mirror of
https://github.com/systemd/systemd.git
synced 2024-10-27 01:55:22 +03:00
firewall-util: probe firewall backend in fw_ctx_new()
FirewallContext is used by networkd and nspawn. Both allocate the context only when it is really necessary. Hence, it is not necessary to delay probing the backend. Moreover, if the iptables backend is not enabled at build time and nftables is not supported by the kernel, previously `fw_nftables_init()` was called every time we tried to configure masquerade or dnat, which caused a significant performance loss. Fixes test-firewall-util issue in #19052.
parent
4fb8a48ff0
commit
dfb433f2a7
@ -48,18 +48,12 @@ int fw_ctx_new(FirewallContext **ret) {
|
||||
if (!ctx)
|
||||
return -ENOMEM;
|
||||
|
||||
/* could probe here. However, this means that we will load
|
||||
* iptable_nat or nf_tables, both will enable connection tracking.
|
||||
*
|
||||
* Alternative would be to probe here but only call
|
||||
* fw_ctx_new when nspawn/networkd know they will call
|
||||
* fw_add_masquerade/local_dnat later anyway.
|
||||
*/
|
||||
|
||||
*ctx = (FirewallContext) {
|
||||
.backend = _FW_BACKEND_INVALID,
|
||||
};
|
||||
|
||||
firewall_backend_probe(ctx);
|
||||
|
||||
*ret = TAKE_PTR(ctx);
|
||||
return 0;
|
||||
}
|
||||
@ -90,8 +84,6 @@ int fw_add_masquerade(
|
||||
return r;
|
||||
}
|
||||
|
||||
firewall_backend_probe(*ctx);
|
||||
|
||||
switch ((*ctx)->backend) {
|
||||
#if HAVE_LIBIPTC
|
||||
case FW_BACKEND_IPTABLES:
|
||||
@ -124,8 +116,6 @@ int fw_add_local_dnat(
|
||||
return r;
|
||||
}
|
||||
|
||||
firewall_backend_probe(*ctx);
|
||||
|
||||
switch ((*ctx)->backend) {
|
||||
#if HAVE_LIBIPTC
|
||||
case FW_BACKEND_IPTABLES:
|
||||
|
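Review bot: fw_ctx_new() now calls `firewall_backend_probe(ctx)` unconditionally, so constructing a context takes on the side effect the deleted comment described (loading iptable_nat or nf_tables, which enables connection tracking), and nothing on the new side records that. I would keep a short comment above the call, e.g. `/* Probing may load iptable_nat or nf_tables and thereby enable connection tracking; only allocate a context when rules will actually be installed. */`, so a future caller does not create one eagerly. The probe's outcome is also not reflected in the return value, and with the per-call probes dropped from fw_add_masquerade() and fw_add_local_dnat() the backend chosen here presumably stays fixed for the context's lifetime; if so, that is worth stating in the same comment. The bodies of all three functions extend beyond the hunks shown.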