ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 (patch)
tree	8665ae84918021d813e2f072ab6ae6cfb1fdc424 /tools
parent	netfilter: bridge: fix routing of bridge frames with call-iptables=1 (diff)
download	linux-dev-ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9.tar.xz linux-dev-ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9.zip

netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC

Fix lookup of existing match/target structures in the corresponding list by skipping the family check if NFPROTO_UNSPEC is used. This is resulting in the allocation and insertion of one match/target structure for each use of them. So this not only bloats memory consumption but also severely affects the time to reload the ruleset from the iptables-compat utility. After this patch, iptables-compat-restore and iptables-compat take almost the same time to reload large rulesets. Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'tools')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: