The kernel prefers to identify a chain by handle if one was given, which causes
a manual traversal of the chain list. In contrast, chain lookup by name in the
kernel makes use of a hash table and so is considerably faster. Force this
code path by removing the cached chain's handle when removing it.

Signed-off-by: Phil Sutter <[email protected]>
---
 iptables/nft.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index 5ef3a75efcde5..8ff21e09f0344 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1643,6 +1643,7 @@ static int __nft_chain_user_del(struct nftnl_chain *c, 
void *data)
                fprintf(stdout, "Deleting chain `%s'\n",
                        nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
 
+       nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
        ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
        if (ret)
                return -1;
-- 
2.19.0
