diff options
| author | Florian Westphal <fw@strlen.de> | 2025-11-28 12:26:54 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2026-01-20 16:23:37 +0100 |
| commit | 6f93616a7323d646d18db9c09f147e453b40fdd7 (patch) | |
| tree | cafe3ca87ea37ee47dbf0451942a361b1337dece /include/linux/rtmutex.h | |
| parent | 77b9c4a438fc66e2ab004c411056b3fb71a54f2c (diff) | |
netfilter: nf_tables: reset table validation state on abort
If a transaction fails the final validation in the commit hook, the table
validation state is changed to NFT_VALIDATE_DO and a replay of the batch is
performed. Every rule insert will then do a graph validation.
This is much slower, but provides better error reporting to the user
because we can point at the rule that introduces the validation issue.
Without this reset the affected table(s) remain in full validation mode,
i.e. on next transaction we start with slow-mode.
This makes the next transaction after a failed incremental update very slow:
# time iptables-restore < /tmp/ruleset
real 0m0.496s [..]
# time iptables -A CALLEE -j CALLER
iptables v1.8.11 (nf_tables): RULE_APPEND failed (Too many links): rule in chain CALLEE
real 0m0.022s [..]
# time iptables-restore < /tmp/ruleset
real 1m22.355s [..]
After this patch, 2nd iptables-restore is back to ~0.5s.
Fixes: 9a32e9850686 ("netfilter: nf_tables: don't write table validation state without mutex")
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/linux/rtmutex.h')
0 files changed, 0 insertions, 0 deletions