From: pablo@netfilter.org
To: netfilter-devel@vger.kernel.org
Cc: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Subject: [PATCH 1/2] netfilter: nf_tables: use 64-bits rule handle instead of 16-bits
Date: Thu, 1 Nov 2012 17:02:23 +0100 [thread overview]
Message-ID: <1351785744-7492-2-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1351785744-7492-1-git-send-email-pablo@netfilter.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
This allows fast handle allocation. This speeds up rule addition
from O(n) to O(1).
I assume a 64-bit handle should be enough to avoid an overrun
(with 16 bits, an overrun may quite easily lead to two rules
having the same handle).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 ++--
net/netfilter/nf_tables_api.c | 23 ++++++++---------------
2 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 74b8b770..3289e0d 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -302,7 +302,7 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
*/
struct nft_rule {
struct list_head list;
- u16 handle;
+ u64 handle;
u16 dlen;
unsigned char data[]
__attribute__((aligned(__alignof__(struct nft_expr))));
@@ -356,7 +356,7 @@ struct nft_chain {
u8 policy;
u16 use;
u16 level;
- u16 hgenerator;
+ u64 hgenerator;
char name[NFT_CHAIN_MAXNAMELEN];
};
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e510f18..cfe6b85 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1061,7 +1061,7 @@ static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
*/
static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
- u16 handle)
+ u64 handle)
{
struct nft_rule *rule;
@@ -1080,26 +1080,19 @@ static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
if (nla == NULL)
return ERR_PTR(-EINVAL);
- return __nf_tables_rule_lookup(chain, ntohs(nla_get_be16(nla)));
+ return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
}
-static u16 nf_tables_rule_alloc_handle(struct nft_chain *chain)
+static inline u64 nf_tables_rule_alloc_handle(struct nft_chain *chain)
{
- int i = 0xFFFF;
- u16 handle;
-
- do {
- handle = ++chain->hgenerator;
- } while (--i > 0 && !IS_ERR(__nf_tables_rule_lookup(chain, handle)));
-
- return i > 0 ? handle : 0;
+ return ++chain->hgenerator;
}
static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
[NFTA_RULE_TABLE] = { .type = NLA_STRING },
[NFTA_RULE_CHAIN] = { .type = NLA_STRING,
.len = NFT_CHAIN_MAXNAMELEN - 1 },
- [NFTA_RULE_HANDLE] = { .type = NLA_U16 },
+ [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
[NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
};
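Review bot: With the lookup loop removed, `nf_tables_rule_alloc_handle()` no longer checks that the value it returns is unused, so uniqueness now depends on `hgenerator` being the only source of handles. The `-ENOENT` branch in the last `nf_tables_newrule` hunk suggests a caller-supplied NFTA_RULE_HANDLE that matches no rule is tolerated. If that path can create a rule with the supplied handle (the rest of the function is outside the diff), the generator can later issue the same value, and a delete or replace by handle would then act on whichever rule the list walk finds first. One option is to refuse unknown handles outright, `if (IS_ERR(rule)) return PTR_ERR(rule);`; the other is to keep the collision check for that one path. The old allocator also returned 0 on exhaustion, so any caller check for a zero handle (not visible here) is now dead code and could be dropped.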
@@ -1129,7 +1122,7 @@ static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 pid, u32 seq,
goto nla_put_failure;
if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
goto nla_put_failure;
- if (nla_put_be16(skb, NFTA_RULE_HANDLE, htons(rule->handle)))
+ if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
goto nla_put_failure;
list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
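Review bot: The 8-byte handle written by `nla_put_be64()` here may not sit on an 8-byte boundary in the message, because netlink only aligns attribute payloads to 4 bytes. The kernel-side reads in this patch go through `nla_get_be64()`, but a userspace parser that casts the payload to a 64-bit pointer could take an unaligned access on strict-alignment architectures. I would document this where NFTA_RULE_HANDLE is defined (not part of this diff), e.g. `/* NLA_U64, big-endian; payload is only 4-byte aligned, copy before use */`. nf_tables_fill_rule_info starts and ends outside the hunk.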
@@ -1317,7 +1310,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
unsigned int size, i, n;
int err, rem;
bool create;
- u16 handle;
+ u64 handle;
create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
@@ -1334,7 +1327,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
return PTR_ERR(chain);
if (nla[NFTA_RULE_HANDLE]) {
- handle = ntohs(nla_get_be16(nla[NFTA_RULE_HANDLE]));
+ handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
rule = __nf_tables_rule_lookup(chain, handle);
if (IS_ERR(rule)) {
if (PTR_ERR(rule) != -ENOENT)
--
1.7.10.4