From: "Pablo M. Bermudo Garay" <pablombg@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org, "Pablo M. Bermudo Garay" <pablombg@gmail.com>
Subject: [PATCH iptables 3/3] xtables-compat: add rule cache
Date: Sun, 21 Aug 2016 20:10:27 +0200 [thread overview]
Message-ID: <20160821181027.14622-3-pablombg@gmail.com> (raw)
In-Reply-To: <20160821181027.14622-1-pablombg@gmail.com>
This patch adds a cache of rules within the nft handle. This feature is
more useful after the new checks of ruleset compatibility, since the
rule list is loaded twice consecutively.
Now all the operations causing changes in the ruleset must invalidate
the cache, a function called flush_rule_cache has been introduced for
this purpose.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---
iptables/nft.c | 35 +++++++++++++++++++++++------------
iptables/nft.h | 1 +
2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 7389689..71bf6f7 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -780,8 +780,17 @@ int nft_init(struct nft_handle *h, struct builtin_table *t)
return 0;
}
+static void flush_rule_cache(struct nft_handle *h)
+{
+ if (h->rule_cache) {
+ nftnl_rule_list_free(h->rule_cache);
+ h->rule_cache = NULL;
+ }
+}
+
void nft_fini(struct nft_handle *h)
{
+ flush_rule_cache(h);
mnl_socket_close(h->nl);
free(mnl_nlmsg_batch_head(h->batch));
mnl_nlmsg_batch_stop(h->batch);
@@ -1121,6 +1130,7 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
if (batch_rule_add(h, type, r) < 0)
nftnl_rule_free(r);
+ flush_rule_cache(h);
return 1;
}
@@ -1284,6 +1294,9 @@ static struct nftnl_rule_list *nft_rule_list_get(struct nft_handle *h)
struct nftnl_rule_list *list;
int ret;
+ if (h->rule_cache)
+ return h->rule_cache;
+
list = nftnl_rule_list_alloc();
if (list == NULL)
return 0;
@@ -1297,6 +1310,7 @@ static struct nftnl_rule_list *nft_rule_list_get(struct nft_handle *h)
return NULL;
}
+ h->rule_cache = list;
return list;
}
@@ -1333,7 +1347,6 @@ next:
}
nftnl_rule_list_iter_destroy(iter);
- nftnl_rule_list_free(list);
/* the core expects 1 for success and 0 for error */
return 1;
@@ -1396,6 +1409,7 @@ next:
}
nftnl_chain_list_iter_destroy(iter);
+ flush_rule_cache(h);
err:
nftnl_chain_list_free(list);
@@ -1829,8 +1843,6 @@ int nft_rule_check(struct nft_handle *h, const char *chain,
if (ret == 0)
errno = ENOENT;
- nftnl_rule_list_free(list);
-
return ret;
}
@@ -1855,7 +1867,7 @@ int nft_rule_delete(struct nft_handle *h, const char *chain,
} else
errno = ENOENT;
- nftnl_rule_list_free(list);
+ flush_rule_cache(h);
return ret;
}
@@ -1879,6 +1891,7 @@ nft_rule_add(struct nft_handle *h, const char *chain,
return 0;
}
+ flush_rule_cache(h);
return 1;
}
@@ -1908,7 +1921,7 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
r = nft_rule_find(h, list, chain, table, data,
rulenum - 1);
if (r != NULL) {
- nftnl_rule_list_free(list);
+ flush_rule_cache(h);
return nft_rule_append(h, chain, table, data,
0, verbose);
}
@@ -1920,12 +1933,12 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
handle = nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE);
DEBUGP("adding after rule handle %"PRIu64"\n", handle);
- nftnl_rule_list_free(list);
+ flush_rule_cache(h);
}
return nft_rule_add(h, chain, table, data, handle, verbose);
err:
- nftnl_rule_list_free(list);
+ flush_rule_cache(h);
return 0;
}
@@ -1953,7 +1966,7 @@ int nft_rule_delete_num(struct nft_handle *h, const char *chain,
} else
errno = ENOENT;
- nftnl_rule_list_free(list);
+ flush_rule_cache(h);
return ret;
}
@@ -1983,7 +1996,7 @@ int nft_rule_replace(struct nft_handle *h, const char *chain,
} else
errno = ENOENT;
- nftnl_rule_list_free(list);
+ flush_rule_cache(h);
return ret;
}
@@ -2037,8 +2050,6 @@ next:
nftnl_rule_list_iter_destroy(iter);
err:
- nftnl_rule_list_free(list);
-
if (ret == 0)
errno = ENOENT;
@@ -2266,7 +2277,7 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
false);
error:
- nftnl_rule_list_free(list);
+ flush_rule_cache(h);
return ret;
}
diff --git a/iptables/nft.h b/iptables/nft.h
index f5449db..4126593 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -35,6 +35,7 @@ struct nft_handle {
struct mnl_nlmsg_batch *batch;
struct nft_family_ops *ops;
struct builtin_table *tables;
+ struct nftnl_rule_list *rule_cache;
bool restore;
bool batch_support;
};
--
2.9.3
next prev parent reply other threads:[~2016-08-21 18:11 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-21 18:10 [PATCH iptables 1/3] xtables-compat: remove useless functions Pablo M. Bermudo Garay
2016-08-21 18:10 ` [PATCH iptables 2/3] xtables-compat: check if nft ruleset is compatible Pablo M. Bermudo Garay
2016-08-21 20:25 ` Arturo Borrero Gonzalez
2016-08-22 9:56 ` Pablo Neira Ayuso
2016-08-21 18:10 ` Pablo M. Bermudo Garay [this message]
2016-08-22 9:51 ` [PATCH iptables 1/3] xtables-compat: remove useless functions Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160821181027.14622-3-pablombg@gmail.com \
--to=pablombg@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).