* Modifying ebtables to read the commands from a file
@ 2010-03-28 10:07 Peter Gordon
2010-03-28 13:00 ` Jan Engelhardt
0 siblings, 1 reply; 5+ messages in thread
From: Peter Gordon @ 2010-03-28 10:07 UTC (permalink / raw)
To: netfilter-devel
I need to add a number of rules to the ebtables and I cannot afford the
fork overhead for each line. So what I want to do is to read each line
from a file and have the program iterate over the file.
ebtables-save and ebtables-restore is not good enough for my
application, because I can't add rules incrementally. ebtables-restore
doesn't add add rules, but replaces all existing rules.
I have changed ebtables-standalone.c:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "include/ebtables_u.h"
static struct ebt_u_replace replace;
void ebt_early_init_once();
#define MAX_TOKENS 100
int main(int argc, char *argv[])
{
ebt_silent = 0;
ebt_early_init_once();
char *tok ;
char **myArgv ;
char *delim = " " ;
char *p ;
FILE *fp ;
char line[1000] ;
int myArgc = 0 ;
int i ;
myArgv = malloc(MAX_TOKENS * sizeof(char *)) ;
for (i=0 ; i<MAX_TOKENS ; i++) {
myArgv[i] = NULL ;
}
if (argc == 3 && strcmp(argv[1],"-f") == 0) {
myArgv[0] = "ebtables" ;
myArgc = 1 ;
fp = fopen(argv[2],"r") ;
if (fp == NULL) {
fprintf(stderr,"Can't open file %s\n",argv[2]) ;
exit(1);
}
while(fgets(line,sizeof(line),fp)) {
/* Ignore comments */
if (*line == '#' || *line == '\n') {
continue ;
}
*strchr(line, '\n') = '\0';
p = line ;
while(1) {
tok = strtok(p,delim) ;
if (tok == NULL) {
break ;
}
p = NULL ;
/* printf("Token %s\n",tok) ; */
if (myArgc >= MAX_TOKENS) {
fprintf(stderr,"Too many tokens on line %s\n",line) ;
exit(1) ;
}
/* printf("TOKEN: number: %d name: %s\n",myArgc,tok) ;*/
myArgv[myArgc++] = tok ;
}
memset(&replace,0,sizeof(replace)) ;
strcpy(replace.name, "filter");
do_command(myArgc, myArgv, EXEC_STYLE_PRG, &replace);
myArgc = 1 ;
}
return 0;
}
strcpy(replace.name, "filter");
do_command(argc, argv, EXEC_STYLE_PRG, &replace);
return 0;
}
I have also added some extra initialization to ebtables.c - the extra
code added is the three for loops:
opterr = 0;
ebt_modprobe = NULL;
for (m = ebt_matches; m; m = m->next) {
m->used = 0 ;
m->flags = 0 ;
}
for (t = ebt_targets; t; t = t->next) {
t->used = 0 ;
t->flags = 0 ;
}
for (w = ebt_watchers; w; w = w->next) {
w->used = 0 ;
w->flags = 0 ;
}
replace = replace_;
/* The daemon doesn't use the environment variable */
if (exec_style == EXEC_STYLE_PRG) {
I am still missing some initializations - I am getting leftover
information from previous rules.
The essential problem is to allow do_command to be called more than
once.
Can anyone tell me how to correctly initialize all the structures in the
do_command.
Thanks,
Peter
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Modifying ebtables to read the commands from a file
2010-03-28 10:07 Modifying ebtables to read the commands from a file Peter Gordon
@ 2010-03-28 13:00 ` Jan Engelhardt
2010-03-28 15:43 ` Bart De Schuymer
0 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2010-03-28 13:00 UTC (permalink / raw)
To: Peter Gordon; +Cc: netfilter-devel
On Sunday 2010-03-28 12:07, Peter Gordon wrote:
>I need to add a number of rules to the ebtables and I cannot afford the
>fork overhead for each line.
The larger part of the overhead is due to the tables recomputed (dumped,
rule added, restored) every time you call it. That's why one should use
xx-restore.
>So what I want to do is to read each line
>from a file and have the program iterate over the file.
>
>ebtables-save and ebtables-restore is not good enough for my
>application, because I can't add rules incrementally.
Dump the rules with ebtables-save to a buffer, add your rules,
and use -restore. That's sort of incrementally, and the fastest
way to put a ruleset in atomic fashion into place.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Modifying ebtables to read the commands from a file
2010-03-28 13:00 ` Jan Engelhardt
@ 2010-03-28 15:43 ` Bart De Schuymer
2010-03-31 7:23 ` Peter Gordon
0 siblings, 1 reply; 5+ messages in thread
From: Bart De Schuymer @ 2010-03-28 15:43 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Peter Gordon, netfilter-devel
Jan Engelhardt schreef:
> On Sunday 2010-03-28 12:07, Peter Gordon wrote:
>
>
>> I need to add a number of rules to the ebtables and I cannot afford the
>> fork overhead for each line.
>>
>
> The larger part of the overhead is due to the tables recomputed (dumped,
> rule added, restored) every time you call it. That's why one should use
> xx-restore.
