iptables: skip iptables if no rules are set

Users that never set iptables rules shouldn't incur the iptables performance cost. Suggested by Ian (@iangudger). PiperOrigin-RevId: 317232921
author: Kevin Krakauer <krakauer@google.com> 2020-06-18 19:45:13 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-06-18 19:46:36 -0700
commit: 0c169b6ad598200a57db7bf0f679da1d6cb395c4 (patch)
tree: 924d94abd0ff7447138c5f3433442ea43bc6f24e /pkg/tcpip/stack/iptables.go
parent: 28b8a5cc3ac538333756084da28d7f13f13b5c87 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index dc2b77c9d..62d4eb1b6 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -170,6 +170,7 @@ func (it *IPTables) GetTable(name string) (Table, bool) {
 func (it *IPTables) ReplaceTable(name string, table Table) {
 	it.mu.Lock()
 	defer it.mu.Unlock()
+	it.modified = true
 	it.tables[name] = table
 }
 
@@ -201,6 +202,15 @@ const (
 //
 // Precondition: pkt.NetworkHeader is set.
 func (it *IPTables) Check(hook Hook, pkt *PacketBuffer, gso *GSO, r *Route, address tcpip.Address, nicName string) bool {
+	// Many users never configure iptables. Spare them the cost of rule
+	// traversal if rules have never been set.
+	it.mu.RLock()
+	if !it.modified {
+		it.mu.RUnlock()
+		return true
+	}
+	it.mu.RUnlock()
+
 	// Packets are manipulated only if connection and matching
 	// NAT rule exists.
 	it.connections.HandlePacket(pkt, hook, gso, r)
author	Kevin Krakauer <krakauer@google.com>	2020-06-18 19:45:13 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-06-18 19:46:36 -0700
commit	0c169b6ad598200a57db7bf0f679da1d6cb395c4 (patch)
tree	924d94abd0ff7447138c5f3433442ea43bc6f24e /pkg/tcpip/stack/iptables.go
parent	28b8a5cc3ac538333756084da28d7f13f13b5c87 (diff)