* [nftables RFC PATCH] limit netlink message size during delete operation
From: Eric Leblond @ 2013-10-02 23:12 UTC
To: Netfilter Devel; +Cc: Pablo Neira Ayuso
Hello,
When working on the flush issue, I've observed that the deletion message
contained the whole rule definition. This seems to be useless
as only table, chain and handle number are used to delete a rule.
The following patchset introduces a new function in libnftables to be
able to put only these identifiers in the deletion message.
BR,
--
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/
* [libnftables PATCH] src: add function nft_rule_nlmsg_build_id
From: Eric Leblond @ 2013-10-02 23:14 UTC
To: netfilter-devel; +Cc: eric, pablo
This patch adds a new function nft_rule_nlmsg_build_id which can
be used to only dump the identifiers of a rule to the netlink
message. This allows limiting the size of the messages when doing
some deletion operation where the other parameters are not used.
Signed-off-by: Eric Leblond <eric@regit.org>
---
include/libnftables/rule.h | 1 +
src/libnftables.map | 1 +
src/rule.c | 14 ++++++++++----
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/include/libnftables/rule.h b/include/libnftables/rule.h
index 9fba9c8..08c9cc4 100644
--- a/include/libnftables/rule.h
+++ b/include/libnftables/rule.h
@@ -40,6 +40,7 @@ uint64_t nft_rule_attr_get_u64(const struct nft_rule *r, uint16_t attr);
void nft_rule_add_expr(struct nft_rule *r, struct nft_rule_expr *expr);
+void nft_rule_nlmsg_build_id(struct nlmsghdr *nlh, struct nft_rule *t);
void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t);
enum {
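Review bot: the added prototype `+void nft_rule_nlmsg_build_id(struct nlmsghdr *nlh, struct nft_rule *t);` lands in a public header with no comment saying which subset of the rule it serializes, and it names its parameter `t` while the definition in src/rule.c below calls it `r`. A one-line comment above the declaration (for instance "emit only the table, chain and handle attributes, for delete operations") would tell API users when to prefer it over nft_rule_nlmsg_build_payload, and the parameter name should match the definition.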
diff --git a/src/libnftables.map b/src/libnftables.map
index 1223403..e6cd12c 100644
--- a/src/libnftables.map
+++ b/src/libnftables.map
@@ -72,6 +72,7 @@ global:
nft_rule_parse;
nft_rule_snprintf;
nft_rule_nlmsg_build_hdr;
+ nft_rule_nlmsg_build_id;
nft_rule_nlmsg_build_payload;
nft_rule_nlmsg_parse;
nft_rule_add_expr;
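Review bot: placing `+ nft_rule_nlmsg_build_id;` between nft_rule_nlmsg_build_hdr and nft_rule_nlmsg_build_payload keeps the nlmsg helpers grouped, which is fine. Worth recording in the commit message: adding a symbol to the `global:` block changes the exported ABI of libnftables, so any consumer (such as the nftables patch that follows in this thread) needs a library built from this commit or newer.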
diff --git a/src/rule.c b/src/rule.c
index 7f2bce6..f9861da 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -248,11 +248,8 @@ nft_rule_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family,
}
EXPORT_SYMBOL(nft_rule_nlmsg_build_hdr);
-void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
+void nft_rule_nlmsg_build_id(struct nlmsghdr *nlh, struct nft_rule *r)
{
- struct nft_rule_expr *expr;
- struct nlattr *nest;
-
if (r->flags & (1 << NFT_RULE_ATTR_TABLE))
mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, r->table);
if (r->flags & (1 << NFT_RULE_ATTR_CHAIN))
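Review bot: missing documentation on the renamed function. The old body of nft_rule_nlmsg_build_payload is now exported under the name on the `+void nft_rule_nlmsg_build_id(struct nlmsghdr *nlh, struct nft_rule *r)` line, but nothing in the diff states that build_id is meant to emit only the attributes that identify a rule. A short comment above the definition listing the NFTA_RULE_* attributes it writes would keep the two functions from drifting apart later.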
@@ -261,6 +258,15 @@ void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
mnl_attr_put_u64(nlh, NFTA_RULE_HANDLE, htobe64(r->handle));
if (r->flags & (1 << NFT_RULE_ATTR_POSITION))
mnl_attr_put_u64(nlh, NFTA_RULE_POSITION, htobe64(r->position));
+}
+EXPORT_SYMBOL(nft_rule_nlmsg_build_id);
+
+void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
+{
+ struct nft_rule_expr *expr;
+ struct nlattr *nest;
+
+ nft_rule_nlmsg_build_id(nlh, r);
if (!list_empty(&r->expr_list)) {
nest = mnl_attr_nest_start(nlh, NFTA_RULE_EXPRESSIONS);
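Review bot: NFTA_RULE_POSITION is still emitted from inside build_id. The cover letter says only table, chain and handle are needed to delete a rule, yet the `if (r->flags & (1 << NFT_RULE_ATTR_POSITION))` / `mnl_attr_put_u64(nlh, NFTA_RULE_POSITION, htobe64(r->position));` pair sits above the new `+}` that closes nft_rule_nlmsg_build_id, so a delete message will carry the position whenever that flag is set. Suggest moving those two lines into nft_rule_nlmsg_build_payload, right after the `+ nft_rule_nlmsg_build_id(nlh, r);` call, so build_id really contains only the identifiers its name promises.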
--
1.8.4.rc3
* [nftables PATCH] netlink: use build_id to lower message size
From: Eric Leblond @ 2013-10-02 23:16 UTC
To: netfilter-devel; +Cc: eric, pablo
This patch makes use of the new nft_rule_nlmsg_build_id function
from libnftables for the delete operation. This lowers the size
of the netlink message sent to the kernel when flushing the rules.
Signed-off-by: Eric Leblond <eric@regit.org>
---
src/mnl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mnl.c b/src/mnl.c
index 27b181a..3c07156 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -292,7 +292,7 @@ int mnl_nft_rule_batch_del(struct nft_rule *nlr, unsigned int flags,
nft_rule_attr_get_u32(nlr, NFT_RULE_ATTR_FAMILY),
NLM_F_ACK, seqnum);
- nft_rule_nlmsg_build_payload(nlh, nlr);
+ nft_rule_nlmsg_build_id(nlh, nlr);
if (!mnl_nlmsg_batch_next(batch))
mnl_batch_page_add();
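Review bot: the switch from `- nft_rule_nlmsg_build_payload(nlh, nlr);` to `+ nft_rule_nlmsg_build_id(nlh, nlr);` makes src/mnl.c depend on the libnftables change in the companion patch; if the two are merged independently the link fails with an undefined reference, so the commit message should state the required libnftables revision (or the build should probe for the symbol). Also, mnl_nft_rule_batch_del serves every batched rule deletion, not only flush, and after this change the kernel can identify the rule only through the attributes build_id emits, so callers must have set the handle on `nlr` before batching the delete; that assumption deserves a sentence in the commit message.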
--
1.8.4.rc3
* Re: [nftables PATCH] netlink: use build_id to lower message size
From: Pablo Neira Ayuso @ 2013-10-03 16:25 UTC
To: Eric Leblond; +Cc: netfilter-devel
On Thu, Oct 03, 2013 at 01:16:33AM +0200, Eric Leblond wrote:
> This patch makes use of the new nft_rule_nlmsg_build_id function
> from libnftables for the delete operation. This lowers the size
> of the netlink message sent to the kernel when flushing the rules.
I think we can simplify the flush operation with a small change in
nf_tables_delrule. The idea is to delete all rules if no chain is
specified.
The current approach is pretty time consuming, as we have to fetch the
ruleset from the kernel, iterate over it and build the message to
delete them.
Would you send me patches to follow this approach?