>
>
>> So what I want to do is to read each line
>>
> >from a file and have the program iterate over the file.
>
>> ebtables-save and ebtables-restore is not good enough for my
>> application, because I can't add rules incrementally.
>>
>
> Dump the rules with ebtables-save to a buffer, add your rules,
> and use -restore. That's sort of incrementally, and the fastest
> way to put a ruleset in atomic fashion into place.
>
That's indeed the easiest way to do it. The only problem is that the
counters of already existing rules won't always be correct because
packets will traverse the chains between the -save and -restore time.
It's probably not so hard to alter ebtables-restore to keep the counters
correct.
A few years ago I experimented with an ebtables 'daemon' that would run
in the background and commands could be sent to it through a pipe. This
has the advantage that the distinction between added and already
existing rules is maintained, enabling correct counters. The changed
table is updated in userspace and only committed to the kernel when a
specific command is given. See ebtablesd.c and ebtablesu.c for the code.
Performance tests are available in examples/perf_test/perf_test. I'm not
maintaining these files for free, though.
cheers,
Bart
--
Bart De Schuymer
www.artinalgorithms.be
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Modifying ebtables to read the commands from a file
2010-03-28 15:43 ` Bart De Schuymer
@ 2010-03-31 7:23 ` Peter Gordon
2010-03-31 11:45 ` Bart De Schuymer
0 siblings, 1 reply; 5+ messages in thread
From: Peter Gordon @ 2010-03-31 7:23 UTC (permalink / raw)
To: Bart De Schuymer; +Cc: Jan Engelhardt, netfilter-devel
Thanks for the reply.
The counters are not particularly interesting in my application, so that
isn't a problem.
ebtables-restore replaces the rules atomically. There are two meanings
in this context to "atomic".
a) The old ruleset is deleted, and after, the new ruleset is applied
atomically, at a single instant in time.
or
b) The old ruleset is deleted and replaced by the new ruleset as one
action - with no time gap between them.
Peter
On Sun, 2010-03-28 at 17:43 +0200, Bart De Schuymer wrote:
> Jan Engelhardt schreef:
> > On Sunday 2010-03-28 12:07, Peter Gordon wrote:
> >
> >
> >> I need to add a number of rules to the ebtables and I cannot afford the
> >> fork overhead for each line.
> >>
> >
> > The larger part of the overhead is due to the tables recomputed (dumped,
> > rule added, restored) every time you call it. That's why one should use
> > xx-restore.
> >
> >
> >> So what I want to do is to read each line
> >>
> > >from a file and have the program iterate over the file.
> >
> >> ebtables-save and ebtables-restore is not good enough for my
> >> application, because I can't add rules incrementally.
> >>
> >
> > Dump the rules with ebtables-save to a buffer, add your rules,
> > and use -restore. That's sort of incrementally, and the fastest
> > way to put a ruleset in atomic fashion into place.
> >
> That's indeed the easiest way to do it. The only problem is that the
> counters of already existing rules won't always be correct because
> packets will traverse the chains between the -save and -restore time.
> It's probably not so hard to alter ebtables-restore to keep the counters
> correct.
> A few years ago I experimented with an ebtables 'daemon' that would run
> in the background and commands could be sent to it through a pipe. This
> has the advantage that the distinction between added and already
> existing rules is maintained, enabling correct counters. The changed
> table is updated in userspace and only committed to the kernel when a
> specific command is given. See ebtablesd.c and ebtablesu.c for the code.
> Performance tests are available in examples/perf_test/perf_test. I'm not
> maintaining these files for free, though.
>
> cheers,
> Bart
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Modifying ebtables to read the commands from a file
2010-03-31 7:23 ` Peter Gordon
@ 2010-03-31 11:45 ` Bart De Schuymer
0 siblings, 0 replies; 5+ messages in thread
From: Bart De Schuymer @ 2010-03-31 11:45 UTC (permalink / raw)
To: Peter Gordon; +Cc: Jan Engelhardt, netfilter-devel
Peter Gordon schreef:
> Thanks for the reply.
>
> The counters are not particularly interesting in my application, so that
> isn't a problem.
>
> ebtables-restore replaces the rules atomically. There are two meanings
> in this context to "atomic".
>
> a) The old ruleset is deleted, and after, the new ruleset is applied
> atomically, at a single instant in time.
>
> or
>
> b) The old ruleset is deleted and replaced by the new ruleset as one
> action - with no time gap between them.
>
>
1 the new table content is constructed
2 the pointer to the old table is replaced by a pointer to the new table
3 the old table is deleted
So there's no gap of time in which there is no table ruleset present.
cheers,
Bart
--
Bart De Schuymer
www.artinalgorithms.be
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-03-31 11:45 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-03-28 10:07 Modifying ebtables to read the commands from a file Peter Gordon
2010-03-28 13:00 ` Jan Engelhardt
2010-03-28 15:43 ` Bart De Schuymer
2010-03-31 7:23 ` Peter Gordon
2010-03-31 11:45 ` Bart De Schuymer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).