firewall-util: probe firewall backend in fw_ctx_new()

FirewallContext is used by networkd and nspawn. Both allocates the context when it is really necessary. Hence, it is not necessary to delay probing backend. Moreover, if iptables backend is not enabled on build, and nftables is not supported by kernel, previously `fw_nftables_init()` is called everytime when we try to configure masquerade or dnat. It causes significant performance loss. Fixes test-firewall-util issue in #19052.
2024-10-27 01:55:22 +03:00 · 2021-03-23 14:38:18 +09:00 · 2021-03-23 14:38:18 +09:00 · dfb433f2a7
commit dfb433f2a7
parent 4fb8a48ff0
1 changed files with 2 additions and 12 deletions
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@ -48,18 +48,12 @@ int fw_ctx_new(FirewallContext **ret) {
        if (!ctx)
                return -ENOMEM;

-        /* could probe here.  However, this means that we will load
-         * iptable_nat or nf_tables, both will enable connection tracking.
-         *
-         * Alternative would be to probe here but only call
-         * fw_ctx_new when nspawn/networkd know they will call
-         * fw_add_masquerade/local_dnat later anyway.
-         */
-
        *ctx = (FirewallContext) {
                .backend = _FW_BACKEND_INVALID,
        };

+        firewall_backend_probe(ctx);
+
        *ret = TAKE_PTR(ctx);
        return 0;
 }
@ -90,8 +84,6 @@ int fw_add_masquerade(
                        return r;
        }

-        firewall_backend_probe(*ctx);
-
        switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
        case FW_BACKEND_IPTABLES:
@ -124,8 +116,6 @@ int fw_add_local_dnat(
                        return r;
        }

-        firewall_backend_probe(*ctx);
-
        switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
        case FW_BACKEND_IPTABLES: