* [PATCH nft] cache: filter out sets and maps that are not requested
@ 2021-09-29 16:53 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-09-29 16:53 UTC (permalink / raw)
To: netfilter-devel
Do not fetch set content for list commands that specify a
set name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/cache.h | 1 +
src/cache.c | 23 +++++++++++++++++++++--
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/include/cache.h b/include/cache.h
index b238c1cfe326..07c05bb50176 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -41,6 +41,7 @@ enum cache_level_flags {
struct nft_cache_filter {
bool enabled;
const char *table;
+ const char *set;
};
struct nft_cache;
diff --git a/src/cache.c b/src/cache.c
index 563860e82fb8..8289ca9c0bce 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -138,6 +138,15 @@ static unsigned int evaluate_cache_list(struct cmd *cmd, unsigned int flags,
}
flags |= NFT_CACHE_FULL | NFT_CACHE_REFRESH;
break;
+ case CMD_OBJ_SET:
+ case CMD_OBJ_MAP:
+ if (filter && cmd->handle.table.name) {
+ filter->table = cmd->handle.table.name;
+ filter->set = cmd->handle.set.name;
+ filter->enabled = true;
+ }
+ flags |= NFT_CACHE_FULL | NFT_CACHE_REFRESH;
+ break;
case CMD_OBJ_CHAINS:
flags |= NFT_CACHE_TABLE | NFT_CACHE_CHAIN;
break;
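Review bot: The new `CMD_OBJ_SET`/`CMD_OBJ_MAP` case tests `cmd->handle.table.name` but stores `cmd->handle.set.name` unchecked, and the matching test in the `set_cache_cb` hunk passes `ctx->filter->set` straight to `strcmp()`. If `enabled` is ever true while `set` is NULL, the callback dereferences a NULL pointer and nft crashes while populating the cache. This could presumably happen when the table-listing case, whose tail is visible at the top of this hunk, enables the filter with only `table` filled in. Guard both sides: `if (filter && cmd->handle.table.name && cmd->handle.set.name) {` here, and `if (ctx->filter && ctx->filter->enabled && ctx->filter->set &&` in the callback. `evaluate_cache_list` starts and ends outside this hunk.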
@@ -343,6 +352,7 @@ struct chain *chain_cache_find(const struct table *table, const char *name)
struct set_cache_dump_ctx {
struct netlink_ctx *nlctx;
struct table *table;
+ const struct nft_cache_filter *filter;
};
static int set_cache_cb(struct nftnl_set *nls, void *arg)
@@ -357,6 +367,13 @@ static int set_cache_cb(struct nftnl_set *nls, void *arg)
return -1;
set_name = nftnl_set_get_str(nls, NFTNL_SET_NAME);
+
+ if (ctx->filter && ctx->filter->enabled &&
+ (strcmp(ctx->filter->set, set->handle.set.name))) {
+ set_free(set);
+ return 0;
+ }
+
hash = djb_hash(set_name) % NFT_CACHE_HSIZE;
cache_add(&set->cache, &ctx->table->set_cache, hash);
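Review bot: The filter test compares against `set->handle.set.name` although `set_name` was read from `nls` on the line just above, and it runs only after the set object exists, so every filtered entry is built and then dropped with `set_free()`. Comparing the attribute directly reads more clearly: `strcmp(ctx->filter->set, set_name)`, and the extra parentheses around the `strcmp()` call can go. If the construction above the hunk permits it, doing the name test before the set is built would avoid the allocate-then-free on each skipped set. `set_cache_cb` begins and ends outside this hunk.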
@@ -364,11 +381,13 @@ static int set_cache_cb(struct nftnl_set *nls, void *arg)
}
static int set_cache_init(struct netlink_ctx *ctx, struct table *table,
- struct nftnl_set_list *set_list)
+ struct nftnl_set_list *set_list,
+ const struct nft_cache_filter *filter)
{
struct set_cache_dump_ctx dump_ctx = {
.nlctx = ctx,
.table = table,
+ .filter = filter,
};
nftnl_set_list_foreach(set_list, set_cache_cb, &dump_ctx);
@@ -644,7 +663,7 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
ret = -1;
goto cache_fails;
}
- ret = set_cache_init(ctx, table, set_list);
+ ret = set_cache_init(ctx, table, set_list, filter);
nftnl_set_list_free(set_list);
--
2.30.2