From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Eric Garver <eric@garver.life>,
netfilter-devel@vger.kernel.org, nhofmeyr@sysmocom.de
Subject: Re: [PATCH nft 2/2,v2] cache: recycle existing cache with incremental updates
Date: Tue, 23 Jul 2024 07:29:40 +0200 [thread overview]
Message-ID: <Zp8_xIP0FUsOdEHF@orbyte.nwl.cc> (raw)
In-Reply-To: <Zp7QSXcMHt9a8Hm7@calendula>
On Mon, Jul 22, 2024 at 11:34:01PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jul 22, 2024 at 04:48:40PM -0400, Eric Garver wrote:
> > On Tue, May 28, 2024 at 05:28:17PM +0200, Pablo Neira Ayuso wrote:
> > > Cache tracking has improved over time by incrementally adding/deleting
> > > objects when evaluating commands that are going to be sent to the kernel.
> > >
> > > nft_cache_is_complete() already checks that the cache contains objects
> > > that are required to handle this batch of commands by comparing cache
> > > flags.
> > >
> > > Infer from the current generation ID if no other transaction has
> > > invalidated the existing cache, this allows to skip unnecessary cache
> > > flush then refill situations which slow down incremental updates.
> > >
> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > ---
> > > v2: no changes
> >
> > Hi Pablo,
> >
> > This patch introduced a regression with the index keyword. It seems to
> > be triggered by adding a rule with "insert", then referencing the new
> > rule with by "add"-ing another rule using index.
> >
> > https://github.com/firewalld/firewalld/issues/1366#issuecomment-2243772215
>
> I can reproduce it:
>
> # nft -i
> nft> add table inet foo
> nft> add chain inet foo bar { type filter hook input priority filter; }
> nft> add rule inet foo bar accept
> nft> insert rule inet foo bar index 0 accept
> nft> add rule inet foo bar index 0 accept
> Error: Could not process rule: No such file or directory
> add rule inet foo bar index 0 accept
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Thanks for providing instructions.
> Cache woes. Maybe a bug in
>
> commit e5382c0d08e3c6d8246afa95b7380f0d6b8c1826
> Author: Phil Sutter <phil@nwl.cc>
> Date: Fri Jun 7 19:21:21 2019 +0200
I'll have a look later today.
Cheers, Phil
next prev parent reply other threads:[~2024-07-23 5:29 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-28 15:28 [PATCH nft 1/2,v2] cache: check for NFT_CACHE_REFRESH in current requested cache too Pablo Neira Ayuso
2024-05-28 15:28 ` [PATCH nft 2/2,v2] cache: recycle existing cache with incremental updates Pablo Neira Ayuso
2024-07-22 20:48 ` Eric Garver
2024-07-22 21:34 ` Pablo Neira Ayuso
2024-07-23 5:29 ` Phil Sutter [this message]
2024-07-23 11:56 ` Phil Sutter
2024-07-23 12:19 ` Pablo Neira Ayuso
2024-07-23 12:57 ` Pablo Neira Ayuso
2024-07-23 15:09 ` Phil Sutter
2024-07-24 7:51 ` Pablo Neira Ayuso
2024-07-23 14:34 ` Phil Sutter
2024-07-23 19:30 ` Eric Garver
2024-07-23 20:56 ` Phil Sutter
2024-07-24 7:44 ` Pablo Neira Ayuso
2024-07-24 11:51 ` Eric Garver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zp8_xIP0FUsOdEHF@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=eric@garver.life \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhofmeyr@sysmocom.de \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.