From 27bc424993e8138e26d7db1d7f902baaf269dd7c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 12 Dec 2018 20:04:12 +0100
Subject: [PATCH] xtables: Speed up chain deletion in large rulesets

Kernel prefers to identify chain by handle if it was given which causes
manual traversal of the chain list. In contrast, chain lookup by name in
kernel makes use of a hash table so is considerably faster. Force this
code path by removing the cached chain's handle when removing it.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit a5f517a41d72794fae3d1332e6e0e413a5cd16c1)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
 iptables/nft.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index 1ce1ecdd276be..9c0ad9a2d054f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1660,6 +1660,8 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
 		fprintf(stdout, "Deleting chain `%s'\n",
 			nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
 
+	/* XXX This triggers a fast lookup from the kernel. */
+	nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
 	ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
 	if (ret)
 		return -1;
-- 
2.21.0