[nftables RFC PATCH]limit netlink message size during delete operation

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [nftables RFC PATCH]limit netlink message size during delete operation
@ 2013-10-02 23:12 Eric Leblond
  2013-10-02 23:14 ` [libnftables PATCH] src: add function nft_rule_nlmsg_build_id Eric Leblond
  2013-10-02 23:16 ` [nftables PATCH] netlink: use build_id to lower message size Eric Leblond
  0 siblings, 2 replies; 4+ messages in thread
From: Eric Leblond @ 2013-10-02 23:12 UTC (permalink / raw)
  To: Netfilter Devel; +Cc: Pablo Neira Ayuso

Hello,

When working on the flush issue, I've observed that the deletion message
was containing the whole the rule definition. This seems to be useless
as only table, chain and handle number are used to delete a rule.

The following patchset introduces a new function in libnftables to be
able to only put only these identifiers in the deletion message.

BR,
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [libnftables PATCH] src: add function nft_rule_nlmsg_build_id
  2013-10-02 23:12 [nftables RFC PATCH]limit netlink message size during delete operation Eric Leblond
@ 2013-10-02 23:14 ` Eric Leblond
  2013-10-02 23:16 ` [nftables PATCH] netlink: use build_id to lower message size Eric Leblond
  1 sibling, 0 replies; 4+ messages in thread
From: Eric Leblond @ 2013-10-02 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric, pablo

This patch adds a new function nft_rule_nlmsg_build_id which can
be used to only dump the identifiers of a rule to the netlink
message. This allow to limit the size of the messages when doing
some deletion operation where the other parameters are not used.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/libnftables/rule.h |  1 +
 src/libnftables.map        |  1 +
 src/rule.c                 | 14 ++++++++++----
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/include/libnftables/rule.h b/include/libnftables/rule.h
index 9fba9c8..08c9cc4 100644
--- a/include/libnftables/rule.h
+++ b/include/libnftables/rule.h
@@ -40,6 +40,7 @@ uint64_t nft_rule_attr_get_u64(const struct nft_rule *r, uint16_t attr);
 
 void nft_rule_add_expr(struct nft_rule *r, struct nft_rule_expr *expr);
 
+void nft_rule_nlmsg_build_id(struct nlmsghdr *nlh, struct nft_rule *t);
 void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t);
 
 enum {
diff --git a/src/libnftables.map b/src/libnftables.map
index 1223403..e6cd12c 100644
--- a/src/libnftables.map
+++ b/src/libnftables.map
@@ -72,6 +72,7 @@ global:
   nft_rule_parse;
   nft_rule_snprintf;
   nft_rule_nlmsg_build_hdr;
+  nft_rule_nlmsg_build_id;
   nft_rule_nlmsg_build_payload;
   nft_rule_nlmsg_parse;
   nft_rule_add_expr;
diff --git a/src/rule.c b/src/rule.c
index 7f2bce6..f9861da 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -248,11 +248,8 @@ nft_rule_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family,
 }
 EXPORT_SYMBOL(nft_rule_nlmsg_build_hdr);
 
-void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
+void nft_rule_nlmsg_build_id(struct nlmsghdr *nlh, struct nft_rule *r)
 {
-	struct nft_rule_expr *expr;
-	struct nlattr *nest;
-
 	if (r->flags & (1 << NFT_RULE_ATTR_TABLE))
 		mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, r->table);
 	if (r->flags & (1 << NFT_RULE_ATTR_CHAIN))
@@ -261,6 +258,15 @@ void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
 		mnl_attr_put_u64(nlh, NFTA_RULE_HANDLE, htobe64(r->handle));
 	if (r->flags & (1 << NFT_RULE_ATTR_POSITION))
 		mnl_attr_put_u64(nlh, NFTA_RULE_POSITION, htobe64(r->position));
+}
+EXPORT_SYMBOL(nft_rule_nlmsg_build_id);
+
+void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
+{
+	struct nft_rule_expr *expr;
+	struct nlattr *nest;
+
+	nft_rule_nlmsg_build_id(nlh, r);
 
 	if (!list_empty(&r->expr_list)) {
 		nest = mnl_attr_nest_start(nlh, NFTA_RULE_EXPRESSIONS);
-- 
1.8.4.rc3


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [nftables PATCH] netlink: use build_id to lower message size
  2013-10-02 23:12 [nftables RFC PATCH]limit netlink message size during delete operation Eric Leblond
  2013-10-02 23:14 ` [libnftables PATCH] src: add function nft_rule_nlmsg_build_id Eric Leblond
@ 2013-10-02 23:16 ` Eric Leblond
  2013-10-03 16:25   ` Pablo Neira Ayuso
  1 sibling, 1 reply; 4+ messages in thread
From: Eric Leblond @ 2013-10-02 23:16 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric, pablo

THis patch makes use of the new nft_rule_nlmsg_build_id function
from libnftables for the delete operation. This lower the size
of the netlink message sent to kernel when flushing the rules.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/mnl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mnl.c b/src/mnl.c
index 27b181a..3c07156 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -292,7 +292,7 @@ int mnl_nft_rule_batch_del(struct nft_rule *nlr, unsigned int flags,
 			nft_rule_attr_get_u32(nlr, NFT_RULE_ATTR_FAMILY),
 			NLM_F_ACK, seqnum);
 
-	nft_rule_nlmsg_build_payload(nlh, nlr);
+	nft_rule_nlmsg_build_id(nlh, nlr);
 
 	if (!mnl_nlmsg_batch_next(batch))
 		mnl_batch_page_add();
-- 
1.8.4.rc3


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [nftables PATCH] netlink: use build_id to lower message size
  2013-10-02 23:16 ` [nftables PATCH] netlink: use build_id to lower message size Eric Leblond
@ 2013-10-03 16:25   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-10-03 16:25 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Thu, Oct 03, 2013 at 01:16:33AM +0200, Eric Leblond wrote:
> THis patch makes use of the new nft_rule_nlmsg_build_id function
> from libnftables for the delete operation. This lower the size
> of the netlink message sent to kernel when flushing the rules.

I think we can simplify the flush operation with a small change in
nf_tables_delrule. The idea is to delete all rule if no chain is
specified.

The current approach is pretty time consuming, as we have to fetch the
ruleset from the kernel, iterate over it and build the message to
delete them.

Would you send me patches to follow this approach?

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2013-10-03 16:25 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-10-02 23:12 [nftables RFC PATCH]limit netlink message size during delete operation Eric Leblond
2013-10-02 23:14 ` [libnftables PATCH] src: add function nft_rule_nlmsg_build_id Eric Leblond
2013-10-02 23:16 ` [nftables PATCH] netlink: use build_id to lower message size Eric Leblond
2013-10-03 16:25   ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).