Diffstat (limited to 'pkg/tcpip/stack/iptables.go')
-rw-r--r--pkg/tcpip/stack/iptables.go18
1 files changed, 10 insertions, 8 deletions
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index 4e9b404c8..62d4eb1b6 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -170,17 +170,10 @@ func (it *IPTables) GetTable(name string) (Table, bool) {
func (it *IPTables) ReplaceTable(name string, table Table) {
it.mu.Lock()
defer it.mu.Unlock()
+ it.modified = true
it.tables[name] = table
}
-// ModifyTables acquires write-lock and calls fn with internal name-to-table
-// map. This function can be used to update multiple tables atomically.
-func (it *IPTables) ModifyTables(fn func(map[string]Table)) {
- it.mu.Lock()
- defer it.mu.Unlock()
- fn(it.tables)
-}
-
// GetPriorities returns slice of priorities associated with hook.
func (it *IPTables) GetPriorities(hook Hook) []string {
it.mu.RLock()
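Review bot: ReplaceTable now sets `it.modified = true` before storing the table, but nothing in the hunk says what the flag means or that it is one-way, and its declaration is outside this hunk. Since Check relies on it to skip rule traversal entirely, every future path that mutates `it.tables` must set it too, which is easy to miss without a comment at the field; I would add `// modified is set once any table has been replaced and is never cleared; Check skips rule traversal while it is false.` at the field declaration and `// Mark tables as modified before publishing so Check never sees the new table without the flag.` above the assignment. With ModifyTables removed in this hunk, ReplaceTable appears to be the only remaining writer of it.tables, which is what makes the single flag sufficient. GetPriorities continues past the end of the hunk.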
@@ -209,6 +202,15 @@ const (
//
// Precondition: pkt.NetworkHeader is set.
func (it *IPTables) Check(hook Hook, pkt *PacketBuffer, gso *GSO, r *Route, address tcpip.Address, nicName string) bool {
+ // Many users never configure iptables. Spare them the cost of rule
+ // traversal if rules have never been set.
+ it.mu.RLock()
+ if !it.modified {
+ it.mu.RUnlock()
+ return true
+ }
+ it.mu.RUnlock()
+
// Packets are manipulated only if connection and matching
// NAT rule exists.
it.connections.HandlePacket(pkt, hook, gso, r)
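Review bot: The early `return true` in Check is only correct if the tables that exist before the first ReplaceTable accept every packet at every hook; that precondition is not stated in the hunk, and the default table construction lives outside it, so the fast path silently becomes a filter bypass if a default table ever gains a non-ACCEPT rule or policy. I would extend the new comment to pin the assumption, e.g. `// Precondition: the default tables accept all packets, so skipping traversal is equivalent to running them.`. The fast path also skips it.connections.HandlePacket, which is fine as long as connection tracking is only needed when NAT rules exist (the existing comment on the next lines suggests so, but I cannot confirm from here). Reading `it.modified` under RLock and releasing before traversal means a concurrent ReplaceTable may land after the check, so a packet can be accepted without the new rules; that is the same outcome as the packet arriving a moment earlier and seems acceptable, but worth a one-line note. Check's body continues beyond the hunk.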