author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-09-14 18:04:09 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-09-14 18:10:57 +0200 |
commit | ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 (patch) | |
tree | 8665ae84918021d813e2f072ab6ae6cfb1fdc424 /security | |
parent | netfilter: bridge: fix routing of bridge frames with call-iptables=1 (diff) | |

netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC

Fix lookup of existing match/target structures in the corresponding list
by skipping the family check if NFPROTO_UNSPEC is used.

This is resulting in the allocation and insertion of one match/target
structure for each use of them. So this not only bloats memory
consumption but also severely affects the time to reload the ruleset
from the iptables-compat utility.

After this patch, iptables-compat-restore and iptables-compat take
almost the same time to reload large rulesets.

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions