From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [PATCH nft,v4 00/16] cache consolidation
Date: Mon, 6 Jul 2015 20:16:52 +0200
Message-ID: <1436206628-23894-1-git-send-email-pablo@netfilter.org>
Hi,
This is another round of the patchset to consolidate the nft cache. The idea
consists of creating a cache of tables that is populated with chains, rules,
sets and elements before parsing/evaluation.
This comes with several advantages:
1) We can now keep the ruleset file in a linear list fashion. We can also apply
incremental set declaration updates in a file in an atomic fashion, eg.

  add table filter
  add chain filter input { type filter hook input priority 0; }
  add set filter blacklist { type ipv4_addr; }
  add element filter blacklist { 4.4.4.10 }
2) We have a single point to create a consistent cache, thus, we can handle
EINTR and validate generation counter to make sure we operate with a ruleset
that is up-to-date.
3) We can provide better error reporting from the evaluation step, eg.
# nft add element filter blacklist { 1.1.1.1 }
<cmdline>:1:1-36: Error: Could not process rule: Table 'filter' does not exist
add element filter blacklist { 1.1.1.1 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
instead of:
# nft add element filter blacklist { 1.1.1.1 }
<cmdline>:1:1-36: Error: Could not process rule: No such file or directory
add element filter blacklist { 1.1.1.1 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In follow up patches, it should be possible to reduce the number of object
lookups by attaching the corresponding object to struct cmd, so we don't need
to look it up again from the final command execution step.
4) We can later on use the cache to perform ruleset transformations as Patrick
already suggested.
I will keep testing this here a bit more, then if no objections, I'll push this
to master.
Thanks.
Pablo Neira Ayuso (16):
src: consolidate table cache
src: add cmd_evaluate_list()
rule: add reference counter to the table object
src: add table declaration to cache
src: consolidate set cache
src: add set declaration to cache
src: early allocation of the set ID
segtree: pass element expression as parameter to set_to_intervals()
rule: use netlink_add_setelems() when creating literal sets
rule: fix use of intervals in set declarations
rule: add chain reference counter
src: consolidate chain cache
evaluate: add cmd_evaluate_rename()
src: add chain declarations to cache
rule: consolidate rule cache
src: consolidate set element cache
include/expression.h | 3 +-
include/rule.h | 9 ++
src/evaluate.c | 142 +++++++++++++++++-------
src/main.c | 30 +++++-
src/netlink.c | 4 -
src/rule.c | 294 ++++++++++++++++++++++++++------------------------
src/segtree.c | 15 +--
7 files changed, 300 insertions(+), 197 deletions(-)
--
1.7.10.4
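As an added illustration of points 2) and 3) above (not code from this patchset or from nft itself), a small C model of a cache that is built at a single point: it records the generation ID, restarts the dump on EINTR or when the ID changed underneath it, and answers table lookups at evaluation time. The kernel side, genid_get(), dump_tables() and the cache struct are constructed stand-ins for the libmnl/libnftnl calls nft actually uses.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed kernel stand-in (not libmnl/libnftnl): a ruleset generation
 * counter and a table dump that hits EINTR once, then races a commit once. */
static unsigned int kernel_genid = 7;
static int dump_calls;

struct cache {
	unsigned int genid;       /* generation the cache was built against */
	int ntables, retries;     /* retries: how often the dump restarted */
	const char *tables[8];
};
static unsigned int genid_get(void) { return kernel_genid; }

static int dump_tables(struct cache *c)
{
	int call = dump_calls++;
	if (call == 0) { errno = EINTR; return -1; }   /* signal mid-dump */
	if (call == 1) kernel_genid++;                 /* commit races the dump */
	c->ntables = 1;
	c->tables[0] = "filter";
	return 0;
}

/* The single cache-building point: record the generation ID, dump, then check
 * that no commit happened in between; on EINTR or a changed ID start over. */
static int cache_init(struct cache *c)
{
	for (c->retries = 0;; c->retries++) {
		c->genid = genid_get();
		c->ntables = 0;
		int ret = dump_tables(c);
		if (ret < 0 && errno != EINTR)
			return -1;                     /* real failure, give up */
		if (ret == 0 && genid_get() == c->genid)
			return 0;                      /* consistent snapshot */
	}
}

/* Evaluation-time lookup: reports a missing table by name instead of the
 * bare ENOENT the kernel would return at commit time. */
static bool cache_has_table(const struct cache *c, const char *name)
{
	for (int i = 0; i < c->ntables; i++)
		if (strcmp(c->tables[i], name) == 0)
			return true;
	return false;
}
```

With the constructed stand-in, the first dump is interrupted and the second is invalidated by a concurrent commit, so the cache is only accepted on the third attempt, at generation 8.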