This series implements a rule list in chains to allow for per chain rule
caches in iptables-nft as well as nftables.
A second patch then adds utility functions for chain and rule lookups,
preparing for further optimizing these tasks in a transparent way since
users won't open-code the chain/rule
For now, these lookup functions simply iterate over the linked list
until they find the right entry. In future, they may make use of more
optimized data structures behind the curtains.
Signed-off-by: Phil Sutter
---
include/libnftnl/chain.h | 2 ++
src/chain.c | 28
Currently DNS resolvers that send both A and queries from the same source
port can trigger stream mode prematurely, which results in a
non-early-evictable conntrack entry for three minutes, even though DNS
requests are done in a few milliseconds.
Add a two second grace period where we continue to